SuperHacker Text PDF


by The Knightmare
introduction by Gareth Branwyn

Sound Bytes from Reviews of Secrets of a Super Hacker

"Secrets of a Super Hacker is a fascinating hacker cookbook that reveals the ease of penetrating even the most stalwart computer system."
The San Francisco Chronicle

"Not often do the contents of a book match its cover hype, but here is one book that comes closer than most. Secrets of a Super Hacker, by The Knightmare, is billed as 'every security manager's worst nightmare.' It does, indeed, descend into the realm of security managers' darkest fears."
Infosecurity News

"...step-by-step instructions in meaningful hacking [using] a personal computer."
Booklist

"Excellent. This work will appeal to many, especially business professionals as the networks and e-mail become more commonplace."
The Reader's Review

"...the most specific, detailed, general-purpose guide to electronic shenanigans I've seen. Recommended."
Reading for Pleasure

"All 205 pages are loaded with clear, concise, and very devious information. It is well-written, sprinkled with wit and the Knightmare's own personal experiences."
Selected Book Reviews

"Sysops may find it necessary to read this one, especially if their callers read it first."
BBS Magazine

"It's readable, interesting, informative, balanced, and accurate, with a nice spirit of fun and swashbuckling!"
<solmaker> on alt.books.reviews

"Secrets of a Super Hacker... should be read by anyone who has the crazy notion that his data is safe."
ComputerWorld

Secrets of a Super Hacker
by The Knightmare

Loompanics Unlimited
Port Townsend, Washington

Contents

Introduction: Hackers: Heroes or Villains?, by Gareth Branwyn

PART ONE: Before Hack

Chapter One: The Basics
  Opening Remarks
  Reading vs. Doing
  Equipment
  Modems And Speed
  Communications Software
  Handy Features
  Data Capture
  Past and Future
  Days of Yore Live On
  Computer Crime
  Various Thieveries
  The Seventh Crime
  Stealing Money
  Sabotage
  Hacker Motivations

Chapter Two: The History Of Hacking ... 13
  First Came Hardware
  YIPL and TAP
  Computer Crime
  2600
  WarGames and Phrack
  Shadow Hawk
  The Electronic Frontier Foundation

Chapter Three: Researching The Hack ... 19
  Targeting
  Collecting Information
  Some Unusual Research Methods
  On-line Computer Simulators and Tutorials
  Sorting Through Trash
  Found Disk Analysis
  GIRK
  Check Up
  Damage to One Side
  Rips and Tears
  Imperfections
  Examining Screenshots
  Snooping

Chapter Four: Passwords And Access Control ... 35
  Passwords
  Passwords Supplied by the User
  Possible Password Investigation
  Password Studies
  Password Restraints
  Computer Generated Passwords: Fakery and Analysis of Machine-Generated Passwords
  Non-Random Machine-Generated Passwords
  Programs are People Too
  Brute Force Methods
  Foiling the Brute Force Assault
  Conclusion

Chapter Five: Social Engineering ... 49
  The Noble Form
  Hacker as Neophyte
  Hacker in Power
  Hacker as Helper
  Peak Hours
  Other Hints
  Sample Social Engineering Situations
  Miscellaneous Social Engineering Tips
  Other Roles
  In-Person Engineering
  Written Engineering
  Request for Information
  Message From God
  Trouble in Paradise?

Chapter Six: Reverse Social Engineering ... 63
  Overcoming Social Engineering Drawbacks
  Reverse Social Engineering Sabotage Methods
  RSE Case Study: The Translation Table
  Solving the Sabotage
  RSE Advertising Methods
  Trouble for Nothing?

PART TWO: During Hack

Chapter Seven: Public Access Computers And Terminals ... 71
  Introduction to the Three Kinds
  CD-ROM Databases and Information Computers
  Public Access Terminals (PATs)
  The Bar Code Hack
  Hidden Commands
  College PATs
  Doing it the E-Z Way
  Shoulder Surfing
  Doing it BASICally
  Hardware Methods
  General Purpose Microcomputers
  Breaking Free
  Freedom Means Free Roaming
  PACK Menu Simulation and Other Sneakiness
  Hiding Your Goody Basket
  Things to Watch Out For

Chapter Eight: On-Site Hacking: The Trespasser-Hacker ... 89
  Closed-Circuit Television
  Biometric Systems
  Always a Way
  Acting for the On-Site Hack
  Piggybacking
  Other Successful Tricks & Antics
  Electronic Passive Computing
  Radiation Comprehension
  Van Eck and Britton
  Ups and Downs

Chapter Nine: Hacking At Home: Dialing Up Computers With Your Modem ... 99
  Who to Connect to
  Paying for the Pleasure
  Packet Switched Networks
  Other Networks
  Reality
  Finding Dial-Up Numbers
  Dial-Up Security Measures
  Scrutinize the Login Environment

Chapter Ten: Electronic Bulletin Board Systems ... 105
  Making Connections
  BBS Features
  BBS Exploitation
  Finding BBS Numbers
  Finding Hacker Boards
  Getting to Know You
  Bypassing BBS Security
  Running a BBS
  Midnight Masquerade
  Trojan Horses
  Covering Up Trojan Horse Activity
  Hackmail
  Crashing BBSs
  While it is Running
  Before & After
  A Few Tips for the Do-It-Yourselfer

Chapter Eleven: Borderline Hacking ... 119
  Hacking for Ca$h
  Filthy Tricks
  Bribery
  Booze and Broads
  Bad Feelings

Chapter Twelve: What To Do When Inside ... 123
  Looking Around
  Commands to Look For and to Use
  Operating Systems
  Hacker Motivations Revisited
  Fun 'N Games
  The User Network
  Becoming a Superuser
  File Transfer Protocol (FTP)
  Bit by Bit
  Program Employment
  Viruses
  Cryptography and DES
  Spoofing
  Covert Channels
  Get Out of Jail Free
  Returning to the Scene
  Mission Accomplished... Almost!

PART THREE: After Hack

Chapter Thirteen: This Lawful Land ... 139
  Traditional State Crime Laws
  Burglary
  Criminal Mischief
  Theft of Services or Labor
  Receipt of Stolen Property
  Larceny
  Theft of Trade Secrets
  Fraud
  Under False Pretenses
  Conspiracy
  Traditional Federal Crime Laws
  Interference With Use Statutes
  State Computer Crime Laws
  Federal Computer Crime Laws, Or: 661, 2113, 641, 912, 1343, 1361, Etc.
  It's 10:30, Do They Know Where the Hackers Are?
  Conclusion

Chapter Fourteen: Hacker Security: How To Keep From Getting Caught ... 145
  In Researching
  In Social Engineering
  In Public and On-Site
  Dialing In
  Laptop Hints
  Your On-the-Road Kit
  BBS Protection
  Other On-line Security Steps
  Lessons From the Hospital
  System Tiptoeing
  Security Logs
  Maintaining Your Computer
  Keeping Your Other Stuff
  While Off-line: Minimizing Losses
  Conclusion: How to Get Caught

Chapter Fifteen: Conclusion ... 161
  Combining Principles
  My One-Person Tiger Team
  Principles Combined
  Some Thoughts to the Concerned Administrator
  Some Thoughts to the Concerned Hacker
  The Hacker's Ethic
  My Code of Ethics
  Concluding Thoughts

Further Reading ... 169
  The Books
  Other Sources

Glossary ... 173

APPENDICES
Appendix A: Explanation of Some ASCII Codes ... 185
Appendix B: Common Defaults ... 189
Appendix C: Common Commands ... 191
Appendix D: Novice Word List ... 193
Appendix E: Job-Related Word List ... 197
Appendix F: Technical Word List ... 199
Appendix G: Social Security Number Listing and ICAO Alphabet ... 201
Appendix H: Additional R/SE Role Playing Situations ... 205

Introduction: Hackers: Heroes or Villains?

by Gareth Branwyn

"Where am I?"
"In the Village."
"What do you want?"
"Information."
"Whose side are you on?"
"That would be telling. We want... information... information... information."
"Well you won't get it."
"By hook or by crook, we will!"

Remember the '60s TV show The Prisoner? Created by and starring Patrick McGoohan, this surrealist series was basically a platform for McGoohan to explore his own fears of modern surveillance/spy technology, behavioral engineering, and society's increasing ability to control people through pacifying pleasures. He was convinced that all this might soon mean the obliteration of the individual (expressed in the defiant opening shout: "I am not a number, I am a free man!"). McGoohan's #6 character became a symbol of the lone individual's right to remain an individual rather than a numbered cog in the chugging machinery of the State.

McGoohan, a Luddite to be sure, despised even the TV technology that brought his libertarian tale to the masses. He saw no escape from the mushrooming techno-armed State short of out-and-out violent revolution (it was, after all, the '60s!). As prescient as The Prisoner series proved to be in some regards, McGoohan failed to see how individuals armed with the same tech as their warders could fight back. The #6 character himself comes close to revealing this in a number of episodes, as he uses his will, his ingenuity, and his own spy skills to re-route #2's attempts to rob him of his individuality.

One doesn't have to stretch too far to see the connection between The Prisoner and the subject at hand: hacking. With all the social engineering, spy skills, and street tech knowledge that #6 possessed, he lacked one important thing: access to the higher tech that enslaved him and the other hapless village residents. Today's techno-warriors are much better equipped to hack the powers that be for whatever personal, social or political gains.

In the last two-part episode of the series, #6 finally reveals why he quit his intelligence job: "Too many people know too much." Again, this expresses McGoohan's fear that the powers that be were holding the goods on him and everyone else who was bucking the status quo at that time. He probably didn't mean "people" as much as he meant "governments." It is this fact, that "too many [governments/megacorps/special interest groups] know too much" that has provided an important motivation to many contemporary hackers and has fueled the rampant techno-romantic myths of the hacker as a freedom of information warrior.

Let's look at a number of the mythic images of the hacker that have arisen in the past decade and explore the reality that they both reflect and distort:

The Hacker as Independent Scientist

The first image of hackerdom to emerge in the '60s and 70s was of the benevolent computer science student pushing the limits of computer technology and his/her own intellect. Computer labs at MIT, Berkeley, Stanford and many other schools hummed through the night as budding brainiacs sat mesmerized by the promise of life on the other side of a glowing computer screen. These early hackers quickly developed a set of ethics that centered around the pursuit of pure knowledge and the idea that hackers should share all of their information and brilliant hacks with each other. Steven Levy summarizes this ethic in his 1984 book Hackers:

"To a hacker a closed door is an insult, and a locked door is an outrage. Just as information should be clearly and elegantly transported within the computer, and just as software should be freely disseminated, hackers believed people should be allowed access to files or tools which might promote the hacker quest to find out and improve the way the world works. When a hacker needed something to help him create, explore, or fix, he did not bother with such ridiculous concepts as property rights."

While this ethic continues to inform many hackers, including the author of the book you are holding, it has become more difficult for many to purely embrace, as the once-innocent and largely sheltered world of hackerdom has opened up onto a vast geography of data continents with spoils beyond measure, tempting even the most principled hackers. The Knightmare weaves his way in and out of these ethical issues throughout Secrets of a Super Hacker.

The Hacker as Cowboy

The cowboy has always served as a potent American myth of individuality and survivalism in the face of a harsh and lawless frontier. It is no accident that William Gibson chose cowboy metaphors for his groundbreaking cyberpunk novel Neuromancer (1984). Case and the other "console cowboys" in the novel ride a cybernetic range as data rustlers for hire, ultimately sad and alone in their harsh nomadic world. They are both loner heroes and bad-assed predators of the law-abiding cyber-citizenry they burn in their wake. I don't think I need to tell readers here what impact Gibson's fictional world has had on fueling hacker fantasies or what potent similarities exist between Gibson's world and our own.

Like the cowboy tales of the wild west, the myth of the hacker as cowboy is undoubtedly more image over substance (as are most of the myths we will explore here), but there are some important kernels of truth: a) hackers are often loners, b) there are many nomadic and mercenary aspects to the burgeoning cyberspace of the 1990s, and c) it is a wide-open and lawless territory where the distinctions between good and bad, following the law and forging a new one, and issues of free access and property rights are all up for grabs (remember the Indians?). Not surprisingly, Electronic Frontier Foundation co-founder John Perry Barlow (a Wyoming cattle rancher himself) chose frontier metaphors when he wrote his landmark essay "Crime and Puzzlement" (Whole Earth Review, Fall 1990). The first section of this lengthy essay that led to the birth of the EFF was entitled, "Desperadoes of the DataSphere."

The Hacker as Techno-Terrorist

When I was a budding revolutionary in the 70s, with my Abbie Hoffman and Jimi Hendrix posters and my cache of middle class weapons (.22 caliber rifles, .12 gauge shotgun, hunting bows), I, like McGoohan, was gearing up for the Big Confrontation. With a few friends (who seemed more interested in firearms than revolutionary rhetoric), I used to do maneuvers in the woods near my house. We would fantasize how it was all gonna come down and what role we (the "Radicals for Social Improvement") would play in the grand scheme of things. It doesn't take a military genius to see the futility of armed force against the U.S. military on its own turf. The idea that bands of weekend rebels, however well trained and coordinated, could bring down "The Man" was pure romance. Part of me knew this, the same part of me that was more interested in posture than real revolution and in getting laid more than in fucking up the State. My friends and I were content to play-act, to dream the impossible dream of overthrow.

One of the first "a-ha's" I had about computer terrorism in the late '80s was that the possibilities for insurrection and for a parity of power not based on brute force had changed radically with the advent of computer networks and our society's almost complete reliance on them. There was now at least the possibility that groups or individual hackers could seriously compromise the U.S. military and/or civilian electronic infrastructure. The reality of this hit home on November 2, 1988, when Robert Morris, Jr., the son of a well-known computer security researcher, brought down over 10% of the Internet with his worm (a program that self-propagates over a network, reproducing as it goes). This event led to a media feeding frenzy which brought the heretofore computer underground into the harsh lights of television cameras and sound-bite journalism. "Hacker terrorists," "viruses," "worms," "computer espionage"...all of a sudden, everyone was looking over their shoulders for lurking cyberspooks and sniffing their computer disks and downloads to see if they had contracted nasty viruses. A new computer security industry popped up overnight, offering counseling, virus protection software (sometimes with antidotes to viruses that didn't even exist!), and workshops, seminars and books on computer crime.

Hysteria over hacker terrorism reached another plateau in 1990 with the execution of Operation Sundevil, a wide-net Secret Service operation intended to cripple the now notorious hacker underground. Like a cat chasing its own tail, the busts and media coverage and additional busts, followed by more sensational reportage, created a runaway loop of accelerating hysteria and misinformation. One radio report on the "stealing" (copying, actually) of a piece of information "critical to the operations of the Emergency 911 system" for Bell South opined: "It's a miracle that no one was seriously hurt." Of course, the truth turned out to be far less dramatic. The copied booty was a very boring text document on some management aspects of the Bell South system. For a thorough and lively account of this and many of the other arrests made during Operation Sundevil, check out Bruce Sterling's The Hacker Crackdown (Bantam, 1992).

Whatever the truth of these particular incidents, computer crime is here big time and the boasts of even the most suspect hacker/cracker are usually at least theoretically possible. Computer terrorism has yet to rear its head in any significant fashion, but the potential is definitely there. This is very unsettling when you think how many people can gain access to critical systems and how many loony tunes there are out there armed with computers, modems, and less-than-honorable intentions. Wireheads of every gauge would do well to study volumes like Secrets of a Super Hacker to stay abreast of the game and to cover their backsides should the proverbial shit hit the fan.

The Hacker as Pirate

Next to "cowboy," the most potent and popular image of the hacker is that of a pirate. Oceanographic and piracy metaphors are equally as common in cyberculture as ones about lawless frontiers and modem-totin' cowboys and cowgirls. People talk of "surfing the edge," and the "vast oceans of the Internet." Bruce Sterling's near-future novel about data piracy was named Islands in the Net. In it, third world countries and anarchist enclaves operate data havens, buying and selling global information through the world's wide-bandwidth computer networks. Anarchist theorist and rantmeister Hakim Bey penned an essay called "Temporary Autonomous Zones (or T.A.Z.)" inspired by Sterling's data islands. Bey sees in the rapidly growing technosphere of our planet the possibilities for a new form of nomadic anarchic culture that might resemble the sea-faring pirate societies of the 18th century. Using the resources of the global nets, individual cybernauts can come together to form temporary and virtual enclaves. These bands can wreak havoc, throw a party, exchange intelligence, or whatever else they want. Once the deed is done, the party over, the nomadic bands simply disappear back into the dense fabric of cyberspace. While decidedly romantic, the TAZ idea is attractive to many hackers and cyberspace residents who feel the fluidity of movement and the potential for invisibility offered daily on "the nets."

Of course, let's not kid ourselves, pirates were mainly concerned with stealing things. In cyberspace, piracy becomes a more ambiguous and contested can of worms. Are you really taking something if you're simply looking at it or making a copy of it? If you copy copyrighted material, say an image, and then alter it significantly, to the point that it is almost unrecognizable, have you violated the copyright? What if you're using it as raw materials in a piece of art, like collage? What does stealing mean when what is stolen is nothing more than a particular assemblage of electrical impulses? I regularly download recognizable audio bytes from networks, process them in a sound editor, and then use them in various audio art projects. Am I stealing? If I publish the work commercially, THEN is it plagiarism? All of these questions about sampling, copying, cutting, pasting, re-purposing, and altering have become the thorny legal and ethical issues of our cybernetic age. Hackerdom is one of the domains that is rapidly fueling the fire.

The Hacker as Security Informant

Another do-gooder myth revolves around the hacker as an either self-appointed or hired security checker. Many hackers, true to their ethos of simply wanting to push the limits of their ability and not to cause harm, will report holes in security after they've breached them. To the hacker who is interested in the gamesmanship and challenge of penetrating a system, tipping off the system's administrators means a new level of challenge should they ever return. Hackers who are hired for purposes of testing system security, called "tiger teams," also work to compromise the security of a system to find weaknesses. Often times, these hired guns are convicted computer criminals who "go straight." Several members of the legendary Legion of Doom, caught in the Operation Sundevil busts, formed COMSEC, a computer security team for hire. While many hackers bristle at such turncoat maneuvers, other more politically neutral hackers point out that it doesn't really matter to them who they're working for as long as they get to hack.

The Hacker as Biblical David

When liberal and fringe media want to feel good about hacking and cracking they start invoking images of the hacker as a do-gooder David against a military/industrial Goliath. This myth of the hacker, based on the "parity of power" theme discussed above, can bring comfort to those of us who are paranoid about megacorporate and government big brothers. However over-romanticized this myth is, there is comfort to be found in the knowledge that individuals can penetrate even the most behemoth systems. If big brother gets too big for his britches, "Davidian" (?) hackers are standing by to do some necessary tailoring.

The Hacker as U.S. Cavalry

Just as Hollywood movies raised the lowly dirt-lickin' cowboy to mythic status, it is now presenting hackers as a tech-mounted U.S. Cavalry, a cyberpunk version of Mighty Mouse, here to save the day and save the movie in the final seconds. Movies such as WarGames, Sneakers, Jurassic Park, and TV shows such as Max Headroom glamorize hackers, often portraying them as misguided geniuses who finally see the light and prevent calamities they're often responsible for initiating. At the same time that the mainstream media has demonized hackers, Hollywood has romanticized them. John Badham's 1983 film WarGames probably did more to stimulate interest in hacking and phone phreaking among young people than anything before or since. Numerous legendary hackers have credited that film as their chief inspiration and raison d'etre. All these films have also played into the myth of the evil government and megacorps who deserve the harassment that the hacker protagonists dish out. As this introduction is being written, rumors are flying fast and furious that a number of near-future hacker/cyberpunk TV shows are in the works. It will be very interesting to see how Hollywood continues to re-invent the hacker.

The Hacker as Cyborg

Ultimately computer hacking and net navigating, and the images and fantasies surrounding them, represent something greater than the sum of the parts outlined here. It is this writer's opinion that hackers represent the scouts to a new territory that is just now beginning to be mapped out by others. Hackers were the first cybernauts, the first group of people to understand that we as a species are about to disappear into a cyberspace at least similar in function to that posited by William Gibson in his 80's fiction. As Manuel De Landa explains in his book War in the Age of Intelligent Machines (MIT, 1991), we are forging a new symbiotic relationship with machines via computers. The nature of this relationship and the level of individual freedom afforded by it has a lot to do with how hackers, visionary scientists, and the first wave of cyber-settlers go about their business. While De Landa is very laudatory toward the "freedom of information" ethic and developmental ingenuity of hackerdom, he cautions those who wish to make too much trouble for individuals and organizations, leading to retaliation, escalation of tensions, and increased paranoia. He writes:

"...[S]ome elements of the hacker ethic (system-crashing, lock-busting) which were once indispensable means to channel their energies into the quest for physical and logical interactivity have changed character as the once innocent world of hackerism has become the multimillion-dollar business of computer crime. What used to be a healthy expression of the hacker maxim that information should flow freely is now in danger of becoming a new form of terrorism and organized crime which could create a new era of unprecedented repression."

De Landa argues elsewhere in Machines that the U.S. government's, especially the military's, desire to centralize decision-making power has been seriously compromised by the personal computer revolution. He speculates that those outside the military-industrial machinery have only a few years to develop a new and truly decentralized system of networks before the military devises a new tactical doctrine that subsumes the distributed PC.

The images of hacking: coming in under the wire of mainstream society, cobbling together technology for individual and group purposes, overcoming limitations, and all the other real and imagined dimensions of hacking, have become part of a new academic trend that uses the sci-fi image of the cyborg as a model of late twentieth century humanity. These academics have embraced cyberpunk sci-fi, the politicized image of the hacker, and postmodern ideas about posthumanism (a future of human/machine hybridization). Anyone who spends most of their waking hours patched into a PC and the Internet or in hacking code has felt the margins between themselves and their machines getting very leaky. Hackers were the first to experience this, many others are now following in their digital footsteps. Hacking has become trendy and chic among people who, if pressed, couldn't even define an operating system. The "idea" of hacking has migrated far from the actual act of hacking. It has become a cultural icon about decentralized power for the turn of the millennium.

The Knightmare's Vision

Behind all these lofty notions lies the tedious and compelling act of the hack itself. Hacker-monikered "The Knightmare" presents his complex view of hacking in Secrets of a Super Hacker. In this classic hacker cookbook, the author has gone to great pains to explain the massive width and breadth of hacking, cracking, and computer security. With Sherlock Holmes-like compulsion and attention to detail, he presents the history of hacking, the how-tos of hacking, the legal and ethical issues surrounding hacking, and his own personal reasons for hacking. Numerous examples and "amazing hacker tales" take the reader inside each level of the hack. Reading Secrets will change the way you look at computers and computer security. It has already been very valuable to me. I am a smarter computer/net user now and much more attuned to computer security.

When Patrick McGoohan conceived of The Prisoner he wanted to create a show that would demand thinking. He wanted controversy, arguments, fights, discussions, people waving fists in his face. You might love the show, you might hate the show (or both), but you would HAVE to talk about it. Computer hacking and the wooly frontiers of cyberspace are similar domains of controversy. In the true spirit of freedom of information, Secrets of a Super Hacker is being made available to anyone who cares to read it. It is my hope that it will help keep the debate alive and that those who make use of its privileged information will do so responsibly and without malice.

Be Seeing You,
Gareth Branwyn
August 29, 1993
Nantucket Island, Mass.

PART ONE
Before Hack
"Given that more and more information about individuals is now being stored on computers, often without our knowledge or consent, is it not reassuring that some citizens are able to penetrate these databases to find out what is going on? Thus it could be argued that hackers represent one way in which we can help avoid the creation of a more centralized, even totalitarian government. This is one scenario that hackers openly entertain."

Tom Forester and Perry Morrison in Computer Ethics

Chapter One: The Basics

Opening Remarks

This book will show you various methods you can use to break into computer systems. In some ways this is harder to do than it used to be. Nowadays people are more strict, more cautious about security. That's how it seems, anyway.

But there are plenty of holes still left in any system's armor. System managers can tighten up computer security as much as they want but there will always be ways to get around their efforts. Remember the first rule of hacking: Whatever a human mind can achieve, another can also achieve. Whatever one mind can hide, another can discover. People tend to think and act alike, and it is this sameness of thought that you, the hacker, will exploit.

What is a hacker? I'm going to give a definition now, and if you don't fit the description I give, you can just close this book and throw it away: A hacker is a person with an intense love of something, be it computers, writing, nature or sports. A hacker is a person who, because he or she has this love, also has a deep curiosity about the subject in question. If a hacker loves computers, then he or she is curious about every aspect of computers. That curiosity extends also to the ways other people use their computers. Hackers have respect for their subject. For a computer hacker that means he respects the ability of computers to put him in contact with a universe of information and other people, and it means he respects those other [...] world, and the world of computers. The True Computer Hacker is a computer enthusiast and more importantly, a Universe enthusiast.

You should already be enthused. Are you ready to learn?

Reading vs. Doing

There are two ways to write a book about computer hacking. The first is to write an encyclopedic account of every known system and its dialup numbers, passwords, loopholes, and how to increase one's access once inside. There is nothing particularly wrong with this approach except that by publication time much of the contents will likely be outdated. And surely, after word leaks to the computer sites of the world the remaining information will be rendered non-functional. Such a specific approach, while exciting, is best left to periodicals, which can keep readers updated on the constantly changing security frontier. Indeed, there are both print and on-line publications which attempt to do just that.

The second way to write a book about computer hacking is to write an encyclopedic account of the methods by which security is breached and systems penetrated. This is a much more agreeable solution to the problem of how to distribute changing information. The readers of such a book can then follow those methods, those algorithms, add some of their own creativity, and will never end up facing a situation drastically different from the ones the text has prepared the hacker to encounter. Naturally, way-to-write-a-book Number Two is the way this book has been written.

At some points during the course of writing this book I've found that to talk about certain information requires knowledge of another aspect of hacking entirely. I tried to keep this book flowing in a logical order, conducive to understanding, but occasionally you will find ripples in the flow. If you come across a term or situation that the book hasn't yet prepared you for, forget about it. You'll learn soon enough. Or look in the glossary; you might find the answer you seek there. Computer hacking is a subject which contains a voluminous amount of information. Repeatedly, as I prepared the manuscript, I had to decide whether or not to go into great detail in a particular area, or allow you to discover certain inside tricks on your own. Sometimes I compromised, sometimes I didn't. Some things I left out because they were too scary. When all is said and done, the important part isn't the writing of the book, it's the reading of it, and the actions that result from the reading. Hacking is about doing something, for yourself and on your own. It's not about reading about doing something. I will gladly point you in the right direction, but I won't be your guide once you're on your way.

Speaking of books being read, it is often a wonder that they ever do get to that readable finished state at all. Thank you R.S. and J for critiquing selections from this book; thanks to the people at Loompanics for recognizing that the Constitution does, after all, allow freedom of the press; and to the many hackers and crackers who offered suggestions: Morris, Janet, Sex Pack, Carl Fox and the happy Gang Of Demon Street.

Equipment
people and does not intentionally use this knowledge of computers to be mischievous or destructive. That sort of thing is for social-outcast junior
high school kids. The serious computer hacker
simply wants to know everything there is about the

you don't even need a computer.


you might be better off not having one as
you will see later on. However, to start out you will
want to have a computer, a modem, and a telephone line close by so you can connect to the outThat's right

In

be.

There is only one piece of equipment you need


be a successful computer hacker... a brain.
fact,

side.
It's inconsequential what kind of computer it is.
What's more important are the modem and the
communications software you use with it.

Modems And Speed
Remember the old puzzler, "Which weighs more: a pound of feathers or a pound of lead?" Well, here's the same puzzler with a modern twist: "Which transmits data faster: a 600 baud modem, or a 600 bits-per-second modem?" The answer, of course, is "Both transmit data at the same rate!" But the real answer gets a little more complicated. Let me explain.

"Baud" is the measure of the rate at which a modem sends and receives information. Below speeds of 600 baud, the baud rate is equal to bits-per-second. Due to the restrictions of telephone equipment, high speed modems may transmit far fewer bits-per-second than their baud rate. For example, a 2400 baud modem may only be sending 1200 bits-per-second. For traditional reasons, modem speed is still stated in baud. While a hacker should be aware of the difference between baud rate and bits-per-second, the important thing to remember about modem speed is: the faster, the better. Just don't expect a 9600 baud modem to be four times as fast as a 2400 baud modem.

Five years ago, 300 baud modems were quite popular. Today, 9600 baud modems are fairly common. Higher speed modems, such as 14,400 baud and 19,900 baud, are now available in fairly inexpensive models. Many of the services you connect to will not be able to accommodate these higher speeds; however, a high-speed modem can always "step down" and connect at a slower speed when necessary.

Hacking is a hobby that requires little equipment; when it is necessary to buy something, you should try to buy the best available. This doesn't mean you should get what the salesperson or a magazine review says is best. It means, get what is best suited to your needs. You will want your modem to be fast. When I got my first modem, I thought of 140 baud as being the slowpoke. Now I look at the 300 baud crawler I used to use and wonder how I ever managed to stay interested when the words dribble across the screen at such an agonizingly slow pace.

Realize that whatever speed modem you get, it will usually run even slower than advertised. When there is static on the line, the modem is forced to resend data over and over until it has been sent or received correctly. Modems may run at half their listed speed, or even slower if they're in a particularly bad mood. They get even more snailish when you're calling long distance, or you're calling one computer through another through another (to make your call harder to trace back to its source), or if the remote computers are getting heavy usage. For all of these reasons it's crazy not to get a fast modem. It will make every bit of electronic communication much more enjoyable.

Communications Software
It's hard to find truly splendid communications software, and yet it is the software (in conjunction with a fast, high-quality modem) which will determine how much enjoyment or frustration you get from your on-line interactions. There are lots of communications software ("terminal emulators" or "term programs") out there. Just because a particular package comes with your modem doesn't mean you should feel obligated to use it. A good piece of telecommunications software will have many of the following features. For the hacker, it is maybe necessary to have all these features. Well, it's not necessary, but it will make your hacking experience more pleasurable.

Handy Features
The monitor on your computer was probably specially designed for your computer. When you dial who-knows-where over the phone, you can easily be talking to some computer with a completely different screen design than your own. Consequently, certain standards (rules of behavior for monitors to follow) have been devised. If you call up a hundred different computers, there will be many differences between the characters each can display, the control codes used to perform various screen functions, and so on. Your communications program, or "comm program," should be able to adjust to a wide range of these codes and characters. This feature is known as terminal emulation. Software that can't do that will often represent data from the remote computer in peculiar ways, or as garbage characters. Your comm program must be able to emulate a good number of terminals, such as ANSI, VT52 and VT100. It is also handy for the software to have a translation table: the ability to translate incoming and outgoing characters to other characters.

The terminal program you choose should be able to send and receive files using the Xmodem, Ymodem, Zmodem, and Kermit protocols. A protocol is a set of rules. You see, if you're trying to move files between two completely dissimilar computers, those machines need to know how to talk to each other. These file transfer protocols set up specific guidelines for the two computers to follow regarding how the file should be sent and received. Each protocol has its own set of advantages and applications. The Zmodem protocol transfers files fast, and with good error recovery, but it isn't as prevalent as the original Xmodem. Ymodem is another improvement on Xmodem, but its error detection isn't as keen; only use it on clean phone lines. Kermit is used on many university mainframes for speedy, efficient file transfer. Make sure your terminal software has at least these four protocols.

Choose software that allows you to enter "AT" commands. ATtention commands were developed by Hayes to allow the user to control the modem. They have been adopted for most makes of modem. AT commands allow you to program the modem to dial, go on line, go off line, and perform various other functions.

You should also be able to shell to your computer's operating system while maintaining the connection; sometimes you will want to run another program while on-line.

The software should allow you to be able to store many phone numbers, names, and comments for a large number of dialups. You should be able to store more than just the ten digit phone number; extensions and special codes should be programmable, as well as sign-on macros for faster connections. It is also helpful to have auto-dial capacity, which repeatedly calls a busy phone number until the line is free.

Overall, the program you use must be pleasant and easy to use. If one program doesn't suit all your needs keep several on hand and use whichever you need when you need its special services. Generally I tend to stick with the PC Tools Desktop comm program. It doesn't have too many advanced features, but its ease of use more than makes up for that. ProComm Plus for the IBM and Macintosh is the Lotus 1-2-3 of communications software. It's a huge package that includes every conceivable feature you'll ever need. There are also many low price (free) alternatives in the world of shareware and public domain software. QModem is one good shareware communication program for IBM computers.

There is one final necessity for the hacker:

Data Capture
Your terminal program should have a data capture feature. This means that as information gets sent through your modem and put onto the screen, you should be able to capture it in a disk file. It's important for you to keep the data capture feature on whenever you're using your modem. You do this for several reasons. When I'm logged in somewhere, I like to poke into all the text files I can find, but I don't like to waste my time on the system by actually reading them while on-line. Instead, I turn on my data capture, store what can be hundreds of pages of text in separate files, then sort through the data later, offline, at my leisure. (At other times it is more appropriate to simply transfer the files; what one does depends on circumstances.)

Data capture is also handy to pick up control codes and text that scrolls off the screen too fast for you to read. And sometimes text is immediately erased after it's put on the screen, either for security reasons or due to faulty software. With data capture you retain a permanent record of that text. In any event, it's nice to have an official record of your hacking activities that you can use for reference and research.

One time I called up a bulletin board (BBS) that was run by a local company, mostly for the purpose of advertising its products. The modems connected, I pressed Enter a couple times, and I got the usual random characters on the screen, then the login prompt came on. It took a little longer than usual to get to the login prompt, and I was wondering about that, but nothing seemed really unusual so I went about my business.

Later, I was going over the print outs I made of the break-in and I took a second look at what at the time seemed to be just normal login garbage. In the middle of the nonsense symbols was this: "d-b". And on the next line, sandwiched between two plus signs, this: "ye!". On the surface this doesn't look too interesting, but think about it: put "d-b" and "ye!" together and you get "d-bye!". What I was looking at was the last half of the word "good-bye!".

From using the BBS I knew that "good-bye!" was the last thing one sees before logging off. In other words, I had called the system just after someone else had logged off, and I had gotten the tail end of their log-off message. This meant there was something wrong with the way the remote software handled disconnections. This meant there was a bug that could be exploited.

I logged onto the system again, and the first thing I did was go to the "User Log" to find the record of my last login to the system. The person who had been using the BBS before me was a regular user of the system and, sure enough, according to the log she had logged off just seconds before I was recorded as having logged in.

Later I was able to incorporate my knowledge of this flaw to make myself a system operator by calling up and connecting soon after the real system operator had finished a scheduled maintenance check. I wrote a letter explaining to him what I had done, and how. Over the next few days we corrected the problem.

So you see, sometimes weird things happen while you're logging on or off, but anomalies can occur at any time. The moral of this story is be prepared to capture this weirdness, and be prepared to analyze it when you find it.

You never know when something out-of-the-ordinary is going to happen, like the system operator (sysop) coming on and doing system maintenance while you watch. I've had that happen to me more than once. In fact, there was one week in which it happened twice.

When I was in high school there was one day near the end of September that I was sick, so I was staying home from school. Instead of rushing off to the bus stop, I was on my computer, dialing BBSs. The first day I was sick, I had just finished logging onto a system and was about to read my e-mail when the sysop interrupted. "I have to do something real fast," he typed, "and I'm late for school." Then he went about doing whatever it was he had to do. He went into the back screens of the bulletin board system program, then shelled out to his hard drive, and came back in again. He was doing everything so fast I couldn't keep track of what was going on, but later, after I'd logged off, I was able to go through the file I'd made of the event, and analyze it thoroughly. The information I learned from watching that sysop fix his system did not help me break in anywhere, but it taught me more about how telecommunication systems work. And that's the whole purpose of hacking.

A few mornings later, I was on another system and almost the same thing happened. Another sysop was late to an appointment, but before he went he just had to do some last minute rearranging. This time I was able to understand as I watched what was going on: one of the things the sysop did was to validate a new user's password (a dumb thing to do in front of somebody, but maybe he didn't realize I could see what he was typing). Since I was capturing the event in a text file as I watched it, there was no need for me to scramble for a pen to write down the passwords as I saw them scroll across my screen.

An alternative to data capture is to have your printer running continuously. There are people who do this, but it's always seemed to me to be a complete waste of ink, paper, time (especially if you have a slow printer) and electricity. Also, a printer won't be as efficient as a program at capturing strange control codes and foreign symbols. You're better off capturing your communications data in files, then using a word processor to sort through those files, erase what you don't need, and then perhaps print out the rest.

Past and Future
As you read about the many facets of hacking, you will be introduced to more equipment, tools, software and hardware that will be of interest to hackers who wish to try their expertise in more specialized areas of interest. For now though, all you need is the understanding that...
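The "good-bye!" story in the Data Capture section above describes a remote program that did not clean up when a caller hung up, so the next caller inherited the tail of the previous session. The following is an added example, my own illustration and not code from the book or from any real BBS: a toy line handler with that defect beside one that discards the session on hang-up, and a check over a constructed user log for the back-to-back login pattern the author found in the "User Log". The class names, the `Session` fields, the `USER_LOG` format and the five-second window are all assumptions made for this illustration.

```python
"""Toy model of a BBS line handler that fails to reset per-call state on
disconnect, beside a corrected version, plus a user-log check. Added
example, not from the book; names and the log format are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None   # who is logged in on this line
    sysop: bool = False          # privilege the session carries
    outbuf: str = ""             # text queued for the modem but not yet sent


class BuggyLine:
    """One Session object lives for the life of the process."""

    def __init__(self):
        self.session = Session()
        self.wire = []           # each transmit() appends what went out

    def queue(self, text):
        self.session.outbuf += text

    def transmit(self):
        """Push queued text to whoever is on the line right now."""
        self.wire.append(self.session.outbuf)
        self.session.outbuf = ""

    def login(self, user, sysop=False):
        self.session.user, self.session.sysop = user, sysop
        self.queue(f"Welcome, {user}!\r\n")
        self.transmit()

    def logoff(self):
        self.queue("good-bye!\r\n")
        # BUG: carrier is dropped before the farewell is transmitted, and the
        # Session (user, sysop flag, output buffer) is left exactly as it is.

    def answer(self):
        """A new caller connects; the handler simply carries on."""
        self.transmit()
        return self.wire[-1], self.session


class FixedLine(BuggyLine):
    def logoff(self):
        self.queue("good-bye!\r\n")
        self.transmit()            # farewell goes to the departing caller
        self.session = Session()   # nothing survives the hang-up


def next_caller_sees(line_class):
    """Sysop logs in and off; return what the very next caller receives and
    which user/privilege the line believes it is now serving."""
    line = line_class()
    line.login("sysop", sysop=True)
    line.logoff()
    text, session = line.answer()
    return text, session.user, session.sysop


# Constructed user log, one event per line: "<date> <time> <event> <user>"
USER_LOG = """\
1993-03-04 21:15:02 LOGIN sarah
1993-03-04 21:40:11 LOGOFF sarah
1993-03-04 21:40:14 LOGIN knightmare
1993-03-04 22:05:40 LOGOFF knightmare
1993-03-04 23:10:00 LOGIN bob
"""


def back_to_back_logins(log_text, window_seconds=5):
    """Return (previous_user, next_user, gap_seconds) for every login that
    follows the preceding logoff within window_seconds. On a single-line
    BBS that gap is where a carried-over session would show up."""
    hits, last_logoff = [], None
    for line in log_text.splitlines():
        date, time, event, user = line.split()
        ts = datetime.fromisoformat(f"{date} {time}")
        if event == "LOGOFF":
            last_logoff = (ts, user)
        elif event == "LOGIN" and last_logoff is not None:
            gap = (ts - last_logoff[0]).total_seconds()
            if gap <= window_seconds:
                hits.append((last_logoff[1], user, gap))
            last_logoff = None
    return hits


if __name__ == "__main__":
    print(next_caller_sees(BuggyLine))   # ('good-bye!\r\n', 'sysop', True)
    print(next_caller_sees(FixedLine))   # ('', None, False)
    print(back_to_back_logins(USER_LOG))
```

The point of the fix is that the disconnect, not the login, is where a session must end: every piece of per-call state is replaced, not merely overwritten by the next caller's login. The log check is the same thing the author did by hand, and on a real system it is a cheap thing to run over the user log after any report of "garbage" at the login prompt.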

Days Of Yore Live On
When you start reading through the literature of data security, you begin to get worried. Gone, it seems, are the days of "Joshua doors" as in the movie WarGames. Gone are the system bugs and loopholes, the naively entered "PASSWORD" used as a password. Gone, it seems, is the reverent awe people once held for the lone hacker, cracking secret government databases in the middle of the night. Gone are the lone hackers. It seems.

But all of this really isn't true! As recently as just a few years ago, Robert Morris, Jr., was hacking into computers using system bugs that he himself had discovered. These weren't even new bugs; they were old ones that no one had ever noticed or bothered to correct before! Who knows how many more similar bugs like it are out there, waiting to be manipulated?

And the trap doors will always be there as well: it is the programmer's vanity that leads him to stylize otherwise joint or corporate software by inserting covert code, either for benign, "jokey," Easter Eggs[1] purposes or to wreak havoc later on. And don't forget all the stupidity: the test accounts and demo modes, the default security measures that nobody bothers to delete or change.

[1] An Easter Egg in the computing sense is some unexpected, secret thing you can do with a piece of software that the programmer put in but doesn't tell anyone about.

In July 1987, a bunch of Chaos Computer Club members hacked their way through the network, from an entry in Europe, to NASA's SPAN system (Space Physics Analysis Network). These crackers exploited a flaw in the VMS infrastructure which DEC Corporation had announced was remedied three months earlier. There must be hundreds of VAX computers still out there, still running the faulty parts of the operating system. Even with the patch in place, the Chaos members reportedly were laughing themselves silly over the often trivial passwords used to "protect" the system. Some of the passwords were taken straight from the manufacturer's manuals! On the one hand we have a top secret VAX 11/785 computer with the full power of NASA to protect it; but on the other hand there are approximately four thousand users of that computer. Never can you get 4,000 people together and still keep secrets hushed up.

Hacking may seem harder than ever before, but it really is not. The culture may have gotten more security-aware, but the individual user still lives in a world of benign indifference, vanity, user-friendliness and friendly-userness. Users who are in-the-know will always want to help the less fortunate ones who are not. Those who aren't will seek the advice of the gurus. And so Social Engineering and Reverse Social Engineering live on, as you shall discover within these pages.

Ease of use will always rule. The "dumb" password will be a good guess for a long time to come. After all, people just don't choose "6Fk%810(@vbM-34trwX51" for their passwords!

Add to this milieu the immense number of computer systems operating today, and the staggering multitudes of inept users who run them. In the past, computers were only used by the techno-literate few. Now they are bought, installed, used, managed, and even programmed by folks who have a hard time getting their bread to toast light brown. I'm not downgrading them; I applaud their willingness to step into unfamiliar waters. I just wish (sort of) that they would realize what danger they put themselves in every time they act without security in mind.

It is a simple and observable fact that most computer systems aren't secure. If this isn't clear now, it certainly will be once you've read a few chapters of this book. Ironically, many of the people who operate computer installations understand that there is a problem with system security; they just don't do anything about it. It seems incredibly naive, but it's true. There are lots of reasons why companies don't increase computer security. Publicly or privately, they say things like:

Extra security decreases the sense of openness and trust which we've strived to develop.
Security is too much of a nuisance.
Extra security just invites hackers who love a challenge.
It would be too costly or difficult to patch existing security loopholes.
The reprogramming could open up new security problems.
We've never had a security problem before!
The information we have here is not important to anyone but ourselves; who would try to break in here?
But we just had a security breach; surely they won't come back!
Didn't all those computer hackers grow up and go on to better things?

There are different reasons why each of these statements is either wholly or partially incorrect. The last one is certainly false as any reader of this book should be quick to point out. Computer hacking (as well as the misuse of computers) will always be a contemporary issue because of the great value computers have in our daily lives. Some of these sayings also have their validity. In any case, the people who run computer installations (call them sysops, system managers, computer operators or whatever) very often believe in these things, and so the window of opportunity is left open. With a little work we can often ride the breeze inside.

Computer Crime

I would love to honestly be able to say that computer crime does not exist in the world, but I can't, because it does. When you're talking about the bad stuff that people do with computers, hacking truly is at the bottom of the list, and it certainly is the farthest removed from traditional crimes, things like murder and burglary, which we feel in our hearts are wrong. True hacking is victimless, so it is in my way of thinking only vaguely a crime. Perhaps it is immoral or wrong, but there is much worse that can be done.

Computer crimes come in seven basic categories, all of which are related to the concept of "hacking" in some way. The seven categories are financial theft, sabotage, hardware theft, software theft, information theft, and electronic espionage. The seventh "crime" is computer hacking.

Stealing Money
Financial theft occurs when computer records are altered to misappropriate money. This is often done by programming the computer to route money into a particular bank account, usually by the use of a salami technique.

A salami technique is a method used to steal small sums of money over a long period of time, with the assumption that such small sums won't be missed. The criminal reprograms the computer at a bank or some other financial institution so that fractions of pennies will be given to a dummy account.

For instance an account might hold $713.14863, where the "863" occurs because of the multiplication involved to figure interest rates. Normally the computers would say this person has $713.15 in the bank, rounding up the 4 to a 5. However, a computer programmed with salami in mind would slice off those extra digits and put them into a separate account. Now the person may only have $713.14 in the account, but who's going to notice or complain about a missing penny?

The computer is not generating new money, it's only shifting valid money to an invalid account. This can make salami thefts hard to detect. Once the criminal's account has grown big enough on those fractions of pennies, he or she can withdraw the money and most likely will get away with the crime. Many thieves have tried this form of bank robbery, and many have been caught, but dozens or hundreds of such operations could be going on today without anyone's knowledge (or so the "experts" claim).

The way investigators check to see if a salami technique is being used is to have the computer make a list of all accounts, and how many times per day over a period of days a transaction has occurred with that account. Next, any account that is accessed an exorbitant number of times per day is checked to see how much money each of these transactions represent. If it's tiny sums, someone's up to something!

While I don't condone such thievery, I feel obligated to point out where computer criminals have gone wrong in the past and how to avoid future mishaps. Instead of reprogramming the computer to immediately transfer those fractions of pennies to an account, they would have been wiser to simply subtract the amounts and keep track of how much money is collected in an area separate from the account files. Then, the portions of code which print out total bank holdings should be altered to include that hidden figure in its summation, so those minuscule amounts aren't missed. Once the figure reaches a certain point (for instance, some random value over one hundred or two hundred dollars) only then should it be transferred to the thief's account. I say some "random" value so every transaction on the thief's account won't be exactly the same and thus suspicious.

Such thievery requires access to a computer; usually these crimes are committed by employees of the institution at which the crime occurred, and so true hacking is not necessary. However, when an employee with limited computer access or a complete outsider pulls off a financial theft, computer hacking will surely be involved.
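The investigator's check described above (list every account, count its transactions per day, then look at the size of the transactions on any account hit an exorbitant number of times) is straightforward to run as a program. What follows is an added example, my own code and not from the book: it reproduces the $713.14863 rounding from the text with honest and salami-style booking, builds a constructed ledger in which every truncated fraction is credited to a dummy account, and then applies the check. The account names, the daily interest rate, the ledger format and the thresholds (more than 20 postings a day, 90% of them under one cent) are all assumptions made for the illustration.

```python
"""Detection of salami slicing as described above. Added example, not from
the book: ledger, account names, interest rate and thresholds are constructed."""
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")


def book_interest(exact, honest=True):
    """Post an exact interest figure to an account.

    Honest code rounds to the nearest cent ($713.14863 -> $713.15).
    Salami code truncates ($713.14 for the customer) and hands back the
    fraction it cut off, which is what gets routed to the dummy account.
    Returns (amount_booked, amount_sliced_off)."""
    if honest:
        return exact.quantize(CENT, rounding=ROUND_HALF_UP), Decimal("0")
    booked = exact.quantize(CENT, rounding=ROUND_DOWN)
    return booked, exact - booked


def residue_example():
    """The book's figure, as strings: (honest, salami customer, slice)."""
    honest, _ = book_interest(Decimal("713.14863"))
    cust, sliced = book_interest(Decimal("713.14863"), honest=False)
    return str(honest), str(cust), str(sliced)


def make_ledger(days=3, customers=50, dummy="ACC-9999"):
    """Constructed ledger of (date, account, amount) tuples.

    Each customer gets one daily interest posting; the truncated fraction of
    every posting is credited to the dummy account, so the dummy sees
    `customers` sub-cent credits per day while everyone else sees one."""
    rate = Decimal("0.0000137")            # constructed daily interest rate
    ledger = []
    for d in range(days):
        date = f"1993-03-{d + 1:02d}"
        for i in range(customers):
            balance = Decimal(1000 + 37 * i)   # constructed balances
            booked, sliced = book_interest(balance * rate, honest=False)
            ledger.append((date, f"ACC-{i:04d}", booked))
            ledger.append((date, dummy, sliced))
    return ledger


def suspicious_accounts(ledger, max_per_day=20, tiny=CENT, tiny_share=0.9):
    """Count transactions per account per day; for any account touched more
    than max_per_day times on some day, look at the amounts. Returns
    {account: (transaction_count, total_amount)} for accounts whose
    transactions are overwhelmingly tiny sums."""
    per_day = defaultdict(int)       # (date, account) -> count
    amounts = defaultdict(list)      # account -> [amount, ...]
    for date, acct, amount in ledger:
        per_day[(date, acct)] += 1
        amounts[acct].append(amount)

    busy = {acct for (_, acct), n in per_day.items() if n > max_per_day}
    flagged = {}
    for acct in sorted(busy):
        amts = amounts[acct]
        share = sum(1 for a in amts if abs(a) < tiny) / len(amts)
        if share >= tiny_share:
            flagged[acct] = (len(amts), sum(amts, Decimal("0")))
    return flagged


if __name__ == "__main__":
    print(residue_example())    # ('713.15', '713.14', '0.00863')
    for acct, (n, total) in suspicious_accounts(make_ledger()).items():
        print(f"{acct}: {n} transactions totalling ${total}")
```

Two things the run makes visible that the prose only states: the customer accounts are never flagged, because one posting a day is normal however small it is, and the dummy account is flagged purely on the shape of its activity (volume plus size), without anyone needing to know which code was altered. The author's follow-on advice to accumulate the fractions off-ledger is exactly what this per-account check is blind to, which is why a bank also has to reconcile its booked interest against the interest its own formula says it should have paid.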

Sabotage
Computer sabotage is the physical destruction of computer hardware or firmware, or the tampering or erasure of information stored on a computer. The point of sabotage may be to force a competitor out of business, or, as is sometimes done with arson, to get the insurance money. Computer hacking has only limited involvement with sabotage, since it is the goal of most hackers to keep computers secure, not to destroy them. Still, sometimes sabotage does creep into hacking in limited ways. Reverse social engineering uses what is called sabotage, but it is actually just a bit of tomfoolery used to get a computer to temporarily misbehave. You will read about reverse social engineering later on.

Computer vandals frequently sabotage the information stored on computers after first using hacker's methods to gain entry to them. Vandals should not be confused with hackers, however. Neither should those folks who introduce incorrect or misleading data into a computer system, or otherwise sabotage the data stored therein. An illustration of such data tampering is given by Thomas Whiteside in his book Computer Capers (Crowell, 1978). Between 1968 and 1972 the FBI planted false adverse information on radicals and other people who had wild political views into the computers of credit reporting agencies, "the idea being to harass those citizens by making it difficult, if not impossible, for them to obtain loans or other forms of credit." For all we know various agencies may be continuing this practice. Want your own file verified for accuracy? Hacker to the rescue!

Various Thieveries
Hardware theft is either the stealing of the actual computer or its peripherals, but it can also include the piracy of a computer's internal design. It is related to hacking in that stolen or "borrowed" hardware may be used to procure access codes. In the case of design piracy, a hacker might clandestinely monitor the private e-mail and other computer files of a hardware designer in an effort to steal innovative ideas.

Software theft or piracy is the unauthorized copying of programs protected by copyright. Often hackers will make personal copies of software they find on a computer system, so they can learn how it was programmed and how it works. As with hardware piracy, there is also the aspect of wanting to get an edge on a competitor's new line of software, and so there is the hacking connection.

Information theft may include stolen credit card numbers, TRW reports, new product specs, lab results, patient or client data, or any other data that might be potentially valuable. Electronic espionage occurs when that information is sold to a third party, making the hacker a spy for either another country or company. In both cases hacker techniques are used to steal the information, and possibly even to make contact with the spy agency in the first place.

The Seventh Crime
Finally, there is hacking. Hackers have the ability to do any of the above, but they choose not to. Read that again carefully, and see if you can detect the paradox.

The person who perpetrates the seventh of the seven computer crimes, hacking, has just been described as a person who chooses not to commit any crimes at all. Of course, there is that small matter of illegally breaking into other people's computers before that choice is made. But we conveniently disregard that because we don't see any harm in the simple act of "breaking in."

Where other computer crimes are concerned, motivations are obvious. It is obvious why a person would steal a computer, or engage in a financial crime, or a crime of vengeance. But with pure hacking, essentially a peaceful, harmless act, motivations might not be as apparent. The traditional motivation for a hacker was the quest for knowledge. But nowadays that quest may be ruled by higher motives like money. There are hackers who see their talent not as a hobby, but as a trade. In fact, there are a number of both moral and immoral reasons one would provide one's hacking services for a fee. Before we get further into the How's of hacking, let's take a brief look at the Why's.

Hacker Motivations
The IRS has a bad reputation and it deserves it. Sure, they pretend to play fair (I have a friend who received a refund check from the IRS for one cent; so apparently they can be honest at times), they pretend to do things in our interest, but underneath it all they do a lot of cheating, conniving things.

For instance, the IRS has a computer selection program called the Discriminate Function System. DFS is a system used by the IRS to select over 80 percent of the income tax returns which will be audited. When the DFS selects a return for audit, it is because the program believes there is a high probability the citizen made improper deductions, or hasn't reported all income, or for some other reason believes the filer has lied.

Now, as citizens of the United States, we are entitled to know all the laws and regulations of our country, right? Not so, according to the IRS. The decision-making formula (algorithm) used by the DFS to select which returns will be audited is kept secret from us (so we can never really know to what extent an action of ours breaks the IRS's return-selection laws).

It seems logical and fitting for the IRS to not reveal this secret, because doing so prevents a lot of fraud. But it also restricts our rights, and several years ago, two outraged citizens sued the IRS to reveal their selection formula. The citizens won and the IRS was ordered to reveal the formula. The IRS was not ready to reveal their secrets, and they appealed their way up to the Supreme Court and still lost in favor of the Freedom of Information Act.

But since the IRS is a crying, whining, wily baby, they refused to obey the court orders, and ran to Congress for help. Congress, of course, immediately enacted a statute which made the IRS's audit selection algorithm immune to the Freedom of Information Act.

Now, I ask you: Can you think of a better reason to hack than to get back at the IRS? I'm sure that someday some hacker will surreptitiously stroll into the IRS's computers and make off with their Discriminate Function System, and publicize it widely for all to see and file by.[2] Even if that doesn't happen, and even if that's not a hacker's main goal (which I wouldn't expect it to be), there are plenty of motivations from which to choose.

[2] This has already happened in Australia. A computer professional working for the Australian Taxation Commission wrote up a guide to the confidential computer program which the commission used to determine the legitimacy of a taxpayer's income tax form. Taxpayers could use his guide to safely overstate the amount of deductions they claimed.

Dissemination of information is always an honorable incentive to hack. According to Tom Forester and Perry Morrison in their book on computer ethics (listed in the bibliography), following the Chernobyl nuclear disaster, hackers in the Chaos Computer Club "released more information to the public about developments than did the West German government itself. All of this information was gained by illegal break-ins carried out in government computer installations." Certainly that was a noble and just act on their part, from our point of view.

Hackers also see themselves as preventers of disasters, computer disasters that is. There have been several recent examples of computer security companies from all over the world putting their security products to the test. They did this by publicizing a phone number hackers could call to try to beat the system. Sure this is done for advertising hype, but it is also a good idea, and it gives hackers a chance to do some computer cracking in a benign setting.

Hackers who maintain a high degree of virtue will use their illegal hacking to prevent disasters. Once they have discovered (and misused) a security loophole in a system, they will warn the system operator of that fact. Hackers are thus beneficial to the world in that they act to keep the world informed and secured.

But we can only be assured of these traits if the hackers themselves conform to ethical behavior. Unfortunately, due to the exciting/risky/devilish nature of hacking, the people involved are often immature and play around in juvenile activities such as vandalism and carding (mail ordering stuff

on other people's

credit cards).

These are the

of activities that True Hackers should strive

sorts

NOT to

be associated with, as they degrade the word


"hacker."

Many hackers, even some very good hackers,


have done their part to give hacking a bad name by
having skewed motivations. There have been
plenty of destructive hackers, and those

did not know

who

just

when to quit.

There are also hackers-for-hire. Private citizens


pay hackers to change computerized

are willing to

information for them


levels.

Or

grades, ratings,

tion about themselves deleted

bills,

who want

there are the people

access

informa-

from the record, be-

cause they are in hiding. Private investigators can


always use the skills of the hacker to find addresses
and phone numbers, credit ratings, and other private concerns of clients and suspects which are contained on computers. Office workers have hired
hackers to scope out the personal electronic mail
and files of coworkers and competitors, to gain an
edge when making a proposal or a bid. There is not
only industrial, but governmental espionage. All of
the above has been done and is being done RIGHT
NOW, by hackers who hack for money.
Hackers tend to look down on other hackers

who

fall

into

this

line

of

work.

Maybe

once-in-a-while job

is

and exclusively is to
I

okay, but to do

sell

it

extensively

out one's integrity.


people reading this book,

like to think that all

and all hackers, will use their talents to good ends:


to promote public awareness, prevent tragedy, and

new technologies and new


own self-growth.

to learn

one's

innovations for

Chapter Two:

The History of Hacking

First Came Hardware

Where does one begin a history of hacking? Do we start with the creation of the computer, by J. Presper Eckert and John Mauchly? During World War II this pair of engineer and physicist approached the US Army with a proposal for an electronic device that would speedily calculate gunnery coordinates, a job that was then tediously being done by hand. With the government backing their way, the Electronic Numerical Integrator And Calculator (ENIAC) was born in 1946. It was a year after the war's end; the machine's designed function was now superfluous, but the dream behind its imagined future uses lived on.

Of course, the origin of the computer (the computer, for god's sake, the most revolutionary invention since the telephone) can not be so easily summed up in a tidy paragraph of wartime patriotic stupor. The real story goes back further, to Konrad Zuse, whose patent for a general-purpose electromechanical relay computer in 1938 was turned down by the Patent Office as being not specific enough. It may have been ENIAC that spawned the next generation of computers, but ENIAC was a one-task machine. Zuse's contraption had the feel of modernity to it: a machine that would do... anything.

But is that where hacking began? Certainly not. The longing to do... anything has been in the human psyche for ages. Perhaps we should begin with the revolutionary creation of the telephone, culminating with Alexander Graham Bell's historic "accident" on March 10, 1876. The telephone was not an immediate best seller. After all, you couldn't simply buy one and place it in your house and use it. Lines had to be installed. Networks had to be created to link home to home, business to business, and finally, state to neighboring state. Almost thirty years of growth for the phone to spread throughout the country.

YIPL and TAP

So, there was the telephone, there was the computer, and there was an undaunted inquisitiveness in the collective human subconscious. It took another war to shake that curious imagination loose onto the world, and on May Day, 1971, the Youth International Party Line became the newsletter of the fun-seeking, disenfranchised riffraff of New York City's Greenwich Village. Abbie Hoffman and a phone phreak who went by the handle Al Bell used YIPL to disburse information about cracking the phone network. It was the first instance of subversive information of its kind finding a wide audience. Subscriptions to the journal spread the word of this arm of the underground far away from Bleecker Street to people of all walks of life. Today this distribution would be done by computer, and indeed, a great deal of hacker/phreaker/anarchist material surfs around the world on the invisible waves of cyberspace.

A few years after YIPL's inception, it became TAP (Technological Assistance Program) when the goals of the phreaks collided with the more politically-minded members of YIPL. TAP was more technical than partisan, and more suited for hackers and their kin.

Computer Crime

The first recorded computer abuse, according to Donn B. Parker, a frequent writer on computer crime, occurred in 1958. The first federally prosecuted crime identified specifically as a computer crime involved an alteration of bank records by computer in Minneapolis in 1966. Computers were not so widespread then as they are now, and the stakes weren't quite so high. It's one thing to have money controlled and kept track of via computer; it's quite another to have power controlled in this way. In 1970, many criminology researchers were stating that the problem of computer crime was merely a result of a new technology and not a topic worth a great deal of thought. Even in the mid-1970s, as crimes by computer were becoming more frequent and more costly, the feeling was that the machines themselves were just a part of the big environment, and so they naturally would become a component of crime in some instances. It doesn't matter if a burglar carries his loot in a pillow case or a plastic bag; why should the props of the crime determine the way in which criminologists think about the case?

This was an unfortunate mode of thought for those charged with preventing computer crimes, because while research stagnated, the criminals, crackers and hackers were actively racking their brains to come up with more ingenious methods of doing things with computers they were not supposed to be able to do. The criminologists could not have realized then that the computer really was an integral part of the crime, and that the existence of these machines and the systems built around them led to whole new areas of crime and thinking about crime that had never before been explored.

Lawmakers and enforcers, however, finally did sit up and take notice. In 1976 two important developments occurred. The FBI established a 4-week training course for its agents in the investigation of computer crime (and followed it up with a second course for other agencies in 1978). Also in 1976, Senator Abraham Ribicoff and his U.S. Senate Government Affairs Committee realized that something was going on, and it was important for the government to get in on it. The committee produced two research reports and Ribicoff introduced the first Federal Systems Protection Act Bill in June, 1977. These reports eventually became the Computer Fraud and Abuse Act of 1986. Florida, Michigan, Colorado, Rhode Island, and Arizona were some of the first states to have computer crime legislation, based on the Ribicoff bills that had developed into the 1986 Act.

A year before, a major breakthrough was announced at the Securicom Conference in Cannes by a group of Swedish scientists who had invented a method of silently eavesdropping on a computer screen from a far-off distance. But let's save this story for later. Much later.

2600

Tom Edison and Cheshire Catalyst, two phone phreaks who had been interested in the nether side of technology for ages, took over TAP in the late '70s. The journal came to an end before its time in 1983 when Tom Edison's New Jersey condominium burned to the ground, the victim of a professional burglary and an amateurish arson. The burglars had gotten all of Tom's computer equipment, the stuff from which TAP was born. The arson, perhaps an attempt to cover the burglary, did not succeed. It was a sloppy fire, one which Tom and Cheshire hypothesized had been engineered by some irate phone company officer. A few months later, the original TAP printed its final issue.

The following year, in 1984, hacker Eric Corley (aka Emmanuel Goldstein) filled the void with a new publication: 2600 Magazine. Ironically, Goldstein is more a rhetorician than a hacker, and the magazine is less technical and more political (like the original YIPL).

Networks were being formed all over, enabling hackers to not only hack more sites but to exchange information among themselves quicker and more easily. Who needs published magazines? The City University of New York and Yale University joined together as the first BITNET (Because It's Time NETwork) link in May 1981. Now there are networks of networks (such as Internet) connecting the globe, putting all hackers and common folk in direct communication with one another.

WarGames and Phrack

A hacker named Bill Landreth was indicted for computer fraud in 1983, and convicted in 1984 of entering such computer systems as GTE Telemail's electronic mail network, and reading the NASA and Department of Defense correspondence within. Naughty boy! His name will come up again. 1983 also saw the release of WarGames, and all hell broke loose. Certainly there had been plenty of hacker activity before the movie came out, but previous to WarGames those hackers were few in number and less visible. The exciting story of David Lightman (played by Matthew Broderick), a school-age whiz kid who nearly starts World War III, became the basis for many modems for Christmas presents that year. Suddenly there was a proliferation of people on the hacking scene who were not really hackers in expertise or spirit. Bulletin board systems flourished, and a large number of boards catering to hackers, phreaks, warez d00ds (software pirates), anarchists, and all manner of restless youth sprung up.

The online publication Phrack was founded on November 17, 1985, on the Metal Shop Private BBS in St. Louis, Missouri, operated by Taran King and Knight Lightning. The term "online" referred to the fact that this magazine was distributed, not at newsstands and through the mails, but on the "news racks" of electronic bulletin board systems, where collections of files are available for the taking. Later, when the journal's founders went off to college and received Internet access, the publication was distributed through list servers which can automatically e-mail hundreds of copies of the publication throughout the world. Phrack is still distributed in this way. As the name implies, Phrack deals with PHReaking and hACKing, but it also is pleased to present articles on any sort of mischief-making. Annual conventions, hosted by Phrack, called SummerCons, are now held in St. Louis.

Shadow Hawk

Bill Landreth, who had been arrested in 1983, was let out on parole and there are reports of his mysterious disappearance following publication of his guide to computer security called Out of the Inner Circle. He left a note stating that he would commit suicide "sometime around my 22nd birthday..." There was much discussion about all this. Was it a publicity stunt, or for real? Eventually Landreth reappeared in Seattle, Washington, in July, 1987, and he was hastily carted back to jail for breaking probation.

The month before, on the anniversary of D-Day, a cracker named Shadow Hawk (also identified by some press reports as Shadow Hawk 1) had been discovered by an AT&T security agent to be bragging on a Texas BBS called Phreak Class-2600 about how he had hacked AT&T's computer system. Shadow Hawk (really Herbert Zinn of Chicago) was an 18-year-old high school dropout when he was arrested. He'd managed to get the FBI, the Secret Service, the Defense Criminal Investigative Service and the Chicago U.S. attorney on his tail for not only the above mentioned hack, but also for invading computers belonging to NATO and the US Air Force, and stealing a bit over $1 million worth of software. Shadow Hawk's case is important because in 1989 he became the first person to be prosecuted under the Computer Fraud and Abuse Act of 1986.

Shadow Hawk is just one example of how this hobby has gotten people in trouble with the law. Around this time there were a lot of hackers being brought down by all manner of cops: security officers for the telephone companies and other organizations, the FBI, local police and concerned citizens. This was the time when the investigators got smart. Not that they suddenly knew more about computers and hacking, but now they understood that to catch a lion, one must step into its den. These police agents started logging onto hacker BBSs and amassed huge dossiers on the people who normally used those boards. Many warnings were issued, and many arrests were made.

In August, 1986, Cliff Stoll first set out to find out why there was a 75¢ imbalance in the computer accounts at the Lawrence Berkeley Laboratory in California. Stoll's efforts led to the discovery of a group of German hackers who had broken into the computer system. In October, 1989, a book about Stoll's exploits called The Cuckoo's Egg was published and became an instant best seller.

Organized and independent hacker activity continued for the next few years with little public interest. There were threats in early 1988 by the West Berlin Chaos Computer Club that they would trigger Trojan horses they had implanted into NASA's Space Physics Analysis Network, thus causing the chaos of their name. The threats never materialized but minor havoc was wrought anyway, as many computers were temporarily pulled from the net until the threat could be analyzed.

The end of 1988 (November 2, to be exact) marked the beginning of a new surge in anti-hacker sentiment. It was then that Robert Morris Jr.'s computer worm began its race through the Internet. Exploiting an undocumented bug in the sendmail program and utilizing its own internal arsenal of tricks, the worm would infiltrate a system and quickly eat up most or all of the system's processing capabilities and memory space as it squiggled around from machine to machine, net to net.

The Electronic Frontier Foundation

The birth of the Electronic Frontier Foundation was announced July 10, 1990. EFF is a group dedicated to protecting our constitutional rights; it was created as a response to a series of rude and uninformed blunderings by the Secret Service in the witch hunt known as Operation Sundevil. By May, 1989, this "hacker hunt" had led 150 Secret Service agents to serve 28 search warrants in 14 cities. They seized 23,000 disks and 42 computers, often for inappropriate reasons. E-mail was left undelivered. Public postings never made it to the screens of the computer community. Many innocent bystanders (as well as criminals) were arrested.

John Perry Barlow (author, retired cattle rancher, and a lyricist for the Grateful Dead), and computer guru Mitch Kapor, best known for writing Lotus 1-2-3, were outraged by these events (and by their own run-ins with the FBI over stolen source code that was being distributed by the NuPrometheus League). They teamed up with attorney Harvey Silverglate who was known for taking on offbeat causes. Some yellow journalism by the Washington Post provided the publicity needed to attract Steve Wozniak (co-founder of Apple) and John Gilmore (of Sun Microsystems) who offered monetary support for the enterprise.

It was at this point that the Steve Jackson incident made the headlines. An Austin, Texas, publisher of role-playing games, Jackson's business was raided by the Secret Service because one of his games, called GURPS Cyberpunk, had to do with a kind of futuristic computer hacking. The Secret Service called Jackson's game "a handbook for computer crime." This was ludicrous, akin to arresting Milton Bradley because they sell Chess, which teaches kids how to wage war. Jackson's office equipment was confiscated, he was forced to lay off half his staff, and he very nearly went into bankruptcy. "Eventually," Jackson later wrote, "we got most of our property back (though some of it was damaged or destroyed). The Secret Service admitted that we'd never been a target of their investigation." Jackson sued the U.S. government (the Secret Service, two of its agents, and a Bellcore official were named in the suit) on charges that the Secret Service had violated his right to free speech during the office raid. Justice prevailed and the SS was held guilty. Jackson has since made a role-playing game about the incident.

The summer of 1990 was filled with all sorts of similar surprises. There are the famous stories, the infamous ones, and the ones that barely made the back page. In the middle of August, thirteen New York young adults and minors were charged with felonies involving computer tampering, computer trespassing, and theft of services. They had broken into the Pentagon's computers, among others, and got a whole load of law enforcers on their tail. $50,000 worth of computing equipment was seized, said to have been used by the hackers to do the break-ins. Dozens of stories like this were reported then quickly faded. Other tales and other hackers held more interest, like Acid Phreak and Phiber Optik, who became "celebrity hackers," speaking on behalf of the hacker community for various media. Phiber Optik was eventually arrested and sentenced to thirty-five hours of community service in February, 1991.

And the Craig M. Neidorf story made headlines. We have already mentioned Neidorf (Knight Lightning) as one of the co-founders of Phrack. Neidorf published an (edited) internal BellSouth paper in Phrack and was quickly charged with interstate transport of stolen property, with a possible sentence of 60 years in jail and $122,000 in fines. What was particularly absurd was that the document was easily and legally available (though BellSouth declared it to be full of company secrets), and it talked about the BellSouth bureaucracy as it pertained to 911 lines. Sixty years in jail for copyright infringement?

The EFF helped Neidorf through these troubled times (as they'd helped Steve Jackson, and would come to aid many hackers and crackers who'd been treated unfairly or with ignorance by the law). The U.S. dropped its case against Neidorf at the end of July, 1990.

There are dozens or hundreds of stories about hackers every year, and there have been for quite some time. Some are quickly forgotten; others provoke controversy. Such was the case on November 6, 1992, when a group of hackers, peacefully convening in the food court of the Pentagon City Mall outside Washington, D.C., were bullied and manhandled by mall security personnel, Secret Service and FBI agents.

Hacking has had a long past and will continue to enjoy a prosperous and successful future because of people like us who enjoy seeing what secrets are out in the world, waiting to be unearthed.

Chapter Three:

Researching The Hack

Any

serious hack will involve

some prepara-

tory research long before the hacker sets foot near a


is simply because to hack intellione must have knowledge of certain facts

computer. This
gently,

and ideas.
With computer hacking, you should obviously
have some knowledge about computers and telecommunications (ideas) but to actually carry out a
hack requires just one fact: a phone number. Or if
not a phone number, at least one way of accessing a
computer. Either case requires some research. Once
you've called the computer for the first time, some
on-line research is required to tell you how you
should proceed with the hack. And finally, there is
the ongoing research you will do once you've
gained access to a system, to help you make full use
of the facilities you've conquered. The "after research" is discussed in the chapter "What To Do
When Inside." For now, let us discuss what to do to
get started.

Targeting
By

targeting, I'm referring to the process

which a hacker

will decide

which of

all

by

possible

computer

installations to attempt to breach. This

may seem

like a trivial topic for

many

reasons, but

a topic well worth discussing.


suppose you are a rookie at this game. You
have gotten
through research of some kind, or
in fact

it is

Let's

just plain luck

a piece of information you

feel

be helpful in entering a specific system. For example, suppose you've discovered through the
computer crime grapevine the phone number of a
large governmental espionage database. Naturally,
it seems reasonable to call the number and see if it
actually is what you've heard it to be. On the other
hand, it might be better to first research your target
to see if it's worth the time and the risk, and the
phone bill. Look up the number in a criss-cross
will

telephone directory for that region. Criss-cross

di-

many libraries,

are

rectories,

which are available

at

books (usually non-licensed by the phone company) which list the names and addresses that go
with phone numbers. Unlike regular phone books,
criss-cross directories are sorted by number rather
than name. If you can't get this sort of directory,
call
to.

the operator

Naturally

and ask who the number belongs

it is

preferable to use a directory on

reif^Smmw^Mmm
your own, eliminating extraneous interaction with

phone company employees ("witnesses"). If the


phone number is publicly available, it probably
isn't

a computer line after

It

to look
ber,

all, let

alone a secret one.

may seem crazy to you to go out of your way


up a number

it is

before dialing

important to get as

much

it,

but remem-

information as

you can about a system before you make the


call. If it

really is a top-secret database,

assume that your

able to

call will

it's

first

reason-

be traced, or at

the very least, will arouse suspicion.

As

a novice

one tends to get excited with one's first big break


and tends to do stupid, dangerous things. You may
not yet have the expertise to alter phone company
data, or call from a pay phone, or in some other
way make it seem like you are not the person
placing the call. The rookie who calls a number of
this kind after doing a bit of research might be
taking a stupid risk, but that's a few steps higher on
the professional hacker's scale than the one who
calls without any preparation at all. That's just being stupid, period.
So, as far as targeting is concerned,

want

up

to follow

may be

you may not

that first big lead right away.

preferable to wait awhile, until

the expertise to

do

it

properly.

thing about a system

no one

If

else

It

you have

you know someknows,

it's

very

going to remain a secret unless you spill the


beans. If you try to act on your inside knowledge
and fail, you are ruining your chances of getting in
later, as the system managers might see their mistakes and correct them.
My word of caution is this: Don't get in over
your head. Get familiar with floating on your back
before trying to scuba dive for sunken treasure or
else you may end up being the one who's sunk.
likely

Targeting also involves other research.

What

if

you do have some exciting secret that will let you


get in somewhere? Perhaps you should think about

way of reaching that system in the first


For instance, if the system you're stalking is
on the Internet, you would have to determine a
way to access the Internet disguised as someone
else before you could proceed to your main goal.
If you are enrolled at a college, or live near one
the best

place.

and have access to your


count,

and,

it is

from

systems.

own Internet computer ac-

a trifling matter to log in as yourself


there, attempt to connect to other

It's

not

only

Regardless of whether

trifling

it's

you have mischief

dumb!

in mind,

and lazy to do hacking logged in


as yourself. Before you can move out of the few
directories allowed by your minimal access level,
you will have to figure out a way to disassociate
yourself with what you do. That is
and I can't
repeat it enough
you will have to find a way to
connect as somebody else, and through that
connection go on to bigger things.
Breaking into major league computer systems is
very often a matter of, first, personal hacking, and
second, institutional hacking. That is, first you hack
a person (figure out a way of masquerading as that
person), and then you hack the institution (figure
it's

irresponsible

out a way of disguising that person as a legitimate


user of the protected system).
Time, money and effort can be spent needlessly
on attempts to access systems that ultimately turn
out to be dead ends. Maybe your target is a school's
computer, because you want to change your grade
from an F to A. You may think your target individual would be the dean or some other school head,

but as it turns out, in many instances you would be


wrong. School heads often have little or no access
to the computers which hold grades, unless they
themselves teach classes. In this case you would

want to

more likely, a teaching


who have to do
grades. Consequently you

target a professor or

assistant (T*A.). They're the ones

the actual inputting of

would want to research the professor or T.A. to get


a handle on what their passwords might be.
Then there's the matter of the computer. Which
computer should you target for your hack? Teachers, especially in math and computer science
courses, will usually tell you their computer address so you can send them e-mail. But that isn't
necessarily where you need to go to change your
grade. More likely there is some hush-hush administrative computer which carries out those functions, and it is that computer you would want to
hack.
It

seems

logical to

assume

that the president of

a university has the highest level of computer access. But does he or she really? Does the president
actually have a computer account AT ALL? You're
probably better off targeting individual professors.
One English teacher I had mentioned Kojak a cou-

and on several occasions made


be interpreted as
having some relation to that television show
(sometimes he would use phrases that Kojak used
ple times in class,

references to things that could

Mapj ;r Three: Researching The Hack


in the series). Obviously,

one

if

Kojak

is

the place to start

interested in forcing one's

is

way

into this

guy's account (especially since he's an English professor,

and therefore

less likely to

understand the

value of non-real-word passwords).


Kojak-related words
"bald," for

And

trying

like "Telly Savalas," "lollipop,"

passwords

is

the obvious

way

of per-

sonally targeting that English teacher's account.

But is he
first

REALLY the one you want to use in the

place?

wanted

If I

had been

failing that class

to get into his account to

change

Kojak wouldn't have helped me; as far as


able to determine,

who had
sors!

This

it

was

and

my grade,
I

was ever

the teaching assistants

control over the grading, not the profesis

why

it's

necessary to target in order to

If you have goals


mind, do the necessary research to find out if

achieve your intended purposes.


in

you are targeting the

right

PEOPLE,

as well as the

right computers.

be found by reading
documents about a site. Documents pertaining to "ethical use" of the system, and
Potential targets can often

publicly available
articles

encouraging "preventative security" are

often particularly enlightening. For instance, here's

quote I picked up from an outdated memorandum about security policies. This is one suggestion taken from a list of what was felt to be necessary improvements in security. By the time I read the article the improvements had already taken place, but thoughts of needing security were long gone from the minds of those who had written the memorandum, and so security was a little lax. Here's the one suggestion from the list that stuck out:

    Net 19 must be isolated completely by gateways from PCs and from the broadband. Terminal server logins must be strictly enforced on all machines. PCs should be implemented which will run software that will monitor the network for signs of misuse and/or unethical usage.

Look at the goldmine of information that is given here. We have these suggestions for improvement, so now it should be a simple task to determine which software was purchased to implement the suggestions. From there we can see what the software will and will not do, find out about bugs or loopholes, and use other means to discover ways around that software. But most interesting of all (and the point that is related to this discussion of targeting) is the mention of "Net 19." What is Net 19? Obviously it is something that the administration wants to go out of their way to protect. Clearly it's something well worth hacking. If you had been the hacker to first read these words, clearly Net 19 would be the target of your hack.

Keep in mind that I read this document from a public terminal, without having to log in as anybody. It was accessed from a public information system. It is information available to anybody, and look at the wonderful clue it holds for all who see it! Now, when I read this I didn't know what Net 19 was, but I knew immediately to target all efforts toward finding that system and penetrating its security.

This is an example of accidentally found knowledge being put to good use. But don't forget I was reading through every publicly available document for the SOLE PURPOSE of breaking into the system. The specific bit of information I found was accidental, but my finding it wasn't.
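The memo above is one instance of a general habit: run every public document you can reach past a short list of phrases that betray anxiety about an asset ("must be isolated", "strictly enforced", "monitor the network") and note which named systems those sentences mention. The following is an added example, not code from the book: a small Python script that does exactly that over a constructed corpus. The first document is the memo quoted above; the other two are filler written for the example; the cue phrases and the asset pattern are my own assumptions about what such memos tend to look like.

```python
"""Added example (not from the book): rank public documents by how much
security-policy language they contain and pull out the systems named in
those sentences. Cue phrases and the asset pattern are assumptions."""
import re
from collections import Counter

# Phrases that, in an internal memo, usually sit next to something worth protecting.
CUES = re.compile(
    r"\b(must be (?:isolated|protected|restricted|enforced)"
    r"|strictly enforced"
    r"|monitor(?:ed|ing)? the network"
    r"|unauthori[sz]ed"
    r"|access (?:is|will be) (?:restricted|limited))\b",
    re.IGNORECASE,
)

# Rough shape of a named system in such memos: "Net 19", "Terminal server", "VAX2".
ASSET = re.compile(r"\b(Net \d+|[A-Z][A-Za-z]+ (?:server|gateway|network|host)s?|[A-Z]{2,}\d*)\b")


def split_sentences(text):
    """Naive sentence splitter: break after . ! ? followed by whitespace."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def triage(docs):
    """docs: {name: text}. Returns [(hit_count, name, Counter of assets)],
    most policy-laden document first; ties broken by name."""
    ranked = []
    for name, text in docs.items():
        hits = [s for s in split_sentences(text) if CUES.search(s)]
        assets = Counter(m.group(0) for s in hits for m in ASSET.finditer(s))
        ranked.append((len(hits), name, assets))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


# Constructed corpus: the memo quoted above plus two documents that say nothing useful.
SAMPLE_DOCS = {
    "security-memo": (
        "Net 19 must be isolated completely by gateways from PCs and from the "
        "broadband. Terminal server logins must be strictly enforced on all "
        "machines. PCs should be implemented which will run software that will "
        "monitor the network for signs of misuse and/or unethical usage."
    ),
    "cafeteria-notice": "The cafeteria will be closed Friday for cleaning. Please plan accordingly.",
    "newsletter": "Congratulations to the Accounting group on finishing the audit early. The picnic is on the 14th.",
}

if __name__ == "__main__":
    for hits, name, assets in triage(SAMPLE_DOCS):
        print("%d policy sentence(s)  %-18s  %s" % (hits, name, dict(assets)))
```

Run against the constructed corpus, the memo comes out on top with three policy sentences and two named assets, "Net 19" and "Terminal server", which is the same conclusion the text reaches by eye; the value of the script is that it does the same triage over a few thousand documents without getting bored.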
In a way, doing this kind of on-line research (exploring every inch of the system available to you before going after the private regions) is a kind of targeting. If your goal is a specific private computer system, target all public systems related to it before you begin. This can only help you in the long run. It might lead to helpful hints, such as the mention of Net 19, or it might at least familiarize you with various aspects of the system.

Things you should be looking for when you target a public system in this way, with the intent of going after a correlated private system, are: how it handles input and output; if any bugs are present and how the system reacts to them; what the command format is (three letters? control sequence?) and what kinds of commands are available; and machine specifications and hardware. Of course, there are numerous other things you should either be looking for, or will unconsciously be picking up anyway as you look around, like what the visual display is like and how long it takes the computer to process commands. These are things that will be helpful later on, because when you actually are trespassing, you won't want to spend hours trying to find the help command or how to log off.

Targeting may seem not just trivial, but distracting as well. After all, a scientist can analyze a rainbow using specific technical terms that explain what a rainbow is, how it is formed, and why it displays its colors as it does. But in a way, this complicated description of a rainbow is completely unrelated to the rainbow being described. The explanation ignores the beauty of it. The techno-jargon shuns the poetic connotations that we associate with the rainbow we are so interested in describing.

You may use similar arguments to complain that targeting and pre-thought and planning of hacking attacks distract from the pleasure of the hack itself. If you are a hired hacker you will need to get the job done if you expect to get paid. But otherwise, why should we bother to discipline ourselves with such nonsense as targeting? You're right! Certainly you're correct! There is no reason to feel obligated to apply these suggestions that I present. There is no pressing need to think carefully about what you do before you do it, but you should be aware of these things as you start. At least, if you break the rules, you should understand how following them might have helped.

Targeting specific computers that hold interest to you, and that you are sure hold the information you seek, and targeting people who have specific access levels and abilities: all of this is like analyzing a rainbow and ending up with nothing but gobbledygook. But in the long run, if you really want to end up at a position further from where you started, if you want to hack for the enjoyment of it and maintain high pleasure levels throughout the endeavor, I suggest you do these things. They will help lessen the amount of frivolous searching and brute-force monotony needed to get in, and will help you stay out of trouble. So, set up a general plan of action. Make sure the goals you've outlined are really the ones that apply to your case. That way you'll know that what you are hacking won't turn out to be a series of blind alleys.

I keep bringing up the point of "intentions" and "goals," but unless you're a private investigator or some sort of muckraker, you're probably willing and happy to break into any computer available, any and all opportunities that present themselves. This is fine too, and many hackers are so devoted (fanatical?) in their pursuits that even if they know a computer system will offer them nothing exciting once they get inside, they persevere because it is the thrill of the break-in itself that drives them. But as you can well imagine, it is much more interesting to break into a system that holds secrets than one whose contents are worthless to you. Is it worth it to spend months trying to get into a system that contains statistics on the copulation patterns of lab rats? (Not unless you happen to have an interest in that sort of thing.) Choose your targets carefully. Getting into the system is half the fun; once you're inside, the other half can be more exciting.

Collecting Information

Before you begin researching you should know what kind of information you should be trying to find out. There are three topics a hacker should be concerned with: telecommunications in general, computer systems in general, and specific systems. There is a certain level of understanding you should have about computers, modems, the telephone and human nature. Hopefully this book will prepare you with most of the information in these categories that you will make use of. If not (and I readily admit this is not an all-inclusive Bible of the Universe) then go around to some local or special libraries and find out what you need to know.

Maybe there isn't anything you specifically need to know. You will still want to keep up with the latest developments in technology, as well as with the organizations who run the computers you intend to hack. Even if you think you know everything there is to know, it can be most helpful to do a bit of reading to make sure you really are an expert in your field, especially when dealing with such rapidly changing fields as computer hardware, software and telecommunications.
So go to your local library. Go to the shelves with the computer books, and the shelves with the criminal justice books, and the shelves with the business management books. That's where you'll find the "legit" books about hacking and computer crime. Every once in a while, take out some books on telecommunications and look through them. You want to start getting familiar with the various situations you'll be encountering, so look through books on the different information services, on-line databases, computer crime, operating systems, BBSs, and anything else that pertains to what you can do with a computer and a modem. Look up "telecommunications" in the card catalog. Also "security," "hacking," "computers," "telephones," "modems," and anything else relevant you can think of. Also, remember to look through the books in the reference section; you will find the most useful materials there. Hacking is best learned by doing, but many good tricks and leads can be found in the literature.
By the way, do you know who the biggest book publisher in the world is? The United States government. If your library is a government depository, read through all the relevant government publications that interest you. You'll learn a lot from that stuff.

I'm not saying you should read every book in the library, and I'm certainly not saying you should read all this before you begin your hacking exploits. What I am saying is that very often people don't realize the wealth of information that is available to them free for the asking, no need to hack. And by reading these things you will get familiar with what different computer systems look like when you log onto them. You will get to know the kinds of commands that are available to you, and what formats the systems use for names and passwords. Also, you will often find toll free numbers listed in these books, lines you can call to test out various systems, or to get information on the systems. All this information will be helpful to you as you proceed.

While you're at the library go to the periodicals section and take out some computer magazines and newspapers. Borrow some that you don't normally read, or that you've never heard of before. It is useful to write away for information from the magazines, and to send in the Reader Service postcards to get free information. It's amazing what companies will send you, and it's further amazing to think about all the great tips this information offers to the hacker. I'm now on several perpetual mailing lists from various computer security companies. I know everything I need to know about all their products, their upgrades, what businesses use their software, and from that information I can hack my way around their products. Knowing how they go about catching hackers, I know how to avoid getting caught.

Another, sometimes more practical way to use the library is to find out about donated books. Many libraries get donations of books, either for an annual book sale or for their shelves. A lot of those books are old technical and company manuals for computers, software, and operating system procedures. The librarians who deal with donated materials will probably look at this sort of thing and throw it out as useless. If you make friends with them, surely they would prefer giving such "useless" items to you, rather than discarding them. I've gotten many valuable guidebooks, reference guides, operating systems manuals, and disks this way. I even have a very nice and very current set of AT&T security books.

Sometimes the books you pick up have notes scribbled in the margins or on the cover. My favorite note was the one that gave a phone number and group ID access code. The access code had since been deleted, but the phone number still worked and so did the sample visitor's password listed in that manual.

Some Unusual Research Methods

They aren't really all that unusual, because after all, anything that works works! Any time you get an idea for a new way of discovering more about an online system or the people who run it you should do your best to act on that idea. In the long run every bit of data is potentially useful. Anything you manage to find will either help you get in your present target computer, or get in another one some time in the future.

Besides, it's always a delight to find confidential data or insider secrets about a system. Share that knowledge with other hackers and you will be rewarded with interesting tips that will be beneficial to you.

Here are five further research methods: online computer simulators and tutorials; sorting through trash; found disk analysis; examining screenshots; and snooping. Remember: these research methods work. Use them to your advantage.

Online Computer Simulators And Tutorials
Computer-based simulators and tutorials are often employed in teaching the ways of the company computer system. These programs mimic the computer screens users would see if they were to log in to the actual network. Tutorials and simulators differ from the actual network in that they talk the user through a typical use of the system, perhaps showing off special features available to the user. If the user isn't given a guided tour, there is often a workbook that is to be used with a scaled-down version of the actual system, often one with extensive help facilities to teach the new user the ropes.

Tutorials and simulators give new users hands-on experience with the problems and policies of software they will encounter. They are very often used for training purposes instead of the actual system, or as a supplement to it. There are several reasons for this. What if the system is still being installed, or undergoing a renovation? Or perhaps not enough terminals are connected yet for all employees to access the actual system. Using simulators eliminates these problems since they can be set up on any computer. Temporary employment agencies may use software from a specific company to pretrain their workers, especially if the agency gets a lot of jobs from a specific company. Or regular employees may want the convenience of being able to borrow a tutorial disk from the company library to practice on at home. Finally, a good tutorial program or simulation can ensure that everyone receives the same quality instructions, without leaving out important details which a human instructor might forget to teach.

How to get them? Simulation programs may be available from corporate, special or even academic libraries. You may also get hold of one from the publisher. Write to a software publisher, saying you're interested in making a large purchase, and ask if a demonstration disk is available. And you may be able to procure one from a friendly member of the company's computer department (do some social engineering: pretend you're a company manager or supervisor).[1]

Simulators and tutorials are great things for a hacker to come across; the usefulness of them should be self-evident. They will help you learn the systems, and perhaps reveal default entry-words, and might even come with descriptions of system bugs.

Sometimes you have to use your imagination to find other ways in which online simulators can help. I was waiting in an office one day to see someone. The receptionist stepped out for a moment and I stepped behind her desk and borrowed a computer disk I'd noticed stuck in a book. The disk held a program called ARRSIM (ARRangement SIMulator) which was actually a copy of a program they used on-line, only with a minuscule database of names. The program was used to teach employees to use the computers to arrange and schedule meetings between customers and potential contractors.

When I got home I booted it up and started playing around. At one point I tried changing an address and the computer responded, "Supervisor Approval Required" and put a cursor on the screen. Apparently it wanted a password. I tried the one that was used to log into the simulator (which was scribbled on the disk label) but that didn't work. I scanned through the disk with a file maintenance utility, but could find no text (i.e., hidden password) that I had not already seen.

Now, it occurred to me that address changes were probably something that everyone had to do every once in a while. So why had it asked for a password when I tried to change an address? Obviously the program had been designed by your usual paranoid manager who did not trust a receptionist to change a name or address by herself.

So I called my favorite receptionist at the company, and after some suave insider gossip about company matters ("So Sheila's a grandma! Was it a boy or a girl?" I had heard her discussing this with a coworker the day I was there), I popped the question: "Gaye, how do you know what to type when it says 'Supervisor App...'"

"Oh isn't that silly!" she laughed. "It's really horrible. Type 'morris.' I don't know why they have that there. Nobody's supposed to know about it but we use it every day!" I thanked her and, you know what? 'morris' didn't work as a password on the simulator (I don't think anything did). But it was the password used to get into the actual network. Apparently only supervisors were supposed to be able to log on the terminals scattered throughout the offices.

[1] Social engineering is the act of talking to a system user, pretending that you are also a legal user of the system, and in the course of the conversation, manipulating the discussion so that the user reveals passwords or other good stuff.

Chapter Three: Researching The Hack

Sorting Through Trash

It isn't really a dirty job, but serious "investigators" have got to do it, and nobody else will. By "investigators" I refer to hackers who are researching a company or computer. It really isn't all that messy going through the garbage of most places. Often you'll find a separate bin for white paper. Some may be shredded, but mostly not. Try to plan your trips to the trash on days following a few days of sunny weather. You want your garbage to be in tip-top shape.

While I'm inside the dumpster I like to make stacks of the papers I find and load them into garbage bags. Then I bring it home to examine what I've collected. You'll find internal phone directories, names of public and private individuals, training manuals, outdated files, letters, information about projects being worked on, and sometimes even mention of the computer system. Much of it is helpful, and most is interesting too.

Even the regular trash is usually a pretty clean place to be (somewhat). Rummaging around in the garbage bins of various companies, office centers and other institutions, I have come across: microfiche, computer cards, entire boxes of business cards, books, a dead cat (really gross), broken electronic junk, and lots and lots of, well, garbage. Of course most of it isn't helpful for the hack, but often there is knowledge to be gained. You can find out a lot about how an organization functions by its trash, and the way in which that trash is organized.

The first time I did this, I took a single green trash bag from the bin behind a bank. Bank bags, by the way, are stapled shut with a paper receipt that tells the name of the bank, and the time and date of disposal of the bag. The trash within is of two types. There are smaller bags containing refuse from each individual's office in the bank, and then there is the cytoplasm of crumpled forms and discarded paper tapes from behind the counter. The interesting parts are the bags from individual offices. In my first garbage heist, one banker was on the Japanese diet: he was throwing out a Japanese newspaper and a Japanese candy wrapper in addition to his bank-related stuff. There was also the woman, a struggling-to-make-ends-meet single mother, and the assistant bank director. Now the bank director: her garbage was very interesting. It contained a discarded lock from the vault, a box of orange "key hole signals (style 'c')," some vault-key envelopes, a slip of paper with the combination to a safe scrawled across it like a clue in a parlor mystery (12R-32L-14R in case you care), and a memorandum to "Branch Managers" from the woman in charge of "Branch Automation," which apparently had accompanied a disk. From that letter I was able to get the name, address, and room number of the bank's Branch Automation Department, and from there evolved a social engineer through the mails (see chapter on Social Engineering) which resulted in myself getting a copy of the disk in question as well as some other very useful information.

If you were caught hacking a trash bin, you used to be able to say that you were "just looking for cans to recycle." Now offices pretty much recycle everything, so that won't do for an excuse. The old "school" or "community project" ploy is always a good bet: Say you are rummaging around in there doing research for a report on government or business waste.

Before you even step out of your house the first time, do a bit of phone work to find out what the garbage situation will be like. Call up the Solid Waste Department and ask when garbage collection is for the street you have in mind to plunder. If pickup is Monday morning, that's good, since you'll be able to go at night over the weekend, when no one is around. You don't want to end up going the day after collection, so make that call before you hop in your car.

As for recycled white paper, if there aren't any outside bins devoted specifically to it, you might want to go to the office during the day (if it has a publicly-accessible area) and take a casual look at the level of white paper in the recycling cans inside. Do this at different times of day for a few days, and you'll get their recycling schedule. Again, you'll want to nab white office paper when the bins are at their fullest.

[Figure 1: A memo retrieved from the garbage contains valuable information. The memo, addressed to Branch Managers with the subject "DBS Diskettes," asks each branch to check its box of software for a copy of the Destran disk, to return any Destran disk already in the box in the enclosed envelope, and to add the newest copy to the box; it closes with the sender's extension and the instruction RETURN DISKETTE TO BRANCH AUTOMATION DEPARTMENT, ROOM 245.]

GIRK

Of course, you can go out scavenging unarmed through the trash bins of the world, but to facilitate and quicken results, you will most likely want to prepare beforehand for your excursion into the trash of white collar America! Here are the things you should consider including in your GIRK, your Garbaged Information Retrieval Kit:

You might want to wear a custodial-type outfit, if you have it. If you know the company maintenance staff tends to wear baseball caps, or a certain color shirt or jacket, then by all means dress similarly. Wear dark colors, not bright pinks, reds, or yellows that everyone's going to be staring at.

Rubber gloves. Either surgical gloves, or the kind you use while washing dishes. Though most garbage you'll be rummaging through is "clean" (white paper bins for recycling) it's a good idea to wear some sort of thin gloves anyway. You'll also want to wear gloves when you're at home sorting through the bags you lifted.

Ladder. I'm not talking about real ladders here, although you may want to use one. Some dumpsters are very high, or are vertically-oriented, and so climbing out of them may be difficult. Find yourself an old chair or hassock somebody's throwing away, and take it in the trunk of your car. Then you can either put it into the bin from outside if it looks like you'll have trouble climbing out, or you can use it to climb into the bin in the first place. Either way, if you have to leave in a hurry for some reason you can safely leave it behind; after all, it was garbage to begin with, right?

Flashlight. Take a piece of rope or a strip of denim or something and fashion a strap. Make the strap just big enough so you can easily slip the flashlight on and off your hand. Especially if you'll be rummaging at night, you will need a powerful flashlight to guide you through the garbage. Make sure the batteries are okay; the best thing is to use rechargeables.

Garbage bags. Not the clear kind. You must use black, brown, or similarly colored bags for this. After all, you don't want people to see what you've got in them. If you're just pulling manuals, memos, etc., out of the trash and are not bringing home whole, intact bags, you should bring along at least one of your own dark-colored garbage bags, to put everything in. You might want to take two bags, placing one inside the other, to ensure against breakage.

Appropriate clothing. Don't go rummaging through garbage bins in your Sunday finery! Wear shoes you'll be able to climb and jump with. Wear clothes that won't snag, old clothes, clothes that you don't care if they get destroyed.

Empty soda cans. Some hackers tell security guards or other onlookers that they're searching for aluminum cans to recycle. You might want to fill up the bottom third of one of your garbage bags with cans, or maybe leave an open bag of cans outside the bin so bypassers will be able to figure out for themselves that you're collecting cans for charity. One time I told a stodgy old guard, "The science classes at my school are competing to see how many cans we can recycle. For every pound of cans we bring in, our school gets three dollars. The class that brings in the most cans wins a prize. Right now we're in second place, so I want to bring us up to first!" He walked away and came back with a handful of empty beer cans and bottles. "Are you doing glass too?" he asked.

Remember: don't carry unnecessary things in your pockets, or things like watches that are going to fall off your wrist. You don't want to lose money, wallets, credit cards, notebooks or anything else to the hungry stomach of a garbage bin, so leave all that at home. Before you leave the house, do a pocket check. Make sure you have nothing that could identify you and nothing you can't afford to lose. This seems like obvious advice but I can recall at least four different messages posted by hackers on private BBSs where they said things like, "Jeez! I just came back from the CompuPhone dump and I forgot to put my ring back on after I climbed out of the can! Now I'll have to go back there tomorrow!"

On the other hand, you might want to take along a cheap watch or something that didn't cost much but looks expensive. Then if some curious person comes along you can jump up and say, "Here's that stupid watch! I knew that idiot janitor threw it out with the trash!"

Also, another good idea: take a shower when you get home!

Found Disk Analysis

When you hack you will begin to find disks everywhere. Some have been discarded, mangled, warped, bent; some have been carelessly lost, in the drive of a public computer, under a keyboard, behind a desk; and others you will find in their natural place: lying around on people's desks, in disk boxes, in library reference books, in file cabinets. You want to be able to read data files off these disks and rerun any programs on them.

I am not going to suggest that you actively steal disks that you find in an office or wherever, but if you can manage to sneak one away for a few days or overnight without it being missed, then the best of luck to you!

Before I go into what should be done with found disks, let's get our terminology straight. Here I will be talking about microcomputer disks, which come in two varieties: 5¼" and 3½" disks. A disk is composed of two parts. There is the square plastic outside, which I will refer to as the envelope, and the circular mylar disk inside. The square envelope is simply a means of protecting the flimsy and fragile disk within, and can be horribly mutilated without damaging data on the disk itself. 3½" disks have a small plastic or metal door that slides open to reveal the disk inside. 5¼" disks are unprotected in this way; their disks are exposed through an oval hole.

WARNING! Never put a disk of unknown origin, especially a physically damaged one, into a good disk drive. Before examining found or damaged disks, you should get ahold of a cheap, second-hand drive and use that for found disk analysis. Examining bad disks can easily damage your disk drive. Never use bad, damaged or found disks on a good quality drive!


Check Up

Begin a found disk analysis by removing the disk from its paper sleeve if there is one, and eyeballing both sides for any distinct problems such as grooves, coffee stains or wrinkles. It is amazing what disasters disks can live through. During the early '80s when home computers first hit the marketplace, there were warnings everywhere: "Don't put disks by magnets, by your monitor, on your printer, or near your telephone. Don't bend disks, don't let your fingers stray from the label..." And on and on. Certainly you should treat disks carefully, but as we've learned since floppy drives became inexpensive enough for anyone to afford, disks just aren't as fragile as they were once thought to be. And certainly the plastic and Teflon they are made of are cheap enough to throw away, meaning discards are common. So if you are rummaging through a company's trash bin and you see a mangled disk, take it; you might be able to get something interesting off it.

If there is nothing visibly wrong with the (5¼") disk, but you're still wary (because you found it in a garbage can or in a dusty place or something) you should carefully hold the envelope with one hand while rotating the disk with the other hand (using the hub ring). Look at the disk through the oval window as you do the rotation. Then turn the disk over and inspect the other side the same way. For 3½" disks, you will have to hold open the sliding door with a finger as you rotate the disk using the hub ring.

If you suspect that a 5¼" disk is filthy, or if there is any dirt at all inside, rotating the disk may scratch it. Instead of rotating it, do this: Push the disk to the bottom of the envelope with your finger. Take a pair of sharp scissors or a knife and cut off a very thin strip of plastic from the top (label) edge of the envelope. With thumb and fingers, puff out the envelope, and ease out the disk. Don't wipe dirt off the disk; you don't want to scratch it. Try to blow away dust and dirt, or use a hair dryer set on low heat, or a can of compressed air.

Now look inside the plastic envelope. You will see a lining of a white gauze-like material. If that's dirty, throw away the envelope. Take a different disk (that contains data you don't need any more), slit the envelope open the same way, remove the disk and replace it with the other round floppy. Make sure the reinforced hub ring (if it has one) faces front. Now you can try using this disk on your cheap second-hand disk drive.
For 3½" disks, you can first carefully remove the door, then gently pry open the plastic envelope case with a knife. Don't jam the knife into the envelope; rather work around the edges and corners where the two halves are snapped together. Remove the floppy disk. Blow away any dirt, then put the disk into a clean envelope, using tape to keep the pieces together. Replace the sliding door if you can, but don't worry about that aspect if you have trouble doing so; most drives will not miss it.

Let's look at some other ways a disk can be damaged but still remain salvageable.

5¼" disks sometimes get folded or bent. They are still usable but the bending can misalign your drive head. Not only will this ruin your disk drive, but subsequent disks inserted may be irreversibly damaged. Therefore, never use bent disks on a good drive, or good disks in your bad drive. If you find a bent disk in the trash, first flatten it out as best you can. Put it on a hard, smooth, flat surface. Cover it with a few sheets of paper, then take a heavy book and press it down. Do NOT try to straighten disks by bending them the other way. If the outside envelope still seems in pretty bad shape, remove the inner disk and insert it in a good, flat envelope as described earlier.


Damage To One Side

If the damage to a disk is limited to a single side, you will still be able to read data from the other side. There are two ways to do it. The first way is to use a superzap program to selectively read tracks, piecing together data as you find it. Superzap programs, such as DOS's DEBUG utility, let you read individual sectors off a disk and alter the data byte by byte. If you can get your hands on an old single-sided drive it will make your work a bit easier: simply insert the disk bad-side-up, and read away. (In single-sided disks, data is normally read from and written to the back of the disk, the underside if you hold the disk label-side up.)

[Figure 2: Don't try this with your store-bought disks! After slicing open the top, apply pressure to the sides (A). Then (B) slide out the disk. Now you can repair the disk, clean it, and slide it into a fresh envelope.]

A second option is to use a cosmetic disguise to hide the damaged side of the disk. For example, suppose you have found a 5¼" disk with unremovable blemishes on one side only and your drive simply refuses to read the disk. Here's what you do. Take another 5¼" disk, format it, then cut it open. Remove it from its envelope, and tape the new disk over the blemished disk. The tape should be between the two disks (thin double-sided tape works best). Make sure you line up the two disks precisely. Insert the taped disks back into a clean envelope, and see what you can make happen!

Rips And Tears

You can very carefully tape a ripped disk back together with thin transparent tape. Make sure to only put tape on one side at a time. Once you've gotten all the data you can off one side, you can remove the tape and repair the other side. As before, it is imperative that you don't let the tape get onto the side of the disk which the drive will be reading, or you could throw off your drive's read/write head, and may get sticky stuff on it, too.

Imperfections

If a disk looks okay, but will only give you "Read Errors," it is probably physically damaged on a microscopic level. It may have little holes or dents in it, imperfections that are too small for the naked eye to see. You can push past bad spots on a disk by manually rotating the disk inside. If the damage is limited to a small area of the disk, it may be that the damaged segment is the part the drive tries to read first. If you manually rotate the disk a little to the left or right, the new section of disk which you reveal may not have that damage and may therefore be readable. Keep rotating the disk, a little at a time, until you've found a spot that is readable. If you never find a readable spot, perhaps you've been duped! Maybe the disk is blank, or it isn't suitable for your computer. Or maybe it's

A disk that you find in the trash bin may hold corporate data, proprietary software, maybe even a tutorial or simulation like we discussed earlier. You never knew there was an archaeology side to computer hacking, did you? But that's exactly what all of this is; we are looking into people's lives to see what they think about, to find out what's important to them, and to learn from their experiences. Hacking a damaged disk that you have unearthed from a trash bin will lead you to details you would otherwise never have imagined existed. I highly recommend the exercise for the thrill value, and for the intellectual workout to be gained from this pursuit.

was an archaeology side


computer hacking, did you? But that's exactly
there

what all of this is; we are looking into people's lives


to see what they think about, to find out what's important to them, and to learn from their experiences. Hacking a damaged disk that you have unearthed from a trash bin will lead you to details
you would otherwise never have imagined existed.
I highly recommend the exercise for the thrill value,
and for the intellectual workout to be gained from
this pursuit.

Examining Screenshots
The photographs of computers you see in
books, magazines, system documentation, promo-

together with thin transparent tape.

in

You never knew

it

damage

may be

that

the damaged segment is the part the drive tries to


read first. If you manually rotate the disk a little to
the left or right, the new section of disk which you
reveal may not have that damage and may therefore be readable. Keep rotating the disk, a little at a
time, until you've found a spot that is readable.
If you never find a readable spot, perhaps
you've been duped! Maybe the disk is blank, or it
isn't suitable for your computer. Or maybe it's
single sided and you've inserted it with the wrong
side facing the drive's read/write head.

tional literature

such as posters and pamphlets,

government publications and booklets, as well as


the pictures of computers available on television
documentaries, news shows and commercials

can

all

contain valuable hacking information.

Computer photos might show


(or monitor),

keyboard,

just the screen

or the entire computer, including

CPU and

accessories.

Or

the picture

might depict an actual computer in its natural environment, with perhaps an operator visible.
The first group, essentially "screenshots," can be
helpful in showing you what it looks like to be inside a particular system that you have never really
accessed. This can clue you in on what accessing
style the system uses, if the password is displayed
on-screen as it is typed, username and password
styles,

what features

are available,

and much more,

depending on what the photographs are attempting to illustrate. Similarly, in user manuals and
other instructional aids, drawings of screens are
often found containing the same information, also
default login codes, text specifics, error messages,

and other handy stuff.


Knowing error messages and knowing the layout of the screen will make you a more believable system administrator or low-level user when you attempt some of the social engineering tricks mentioned later in this book, especially if the computer system in question is one that is closed to outsiders. Seeing examples of logins will give you ideas on how to go about a brute force attack. If a user name is shown or illustrated, it may be a valid one. Even if lower down on the screen all you get for password information is a row of asterisks ("password: *******"), it will still help you in determining the length passwords are required to be. If in separate photos taken from separate sources, both passwords are shown being covered by eight asterisks, that is a good indication that either there is a default eight-character password used to demonstrate the system, or that passwords are a maximum length of eight characters. Style of username is important too, and will usually be visible. Seeing examples of usernames lets you know if first and last names are required, if uppercase letters are needed, whether abbreviations or company names or group names are used for usernames.

Photographs that include more than just the screen often show the keyboard being used (look for misplaced or special keys), keyboard overlays, the kind of computer setup, and possibly messages taped to the CPU or monitor. A more generalized shot may show the computer's surroundings. Is it in a closed office, or are many terminal operators working together in close proximity? What books are there on the shelves? You may be able to see things of interest hanging on a wall, or lying around on the desk. A user might be in the picture; is he or she wearing a name tag? Are pictures of a family present, or items suggesting a hobby, such as a mounted baseball or a fishing rod? All available data can be put to use by a hacker.

When I refer to the computing environment, I am, of course, only referring to pictures of computers in their natural environments, as opposed to staged photos in advertisements, like the kind showing a Macintosh in your typical teenager's room. Newspaper and magazine articles are often accompanied by the kind of computer photo you will want to analyze. Seeing these things (signs of family life, books and hobbies, a typical user and what he or she is wearing) gives clues to passwords. The specific kind of computer may suggest ways of breaking in using known bugs or loopholes. The computing environment also will allow the social engineer to pretend familiarity with an otherwise private room or office inside a building.

An additional way computer photographs can help is by looking to the bottom, usually in the caption, to where the source of the photo is listed. The source may give a photographer's name, in which case that photographer may be discreetly pumped for information, or it may give clues as to a relevant city, business or organization. This can help in determining phone numbers, means of access, and also passwords.

These are just some of the ways in which close magnifying glass work will help you find out more about your intended target system. You can see why it is a good idea to videotape as many computer-related TV shows as you can; you can always fast-forward through the boring parts. Freeze framing a specific scene may help give insight into the hidden side of a system and the people who run it.

If you get a lot of static on your television when you freeze a frame, try cleaning the VCR. If that doesn't clear up the problem, it may be that the audio component of the tape is interfering with the video picture. Try taping just the video part of the tape you want to freeze. One way to do this is to connect two VCRs together using just the Video In/Video Out cable, ignoring the audio link. Copy the relevant portion of the tape, and you will have a picture without accompanying sound to muddy the screen. You should only have an audio problem like this if there's a lot of background sound to begin with, like loud narration or loud music going on.

Here's an example of how this kind of photographic detective work pays off:

A hacker named Bellee was watching a behind-the-scenes-at-the-police-station show on her local cable channel. A close-up on a computer screen revealed the last three digits of a phone number that was being dialed by modem. The rest of the number was invisible due to glare on the screen. Bellee knew the police databank being called was headquartered in a specific town in Maryland, because the officer giving the tour had mentioned it. Some of the access codes being typed to get into the databank were easily visible or inferable by all who watched the show, but some weren't. A bit of library research got Bellee the three-digit exchanges that were local to the township the cop had mentioned. Bellee then dialed each of those exchanges until she found the correct phone number. (Because she had the last three digits from the television show, she only had to call each exchange 10 times to fill in the missing digit.) Once she got through, she was able to use the login information she knew (a precinct number, municipality and state were needed) and hack the part she didn't (she knew she needed an eight-letter password from the TV show). So watching television paid off for Bellee.

Even widely syndicated shows can mess up by inadvertently revealing important clues to an observant audience. Anyone who happened to be watching a certain episode of Geraldo Rivera's Now It Can Be Told news show in late 1991 would have seen a story on a group of hackers and how they broke into a military computer. Several times during the course of the story the camera came close to the computer's screen, where the electronic address of the computer they had hacked was visible. The story also reported that the hackers had added an account to the system under the name "dquayle," with no password. As you can imagine, soon after the segment aired the account was closed up. As of this writing there is definitely no "dquayle" account on the system (I just called and checked), and some of the more common ways of gaining access to the system have been noticeably shut down. For example, it is no longer possible to call up anonymously and retrieve files from that system.

Snooping

You can go on tours of a lot of places, either officially or unofficially. A tour might be one that is regularly run for wide-eyed kiddies and their parents, or it may be one specially set up for you because you say you are a journalist who wants to do an article on the company. While taking your tour you will be gleaning valuable information about the computer rooms, and about the person conducting the tour. That's all good information that can be put to use in guessing passwords. If you're suave enough, you can talk a proud computer owner into showing off the power of his machine or the new game he's gotten. This can only help you when you go home that night and hack the place. Just seeing the computers can be a boon, and seeing the screen setup is helpful as I've outlined above.

Now here's a hint I like to make use of, though I get to do so only irregularly. We are all familiar with the phenomenon of phosphorus burnout. That is, when one image is displayed for an extended period of time, the image gets burnt into the screen. Very often menus get burnt into the screen, and so occasionally I've been in places where there is an old terminal that used to be for employees only, but has been moved into a publicly accessible spot. Many of the functions available for staff use only are visible on the screen and can be put to use or hacked. (You might have to fiddle with the brightness controls to see what it all says.) Other times I've snuck a peek at the computer behind the counter, and although an innocuous screen was being displayed at the time, there was worthwhile stuff barely visible, burnt into the screen.

Many businesses, institutes and organizations run what are called special libraries. These generally concern themselves only with the product or service which is the group's field of interest, but also include valuable details on the group itself. For instance, a company library might have manuals in it to the company's unique computer system. Often there is a helpful listing of what programs are available on the mainframes. Such a program listing might include mention of what security products are enabled, and you can write to the maker of those security products for details.

Snooping around buildings undergoing reconstruction can be worthwhile, as can snooping around buildings whose occupants are moving to a new building. In such cases, doors are found wide open, with computers and manuals laying around all over the place. I remember one building I went to that was temporarily vacated due to construction, which had tons of cartons, desks and workstations out in the corridors (they were repainting offices). I found masses of passwords stuck to keyboards by Post-It Notes, and passwords scribbled on desk blotters, and taped to the underside of drawers. It was amazing that people could leave their secrets laying out in the open like that, and yet it happens all the time.

Figure 3: Secret information that must be used every day (such as access codes) is often found hiding on little scraps of paper: (A) on a cork board, (B) attached to the side or top of the monitor, (C) on nearby file cabinets or other furniture, (D) under blotter, (E) under mouse pad, (F) in desk drawer, or (G) underneath the desk.

From snooping around the lounge in a school building, I came up with handy reference manuals, decade-old literature from a defunct computer users group, programmers' guides, and other stuff. This wasn't all necessarily useful for hacking purposes, but it was interesting to read. And it was interesting to rescue it from its dusty box on the top shelf of a closet.

In that same building I found a little room whose door was closed and had four signs attached to it. The first, formal and engraved said, "Computer Room." The rest were menacing, either hand lettered or printed by computer: "Keep this door locked at all times!" "For authorized persons ONLY!" And lastly, another stern reminder, "ALWAYS lock this door when you leave!" Needless to say, the door was unlocked. Inside there was a huge and informative operating system reference manual and two PCs, each of which had modems. From surfing the hard disks on one of those computers, I found that the terminal program was set up with script files[2] that contained phone numbers, passwords and other login procedures. Always look for such things when you snoop.

[2] A "script" is a file that you use with a terminal program. You set up the terminal program so that when you log onto a system, the contents of the script file are sent to that system. So if you have to go through some long and convoluted login procedures, you can put the commands into a script and have the computer automatically log in for you. This is handy, both for legitimate users, and for hackers who happen to gain access to those script files.

Snooping can bring you those tutorial and simulation disks, as well as damaged disks, trash and insider literature which one can only get from either being employed by a company, or by snooping around. It adds a bit of physical excitement to the usually passive art of hacking, and it gets you away from the eyestrain of computer screens for a while.

It is not always necessary to research before a hack, but it is always helpful. Research in any form doesn't have to be undertaken with a particular hack in mind. Like my random snoopings of the torn-apart building and the university lounge, general explorations can lead to fruitful information. In other words, all hacking doesn't have to be done on computers. There is also such a thing as the person who hacks life joyously.

Chapter Four: Passwords And Access Control

Three dominant classes of access control have developed to protect computer installations. They are:

knowledge-based controls (passwords)
possession-based controls (keys)
controls based on personal characteristics (biometric devices)

The first class of access control is also the most common: knowledge-based. That is, control is limited to those persons who can prove they have knowledge of something secret, usually a password. Discovering that password constitutes a large portion of hacking. Here, then, is everything you need to know about passwords: how they work, how they are stored, and how they are broken.

Possession-based controls have to do with things the user owns, like a physical key or magnetic card. Sometimes there is a metal clip of a peculiar shape that must fit into a hole in the computer before the computer will operate. A "key" could also be an identification badge, or a signed letter from a person of high status in the company, granting permission to access a site.

Biometric devices are those which look at some trait of a potential user and compare it to traits previously recorded, such as fingerprints, signature, or geometry of the hand.

These two forms of computer security may be designed for remote access control, although usually they are implemented at the site where the computers are located to limit access to either the computer room or the computer itself. Thus, descriptions of biometric and physical keys will be further developed in the on-site hacking section of this book.

Passwords

The cheapest and easiest way to protect any kind of computer system is with that old standby: the password. Even computers that under normal circumstances have no need for security features often come equipped with password protection simply because it feels good to use and doesn't cost much in terms of time, effort or storage space to implement. Furthermore, systems which are protected by other means (by magnetic cards or by software alternatives such as encryption) will double or triple the security of their assets through the use of a password system. Thus, on practically all computer setups you are likely to encounter passwords of one form or another.

Passwords are usually thought of as the entrance keys to a computer system, but they are also used for other purposes: to enable write access to drives, as encryption keys, to allow decompression of files, and in other instances where it is important to ensure that it is the legitimate owner or user who is attempting an action.

There are seven main classifications of passwords. They are:

User supplied passwords
System generated random passwords
System generated random passcodes
Half and halves
Pass phrases
Interactive question-and-answer sequences
Predetermined by code-indicating coordinates

If you intend to hack a computer installation you will first have to figure out which of these seven password types are used by that system. The first type is the most common; generally users are asked to think up a personal password for themselves.

System generated random passwords and codes may be of several kinds. The system software may supply a completely random sequence of characters (random to the point of cases, digits, punctuation symbols and length all being determined on the fly), or restraints may be used in the generating procedures, such that each passcode conforms to a prearranged constitution (like "abc-12345-efgh" where letters and numbers are randomly generated). Or, computer-produced passwords may be taken randomly from a list of words or nonsense syllables supplied by the program authors, thus creating passwords like "nahioop" or "car-back-tree".

Half and halves are partially user-supplied, while the rest is composed by some random process. This means that even if a user supplies the easily-guessed password "secret," the computer will tack on some abstruse gibberish at the end, forming a more secure password such as "secret/5rhll".

Pass phrases are good in that they are long and hard to guess, but easily remembered. Phrases may be coherent, such as "we were troubled by that," or they may be nonsensical: "fished up our nose." Pass phrases are used when the manager of a site is particularly security-conscious. Usually you don't see pass phrases required by a system, although the programming required to enforce a pass phrase rule is trivial.

Related to the pass phrase concept is the phrase acronym, which security experts have been applauding as a short but equally safe form of password. In a phrase acronym, the user takes an easily remembered sentence, phrase, line from a song or poem or other such thing, and uses the first letter of each word as the password. For example, the acronyms for the two pass phrases above would be "wwtbt" and "fuon." You can see that innovations in password theory such as this will greatly increase the difficulty hackers will encounter in future electronic espionage.

The sixth password type, question-and-answer sequences, requires the user to supply answers to several (usually personal) questions: "Spouse's maiden name?", "Favorite color?", etc. The computer will have stored the answers to many such questions, and upon login will prompt for the answer to two or three of them. These question/answer sessions can be delicious to the hacker who is intimately familiar with the user whom he or she is attempting to impersonate. Systems which use question-and-answer sequences also tend to be programmed to interrupt users while online every X minutes, and require them to answer a question to reaffirm their validity. This can get pretty annoying, especially if someone's in the middle of an exciting online game when it happens. Q&A is used only rarely nowadays. When it was first proposed it seemed like a good idea, but the bothersome factor has resulted in this method being pretty much phased out.

Passwords which are predetermined by code-indicating coordinates usually rely on some external device, such as the code wheels used to deter software piracy. In any case, a set of key prompts are offered by the computer, and the user is required to return the appropriate responses to them. You'll often see this type of password being used on a system with once-only codes.

Once-only codes are passwords valid for only one access. Sometimes they are used as temporary guest accounts to demonstrate a system to potential clients. Once-only codes may also be employed by the system to allow actual users to log in for the first time; the users will then be expected to change their password from the one provided to a more secure, personal code. In situations where groups of people must log in, but security must be maintained, a list of once-only codes may be provided. Users then extract one code at a time, depending on external factors such as time, date or day. Maybe you can find a list of codes by going through the garbage of a place? The codes won't work anymore, but you'll get a sense of what the system expects from you.
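The stronger classes described above, as an added Python example that is not from the book: a system-generated passcode of the "abc-12345-efgh" constitution, a half-and-half, a phrase acronym, and a once-only code list that refuses a code the second time it is presented (which is why a list fished out of the garbage no longer works). The function names, the exact formats and the use of the secrets module are this example's own assumptions.

```python
"""Added example, not from the book: generators for the stronger password
classes Chapter Four describes, plus a once-only code list.  Names and
formats are this example's own; only the sample values come from the text."""
import re
import secrets
import string

LETTERS = string.ascii_lowercase
ALNUM = string.ascii_lowercase + string.digits


def _draw(alphabet: str, n: int) -> str:
    """n characters from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(n))


# Prearranged constitution modelled on the book's "abc-12345-efgh":
# three letters, five digits, four letters, each part randomly generated.
PASSCODE_RE = re.compile(r"^[a-z]{3}-[0-9]{5}-[a-z]{4}$")


def constrained_passcode() -> str:
    """System-generated passcode conforming to the prearranged constitution."""
    return f"{_draw(LETTERS, 3)}-{_draw(string.digits, 5)}-{_draw(LETTERS, 4)}"


def half_and_half(user_part: str, suffix_len: int = 5) -> str:
    """Half-and-half: the user's own (possibly weak) choice is kept, but the
    system tacks random gibberish on the end, as in "secret" -> "secret/5rhll"."""
    return f"{user_part}/{_draw(ALNUM, suffix_len)}"


def phrase_acronym(phrase: str) -> str:
    """Phrase acronym: first letter of each word of a remembered phrase,
    so "we were troubled by that" becomes "wwtbt"."""
    return "".join(w[0].lower() for w in phrase.split() if w[0].isalpha())


class OnceOnlyCodes:
    """A list of once-only codes: each issued code admits exactly one access.
    redeem() removes the code, so a replayed or discarded code is refused."""

    def __init__(self, length: int = 8) -> None:
        self._length = length
        self._unused = set()

    def issue(self) -> str:
        """Generate a fresh code and remember it as unused."""
        while True:
            code = _draw(ALNUM, self._length)
            if code not in self._unused:
                self._unused.add(code)
                return code

    def redeem(self, code: str) -> bool:
        """True only the first time an issued, still-unused code is presented."""
        if code in self._unused:
            self._unused.remove(code)
            return True
        return False


if __name__ == "__main__":
    print(constrained_passcode())
    print(half_and_half("secret"))
    print(phrase_acronym("we were troubled by that"))
    codes = OnceOnlyCodes()
    first = codes.issue()
    print(codes.redeem(first), codes.redeem(first))  # True, then False
```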

Passwords Supplied By The User

Most passwords are of the choose-it-yourself variety, and due to security awareness most contemporary programs which ask for a password to be supplied will not accept words of a certain short length which the program deems to be too easily "hackable." Most passwords will be more than four or five characters long. Other measures to protect users from their own lack of password creativity might be taken as well. For example, systems may force passwords to contain a mixture of upper and lower case, numbers, and perhaps disallow obvious passwords (such as "computer").

Software is available for most operating systems which looks through the computer's password files, analyzes user passwords and decides how secure they are. Unsecure passwords will be changed, or prevented in the first place. This is one area where your prior research should help you. Generally you will know which of these programs your target has installed, and what passwords the software will not allow.

Regardless of how clumsy-brained or brilliant a person is, all people tend to think alike. It is only through learning that they begin to think in creative ways. Even then, initial assumptions and first conclusions are similar for a given peer group. What this means is that when a person logs onto a computer for the first time, and is prompted for a password (especially if that person is under stress of time or place) that password is likely going to be a variation on some common themes.

Imagine some of the situations people are in when they are asked to create a secret password for themselves. They may be calling a remote computer over a long distance phone line, or surrounded by a group of technicians who are there to teach them to use the system. In any case, the prompt is there on the screen and with it, a sense of urgency is brought to mind. People type the first thing they think of, or the first thing they see, or hear, or are hoping to do once they get past the login procedure. The password is entered quickly, and rarely is it changed to a better, more secure one.

Thus, many passwords relate to top-of-the-mind thoughts, such as job, family, possibly current events, possessions, environment, hobbies or interests. If you can either find out or guess any of these traits of a valid system user, the number of potential passwords you will have to guess will decrease significantly.

Get catalogs from the companies that make wall posters, humorous mugs and other novelty items one finds around offices. How many times have you seen that tired phrase, "You don't have to be crazy to work here... But it helps!"? I guarantee the word "crazy" gets picked off that mug every day as a password. Think about the age and lifestyles of the average user whose account you are attempting to breach. An office in a corporate setting probably wouldn't have a nudie poster hanging up but a college dorm would, and so you may get passwords such as "playmate," "victoria," "body," or "month."

The easiest way to get a password is to enter it yourself for the user, or to supply the password to the user who is logging on for the first time. You might be acting the role of computer tutor to a novice, and while showing him or her the ropes, downplay the security aspects and allow him or her to tell you the password as they type it, either because they spell it out loud, or because you watch the person's eyes light up as his or her gaze falls upon the wall poster with the word "surfboard" written across the top. (Or they say, "Gee, what's a good secret password? Oh, I know..." and proceed to spell it out to you as they hunt and peck at the keyboard.)
Most often you will be hacking away at user accounts that have been long-established. On these you will have to use some kind of either brute force method, observation, social or technical method of password retrieval.

Most passwords are dictionary words, like "subway," "table," "chocolate" or "hotdog." Honestly, can you imagine any computer novice sitting down and entering "fMm6Pe#" as a password? Of course not! Scrabble rules do not apply here: proper names are allowed in password creation, as are misspellings, abbreviations, non-words and foreign terms. Thus a person who likes watching Star Trek may have the password "enterprize" instead of the correct "Enterprise." Whether that's due to bad spelling habits or because he or she simply likes it better that way is unimportant. What is important is that you have to be aware that misspelled words exist in passwordland. You are going to find the letter "k" used in place of hard "c," as in "koka kola." You will find "x" for "ks" (thanx), and other phonetic substitutions, like "lether," "fone" and "stryker."

Some hackers will go through every word in the English language until they find something that works as a password. If the password they seek is a real word, but isn't spelled correctly, they are going to be wasting vast amounts of time. Complete brute force dictionary attacks are often fruitless, useless, adolescent ways of doing things.

Many words recur frequently as passwords, and examples are given in the appendices. However, there are many words that you would almost never expect to find as a password on a system. Is it reasonable to suspect a person will enter an adverb for a password? Words of this sort would be the last ones to try. Real-word passwords will generally be nouns ("eyeball," "drums," "kitchen"), verbs (usually obscene ones), and perhaps adjectives ("purple," "great," "happy").

Girl friends, boy friends, and the cute pet names they give each other are popular passwords; these you would have found out from prior research. Also semi-popular are passwords with the word "sure" embedded inside them, as in "forsure" or "fursure," "surething" or "asb" (short for "a sure bet").

Besides dictionary words, you can expect to find names of relations, streets, pets, sports teams and foods; important dates and ID numbers, such as social security numbers, anniversaries, or birthdays; and keyboard patterns. Examples of keyboard patterns include "7u7u7u," "jkjkjkjk," "0987654321," "ccccccc," "WXYZ," "asdfgh" or "qazwsx." Look at the location of these letters on a keyboard if you are confused about these last two examples. Keyboard patterns will usually be simple repetitions of characters, portions of columns or rows or every-other-letter designs. Keyboard patterns may be wholly unguessable and yet fully logical when you know what's going on at the other end of the phone line. For example, "05AF" may seem a funny thing to pick up from a keyboard, but when you know the computer in question has a special hexadecimal keypad attached, the whole thing starts to make sense.

Figure 4: A hexadecimal keypad, used by some computer programmers to allow fast entry of numbers in base 16. The keypad illustrates a principle smart hackers will follow: That what you see on your side may be different from what they see on theirs.

Some keyboard patterns I've actually seen being used on systems: "abcdef," "qwerty," "12345," "xxxxxx," "opopopopp." If you know the minimum password length is six characters, don't expect patterned passwords to go much beyond that minimum. On the other hand, you can't reasonably try out every possible pattern: there's an infinite number. Beyond a certain point, guessing keyboard patterns is strictly reserved for amateur hour.
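An added example, not the book's or any vendor's code, of the proactive checking software the "Passwords Supplied By The User" section mentions, applied to the weak classes this chapter lists: short and dictionary words, phonetic respellings such as "fone" and "enterprize", keyboard patterns such as "qazwsx" and "0987654321", repetitions such as "7u7u7u", and personal data the kind of research described here would turn up. The word list, the profile values, the canonicalisation rules and the six-character minimum are constructed assumptions.

```python
"""Added example, not from the book: a proactive password checker built
around the weak classes Chapter Four lists.  The word list, profile data
and reason strings are constructed for this example."""

MIN_LENGTH = 6  # the chapter's example minimum of six characters

# Constructed stand-in for a real word list; a deployment would load a full
# dictionary plus common-password lists such as the book's appendices.
DICTIONARY = {
    "subway", "table", "chocolate", "hotdog", "computer", "secret", "crazy",
    "surfboard", "enterprise", "leather", "phone", "striker", "thanks",
    "coca cola", "eyeball", "drums", "kitchen", "purple", "great", "happy",
}

# Phonetic respellings the chapter warns about ("koka kola", "thanx", "fone",
# "lether", "stryker", "enterprize"): reduce both the candidate and the
# dictionary to one spelling so the misspelled form still collides with the
# real word.  Order matters: "ck" must collapse before the bare "c" rule.
_CANON_RULES = [("ph", "f"), ("ck", "k"), ("c", "k"), ("x", "ks"),
                ("ea", "e"), ("y", "i"), ("z", "s")]


def canonical(word: str) -> str:
    """Collapse a word to its phonetic canonical spelling (lower case)."""
    w = word.lower()
    for old, new in _CANON_RULES:
        w = w.replace(old, new)
    return w


CANON_DICT = {canonical(w): w for w in DICTIONARY}

# Keyboard "lines" a pattern can be read off: the rows, the columns read top
# to bottom and left to right (so "qazwsx" is a substring), the alphabet,
# and each of those reversed (catching "0987654321").
_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
_COLUMNS = "qaz" "wsx" "edc" "rfv" "tgb" "yhn" "ujm" "ik" "ol" "p"
_LINES = _ROWS + [_COLUMNS, "abcdefghijklmnopqrstuvwxyz"]
_LINES += [line[::-1] for line in _LINES]


def is_keyboard_pattern(pw: str) -> bool:
    """True when the whole password is a run along one keyboard line."""
    p = pw.lower()
    return len(p) >= 4 and any(p in line for line in _LINES)


def is_repetition(pw: str) -> bool:
    """"ccccccc", "7u7u7u", "jkjkjkjk", "opopopopp": at most two distinct
    characters, or a 1-3 character unit repeated to fill the password."""
    p = pw.lower()
    if len(set(p)) <= 2:
        return True
    for unit_len in (1, 2, 3):
        unit = p[:unit_len]
        if len(p) >= 2 * unit_len and (unit * len(p))[:len(p)] == p:
            return True
    return False


def check_password(pw: str, profile=()) -> list:
    """Return the reasons a password would be refused; an empty list means
    it passed.  `profile` holds strings known about the user (pets, teams,
    family names) that must not appear inside the password."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than the {MIN_LENGTH}-character minimum")
    word = CANON_DICT.get(canonical(pw))
    if word is not None:
        reasons.append(f"dictionary word '{word}' (possibly respelled)")
    if is_keyboard_pattern(pw):
        reasons.append("keyboard pattern")
    if is_repetition(pw):
        reasons.append("repetition of a few characters")
    for item in profile:
        if len(item) >= 3 and item.lower() in pw.lower():
            reasons.append(f"contains personal data '{item}'")
    return reasons


if __name__ == "__main__":
    # Constructed profile: a pet, a team and a snack, the sort of detail the
    # chapter says a researcher would try first.
    profile = ("Fluffy", "Eagles", "pretzel")
    for candidate in ("enterprize", "koka kola", "qazwsx", "7u7u7u",
                      "Fluffy99", "fMm6Pe#"):
        print(candidate, "->", check_password(candidate, profile) or "accepted")
```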

Possible Password Investigation

One of the sources I used to research this book was an unofficial manual for a popular fee-based information service. Throughout that book, the author continuously made references to her pet cat, her love of Philadelphia soft pretzels, her favorite football team, her husband and children, and her interest in computers. Not only did references to these aspects of her life abound in the text, they also appeared in illustrations of the service's "Find" command, sample messages and sample letters. I knew the author's name, of course. I knew she had a membership on this system, and I knew about her life. It was insanely simple to get her personal ID number on the system and, yes, within about two dozen password guesses, to access the service under her account. She has since taken my advice and changed her password.

This isn't an isolated example! Every day you and I read newspaper articles, magazine columns, and books in which the authors give away their computer addresses so readers can respond. Yesterday I heard a radio talk show host give out his CompuServe address for the large listening audience who didn't get the chance to speak out on the air! We know enough about many of these authors and others to be able to make educated guesses of their passwords. Even if an author doesn't mention personal details in the book, there's usually an "About the Author" section to turn to for facts. Many computer books are written by college professors; naturally you'll know what college they're at, and so you have a lead to an account. If the sample program segments they list entail baseball trivia, you've got a good idea where to begin a brute force siege.

With all of this said, I want you to realize this is for informational purposes only. I made the above remarks only to point out some of the lax security around anyone in the public eye. Don't get any funny ideas about breaking my passwords!

Another trick is to look in Who's Who books. Almost all industries have a yearly Who's Who published. Many of these are vanity affairs: people pay to get a write-up about themselves listed. You can get good data from these, and if you can't get enough good data, print up your own official-looking Who's Who form and mail it to the person you have in mind at the company. Make sure the accompanying letter states that once they fill out the form, their entry will be included free of charge in the eventual book, and they will receive one copy of the book, free. This will help ensure that they mail you back the form. It also ensures you get good data to help you crack their passwords.
One more helpful subterfuge, this one involving socializing with cronies at the company. Call up an office and talk to a receptionist or anyone who knows everyone's gossip. Say you're from a new trade magazine specializing in that business's field of endeavor. Ask for the names of all the major department heads, and their secretaries, so you can send them a free trial subscription. Then call back and talk to each of their secretaries. Have them fill out "market research" cards, again for some prize, like a free subscription or a clock radio or something. Typical marketing questions for trade magazine subscribers include inquiries about schooling, degrees held, industry awards, trade association memberships, military service, salary range, and length of service at the company. As the conversation continues, start asking about hobbies and outside interests, favorite sports, names of kids and spouse, and home address. These too are acceptable questions for a market research surveyor to ask; they are also valuable possible password leads.

The short version of this is to call up, say you're one of the assistant editors for a trade magazine, and you're trying to find interesting people in the field. "Do you know of anyone there who has done anything at all spectacular, or has any particularly unusual hobbies?" You might get a "no," but keep pressing: "Anyone with special talent? Musical talent, for instance?" Keep going like this; eventually you'll hit upon something, and you can use the above tricks to find out more about that person than you ever thought you could.
Uncovering a subject's interests is called making up a personality profile or, for hackers, a password profile. The technique is done whenever the hacker has a specific individual in mind, whose computers the hacker wants to crack. If you wanted to read the e-mail and other private files of some head honcho at a corporation, you would go find reports of said honcho in the media, see what he or she likes, and go from there. One popular stratagem, mentioned by Hugo Cornwall in his Hacker's Handbook, recognizes the fact that often a chief person in an organization is given an account to demonstrate the new computer system, under the assumption that setting up a new account is too difficult or time consuming for the busy leader to do on his or her own. This account will of course have a natural English password, something of either the easily-guessed variety, or something from the boss's list of interests. ("Say, Mr. Larsen likes fishing, doesn't he? Put in 'FISH' as the password!")

So let's suppose you know a person's hobbies or interests: From there, how do you proceed?

To start, you could go to a library and get all the books you can on that subject. Then make up word banks from the glossaries and indices. People like to use big and (they think) obscure names/words from their coveted subject which they think no one else would ever think of. So you get students of literature using names like "Euripides," "Aeschylus," and in general, a mess of lengthy technical terms for passwords.

Make up word lists, try them out, and if all else fails, you can go on to a new password type. Just because someone's a doctor doesn't mean his password will be "pericardiocentesis." People's lives are composed of many subjects, their occupation being just one.

The point being this: That hackers can simply sit down and guess passwords is FACT not FICTION. It can be done, and sometimes quite easily. Another example of the ease with which passwords can be hacked is the Internet worm which squirmed through the net, disabling much of it, in 1988. The worm had two tactics it used to spread itself, one of which was attempting to crack user passwords. It would first try inputting the typical passwords, like login name, a user's first and/or last names, and other variations of these. If that didn't work, the worm had an internal dictionary of 432 common passwords to try. Finally, both of these methods failing, the worm went to the UNIX system dictionary, attempting each word in turn, until something hopefully worked. As we know, the worm's method worked superbly.

By the way, if you're ever on a UNIX system and need to do a brute force attack to gain higher access, the system dictionary is very helpful. You can find it in a subdirectory called "/usr/dict." The file is called "words." You can also download this file or capture it to another computer, if you need a plaintext dictionary file for use on other machines.¹

¹ One problem with using the UNIX dictionary "straight from the box" is that the words it contains do not genuinely reflect words in common English usage. There is a high preponderance of scientific words, due to the manner in which the dictionary was constructed.
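The defensive mirror of the password profile and of the worm's first two passes, as an added example that is not code from the book: the acceptance check a system could run when a user picks a password, rejecting anything that is a dictionary or interest-list word, a variation of the account or real name, or a keyboard pattern, after undoing the disguises discussed in this chapter (mixed case, a digit slapped on either end or in the middle, 0 for O and 1 for l). The word list, the sample user `halbfish` / `Hal B. Fish` and the policy flags are constructed for illustration.

```python
import re

# Constructed stand-in for the system dictionary plus a hobby "word bank"
# of the kind a password profile would produce; a real check loads a file.
COMMON_WORDS = frozenset({
    "password", "secret", "fish", "popeye", "oliveoyl", "computer", "cool",
    "lemon", "colts", "eagles", "pretzel", "euripides", "aeschylus",
})

# Undo the digit-for-letter swaps the chapter describes (0 for O, 1 for l).
UNDO_DIGITS = str.maketrans({"0": "o", "1": "l"})


def candidates(password: str) -> set[str]:
    """Every 'core' word a guesser could have started from: lower-cased, with a
    one- or two-digit affix stripped (password#, #password), with all digits
    removed (pass#word), and with 0/1 read back as letters."""
    low = password.lower()
    cores = {
        low,
        re.sub(r"^\d{1,2}", "", low),
        re.sub(r"\d{1,2}$", "", low),
        re.sub(r"\d", "", low),
    }
    cores |= {c.translate(UNDO_DIGITS) for c in cores}
    return {c for c in cores if c}


def name_variants(username: str, real_name: str) -> set[str]:
    """What the 1988 worm tried first: the login name, the user's names, and
    simple variations (reversed, doubled, initials)."""
    words = [username.lower()] + real_name.lower().split()
    out: set[str] = set()
    for w in words:
        out |= {w, w[::-1], w + w}
    out.add("".join(w[0] for w in real_name.lower().split()))
    return {w for w in out if w}


def is_keyboard_pattern(core: str) -> bool:
    """'xxxxxx', 'opopopopp': one or two symbols repeated."""
    return len(core) >= 4 and len(set(core)) <= 2


def check_password(password: str, username: str, real_name: str,
                   wordlist: frozenset = COMMON_WORDS, min_len: int = 6,
                   mixed_case: bool = False, need_digit: bool = False,
                   need_symbol: bool = False) -> tuple[bool, str]:
    """Return (accepted, reason): the composition constraints listed in the
    chapter first, then the guessability tests. Constraints alone are not
    enough: 'PopEYE' satisfies a mixed-case rule and still falls."""
    if len(password) < min_len:
        return False, "shorter than %d characters" % min_len
    if mixed_case and not (any(c.islower() for c in password)
                           and any(c.isupper() for c in password)):
        return False, "needs upper and lower case"
    if need_digit and not any(c.isdigit() for c in password):
        return False, "needs a digit"
    if need_symbol and not any(not c.isalnum() for c in password):
        return False, "needs a non-alphanumeric symbol"
    names = name_variants(username, real_name)
    for core in sorted(candidates(password)):  # sorted: deterministic reason
        if core in wordlist:
            return False, "dictionary word %r" % core
        if core in names:
            return False, "derived from account or real name"
        if is_keyboard_pattern(core):
            return False, "keyboard pattern"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["PopEYE", "c0mputer1", "pass1word", "eagles88", "xxxxxx",
               "halbfish", "OliveOyl", "rueavz"]:
        print("%-10s -> %s" % (pw, check_password(pw, "halbfish", "Hal B. Fish")))
```

Note that "rueavz" is accepted: a policy check cannot see that a password was derived deterministically from the username, which is the point of the generator discussion later in this chapter.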

Chapter Four: Passwords And Access Control

Password Restraints

Most operating systems weren't developed with security as top priority. Indeed, password-based accounts should be all the security required on a time sharing system. As we have seen, however, too frequently passwords are chosen that are easy to guess.

Password Studies

If you think all of this talk about easily guessed passwords is balderdash, think again. A good number of formal and informal studies have been done to see just how good people are at picking safe passwords. One such experiment found that out of 3,289 passwords:

15 were a single ASCII character,
72 were two characters,
464 were three characters,
477 were four characters long,
706 were five letters, all of the same case, and
605 were six letters, all lower case.

The UNIX operating system does restrain password selection by suggesting that passwords contain no less than five lower case characters, or only four characters if at least one of those is nonalphabetic or uppercase. However, if a user insists on a shorter password, disregarding the plea that security be maintained, that shorter password will be allowed.

Sysops know that most passwords aren't secure, so many have installed programs which disallow obvious passwords from being generated. Passwords are then forced to conform to certain characteristics, such as:

Passwords must be of a certain length.
Passwords must include a mixture of upper and lower cases.
Passwords must include one or more numerals.
Passwords must include a non-alphanumeric symbol.

One or more of these constraints might be enforced. The program may also test the user's password against a list of known "bad" passwords, which are not allowed to be used.

Not allowing single-case passwords or strictly alphabetical passwords does add some difficulty to a guess-attack, but not much. One time I had someone in mind who I felt certain had "popeye" for a password, due to his large collection of classic comic books and the big deal he always made about Popeye. The system software required a mixture of cases (which helpfully informs you, by the way, that upper and lower case are distinguished by the system), so instead of just trying "popeye", I tried:

PoPeYe
Popeye
PopEye
PopeyE
popeyE
popEyE
PoPeye
popEYE
PopEYE

and also tried each of these with cases reversed, such that PopeyE became pOPEYe (in case the user thought of capital letters as normal for computer keyboards, and lower case the exception). It was highly unlikely that this particular Popeye lover would try anything so bizarre as capitalizing in the middle of a syllable, or without some pattern to it. Indeed, when forced to capitalize, who in their right mind would? As it turned out, his password was "OliveOyl."

If not capital letters, numbers might be forced into one's password upon first login. Again, you can hardly expect Joe User to break up syllables with a number, and the numbers that are used you should expect to be not more than one or two digits. After all, the user thinks of it as a password. The number will generally be slapped on as a necessary afterthought. Thus, what you will normally find are passwords in the following forms:

password#
pass#word
#password

Numbers will be those which are easy to remember, or easy to type, like 1 or 0. Numbers from one through 31 should be most common, along with numbers either repeating, ending in zero or nine, such as "888," "500" or "1999." It is reasonable to expect typists to use the numeral "1" substituted in for the letter "l" (lowercase "L"), in passwords which contain that letter. Cyberspace devotees might do likewise, as well as using zero for their required number, putting it in place of the letter "O." This means that if you ever suspect a word that contains the letters "L" or "O," instead of finding something like "cool," "computer," "lemon," "colts," or "lucifer," you may find "c00l," "c0mputer," "lem0n," "c0lts," and "luc1fer," where the digits 1 and 0 have replaced the appropriate letters. (Actually, "c00l" is usually spelled "k00l.")

Computer Generated Passwords:
Fakery and Analysis of Machine-Generated Passwords

Many passwords that the computer generates on its own will have some flavor of randomness to them. For instance, look at this bit of imaginary program segment:

5   Randomize Timer
100 For i = 1 to 6
110 Char = Int(Rnd*91)
120 If Char < 65 Then Goto 110
130 Password = Password + Chr$(Char)
140 Next i
200 Print "Your new password is: "; Password

Here, six uppercase letters are selected independently and concatenated to form the password. The way the letters are selected is that a random number between 65 and 90 is chosen; this correlates with the ASCII code for the letters of the uppercase alphabet. The randomness of the numbers chosen is based upon the randomizer function being used. In this case, pseudo-random numbers are generated based upon the exact time of the computer's internal clock, although randomization could also have been based on a practically infinite, hardware-dependent range of inputs. I said "pseudo" random numbers because no matter how random these numbers may appear to us, to the computer they are just values plugged into a formula.

If the password-making program could be altered in the right way, then all randomly-generated passwords after the time of alteration may be yours for the taking (or deducing). If you have the ability to change the program and save the changes to disk, or the ability to reroute the password-making subroutine, then here are some further items to consider.

The easiest thing to do would be to change the program by getting rid of the randomization factor entirely and simply inserting a "Let Passwords = "EVBDCL8"" statement. Then every new user would be given the same seemingly random password. The problem is this is not going to go unnoticed by the system administrators (although you might be able to restore the original program before your change is noticed). The more logical choice is to have the program generate a random-looking password based on some information about the user that you can easily determine from publicly available sources, such as the user's birth date or Social Security number. Then you can simply plug that piece of information into your copy of the code on your home computer and reproduce the new user's password. One encoding algorithm that works well is to take the sine of the ASCII value of the first six or eight characters of the user's name, then take the second-to-last two values of the sine, convert them to fall within a suitable range, then concatenate the corresponding ASCII characters to form a "word." Thus you have a random-seeming password that can be easily constructed, even by hand. If the username is less than six characters, the remainder could be filled in by a predetermined set. (See Figure 5.)

Figure 5

Username Inputted: halbfish

Username   ASCII   Sine of      Selected   Convert to
letter     code    ASCII        Values     New Range
h          104     0.9702957    95         114
a           97     0.9925461    46         117
l          108     0.9510565    56         101
b           98     0.990268     26          97
f          102     0.9781476    47         118
i          105     0.9659258    25         122
s          115     0.9063077    07         104
h          104     0.9702957    95         114

If Selected Value < 26 Then ASCII = Selected + 97
else If Selected Value < 52 Then ASCII = Selected + 71
else If Selected Value < 78 Then ASCII = Selected + 45
else ASCII = Selected + 19

Resulting password: rueavzhr
Cut to six characters: rueavz

A sample username is encoded into an obscure password using the method outlined in the text. On inspection the password seems random and secure, but a hacker can determine a user's password using publicly available information about that user (in this case, the user's last name).

This is just a simple example; your password would have to comply with case mingling, length, or digit sprinkling requirements where appropriate. Forcing a password in this way can help if you run an electronic messaging or bulletin board system: users may get so comfortable with their new, secure passwords (wouldn't you think "rueavz" was secure?) that they transfer them over to other accounts elsewhere.

Another possibility, again requiring the ability to covertly change the password generator, is to alter the randomizer's seed to a constant value, thus causing the program to produce the same series of random numbers each time it is run (as long as the computer stays on and the program is not reset). This is risky though, and unwanted side effects may result.

One method utilizing the flaws in pseudo-random number generators was actually accomplished, and reported on by UNIX co-creator Dennis M. Ritchie in a 1986 security bulletin entitled "On the Security of UNIX." To increase security at a computer installation, the administrators decided to provide safe, computer generated passwords. Each password would be a string of lower case letters and digits, eight characters long. This calculates to 2,821,109,900,000 combinations which, according to Ritchie, on a PDP-11/70 would take 112 years to brute force through all those combinations. But it wasn't all that interesting after all. The hacker knew that the random number generator could only take 32,768 seeds, and so only that many possible outcomes needed to be looked at. "The bad guy did, in fact, generate and test each of these strings and found every one of the system-generated passwords using a total of only about one minute of machine time." [Emphasis added.]

Clearly, sixty seconds plus some programming time is worth spending to have access to every account on a system!

If you can't insert code to generate machine-made passwords, you might be able to analyze them after they've been produced. This requires having access to a minimum of one password, preferably two or more, from a given system. If you have a legitimate account, there's your first password. If it's a local BBS you're hacking, or some other sort of system where multiple anonymous logons are possible, try calling back a few more times and collect new passwords under different names. Or get ahold of the BBS software or the password-generating routine, and work that to collect various passwords.

Once I was going through some new BBSs that had started up and I came across an ad for a system that was a couple states over but still seemed worth a try. I called up, logged in as a new user, and found it was run by a factory supervisor mainly to let site agents order inventory stock. I used the made-up name and address Roger Eichner, 13 Stem Court, North Coast, WA 64203 to log on. The password that was generated was "roghner24." I was astounded! Obviously the program had simply taken the first three letters of my first name, the last four letters from my last name, and stuck a number at the end! Or had it? I called back a second time, logging in as a new user with a different name. This time there seemed to be no correlation at all with any of the personal information I had given. Now I was not only astounded, but confused as well! Had the first password been simply a fluke? Was the second a fluke? Was it programmed to only sometimes use parts of the username? I called back a third time and again logged on as a new user. Again the password was unrelated to anything I had entered. Now I was pretty positive the first password had just been an unbelievable coincidence. I wrote a message to the system operator, saying he could delete these three new users of his (I supplied their personal info so he would not think I was playing a joke) and I didn't call back until a few weeks later.

Even though my second two passwords were unrelated to both each other and my personal data, I thought that perhaps I had missed something that first encounter, since some of the characters were repeated from one password to the next. Could these characters refer to my baud rate or computer type, or some other parameter that had stayed the same from one login to the next? Or was it possible that what was random about the passwords was which pieces of data it selected to insert into the password? This would account for my name in the first case, and one of the items (which I didn't recognize as relating to me) being repeated in the third call password.

Logging on with the same name, address, terminal characteristics and everything else as I had originally done, I received, to my disappointment, not a computer-generated password but the following astonishing message:

    Dear Member:

    Sorry about having to go through this again but we've had a problem the last few days. I will have to ask that you be patient with the low access level you will receive until I get a chance to validate you. Please note, when asked to supply a password do not give the one you were previously assigned. Make up a new and totally unconnected password.

    See General Posting #1 for explanation.

    StRaPmAsTeR === wIlLiE ===> (sysop)

    Input Password ==>?

General Posting #1 said that a certain (relatively new) user of the BBS, whose handle was Mr. Joke, had kicked into action a "feature" of the BBS software that produced less-than-secure passwords. The previous year the system had "crashed, apparently as a result of a rogue program that was uploaded to file section by Mr. Joke." No further details were given on the cause or nature of the crash, because apparently regular callers of the system already knew the story.

Anyway, you can see how it's possible to occasionally get some good information by analyzing "random" passwords. Even if there doesn't seem to be any discernible pattern, that doesn't mean there isn't one hidden somewhere. There might be some subtlety to the pattern or, if not a pattern, a bug or strangeness that you might be able to spot. For example, in the first version of one BBS program (a program that was so godawful the board folded after about a month) the random password generator would never produce a password with the letter A or the digit in it. Knowing this does help a little: for a seven character password of the form WXYZ123, where WXYZ are letters of one case and 123 are numbers, there are only 284,765,630 possible combinations of letters and numbers, instead of 456,976,000, a difference of 172,210,370 passwords! This software was riddled with bugs, many of which have become famous as the worst blunders in the history of horrible programming.

Non-Random Machine-Generated Passwords

Finally, let's consider randomless machine-made passwords. Often users are entered into a computer system before their first logon. Then, unless the sysops can relay information to users off-line, the password must temporarily be something that the user already knows, such as their Social Security number (SSN), date of birth, or other personal data. Users are supposed to change this easy-to-guess password to a more secure one, but unless they're specifically shown how or required to do so, it is unlikely they will follow through.
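As an added example (not code from the book or from Ritchie's bulletin), the arithmetic behind the counts quoted above and a constructed toy generator with a 15-bit seed: the alphabet can be 36 symbols and the length eight, but a generator can never emit more distinct passwords than it has seeds, so enumerating every password it could ever produce takes moments. The LCG constants, the seed width and the use of Python's `secrets` module for the contrast are assumptions of this example, not details from the incident.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, as in Ritchie's account


def nominal_keyspace(alphabet_size: int, length: int) -> int:
    """Passwords possible if every position were chosen freely."""
    return alphabet_size ** length


def pattern_keyspace(letter_choices: int, letter_count: int,
                     digit_choices: int, digit_count: int) -> int:
    """Passwords of the WXYZ123 form; pass 25 and 9 to model a generator
    that can never emit one particular letter and one particular digit."""
    return letter_choices ** letter_count * digit_choices ** digit_count


SEED_BITS = 15  # constructed: a generator whose seed register holds 2**15 values


def weak_generate(seed: int, length: int = 8) -> str:
    """Toy generator. Everything after the seed is a fixed formula, so two
    calls with the same seed give the same password (constants illustrative)."""
    state = seed & ((1 << SEED_BITS) - 1)  # only 15 bits of the seed survive
    chars = []
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0x7FFFFFFF  # 31-bit LCG step
        chars.append(ALPHABET[(state >> 16) % len(ALPHABET)])
    return "".join(chars)


def enumerate_weak(length: int = 8) -> set[str]:
    """Every password weak_generate() can ever produce: one per seed value."""
    return {weak_generate(s, length) for s in range(1 << SEED_BITS)}


def coverage_ratio(length: int = 8) -> float:
    """Fraction of the nominal keyspace the weak generator can actually reach."""
    return len(enumerate_weak(length)) / nominal_keyspace(len(ALPHABET), length)


def strong_generate(length: int = 8) -> str:
    """What the administrators needed: each symbol drawn from the OS CSPRNG,
    so the reachable set really is the whole nominal keyspace."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print("nominal 36^8:", nominal_keyspace(36, 8))
    print("WXYZ123 full:", pattern_keyspace(26, 4, 10, 3),
          "minus one letter and one digit:", pattern_keyspace(25, 4, 9, 3))
    reachable = enumerate_weak()
    print("weak generator reaches only", len(reachable), "distinct passwords")
    print("coverage of nominal keyspace: %.2e" % coverage_ratio())
    print("strong sample:", strong_generate())
```

The chapter's 2,821,109,900,000 and 284,765,630 are rounded figures; the exact products are 2,821,109,907,456 and 284,765,625.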


Here's a non-computer example which demonstrates this weakness. In April of 1992, students at a New Jersey university received a memo, informing them of new over-the-telephone class registration procedures. The memo stated that the Personal Access Code (PAC) assigned to authenticate one's registration was the first four digits of one's birthdate (month and day), entered in conjunction with one's nine digit student ID number (essentially, one's social security number). What got me was that first of all, they told students that their top secret PAC was their birth date. This violates all the security precautions they're trying to maintain. After all, how difficult is it to find out someone's birthday? But the PAC is only half of the "password"; the other part is a student ID. Again, it's a piece of cake to find out someone's ID. IDs are publicly or semi-publicly available at the student health centers, on computer room sign-up sheets, on identification cards, class rosters, housing lists and elsewhere! The memo does say that those concerned with security can come into the registrar's office to change their PAC, but who's going to go out of their way to do that? Anyway, changing just those four numbers doesn't do much to stymie the determined hacker. Following a change of PAC there are 10,000 minus one possibilities to try. This is as opposed to the mere 366 possible PACs before that security-aware person changed his or her number. Sure, ten thousand is a lot of numbers to try, but it's certainly not impossible. A touch-tone auto-dialer can phone through all of those in about seven minutes, given unlimited PAC-entry retries per phone call.

In any case, I'm using this story to illustrate the principle of least resistance: Users are not going to go out of their way to change access codes if they don't have to. And even if they do, it doesn't matter much. After all, we are hackers.

Let's move back to our discussion of non-random passwords which are generated by computer; or rather, passwords decided upon by the programmer or administrator and selected from data files by the computer. Computers will select passwords any time a large number of passwords must be assigned at once. During the first week of a college semester, thousands of new accounts must be created for students enrolled in computer classes. For the most part, these accounts are going to be set up with username equal to some truncation or bastardized form of one's real name, and the password will be either one's Social Security number (SSN) or student ID number. So if you want to hack a college system, start early in the semester before those passwords get changed by the user to something more secure. Social Security numbers may be easily hacked by brute force, especially when you know how they are distributed. Several court battles have ruled that use of one's Social Security number in conjunction with one's name in a public environment is unconstitutional, as it is an invasion of personal privacy. Therefore, we may see a trend starting, with SSNs getting used less and less for identification purposes, and an organization-defined ID number being used in its place. If that's the case, you will have to rely more on brute force to access the array of ID numbers assigned to a person.

Pre-usage passwords won't always be Social Security numbers or other ID numbers. If some non-computer communication is possible between the sysadmin and the user, other words may be assigned as temporary passwords (to be changed when the user logs on). There might be a generic "new user" password which is given to all accounts, which shouldn't be very hard to crack. Or the password might be something very obscure and security-conscious, like some long string of random characters. It may be necessary to intercept the new user's physical mailbox for that envelope which contains the assigned password.

Social Security (or other ID numbers) may also be obtained through social means (see the chapter on Social Engineering) or by other forms of chicanery. I've sat in on college classes where the instructor hands around a sheet of paper, on which the students are asked to write their name and ID number. This sheet is then handed to the teaching assistant, who enters this information as accounts into the computer system. If you happen to find some classes that operate like this, make sure you sit in the back of the class, where nobody will notice you copying other people's private data. A hand-held scanner/copier makes life easier at times like these. You can also get names and SSNs from attendance sheets, or class rosters, which usually list both pieces of information for every individual in the class. If the professor doesn't make the roster available for student perusal, make up some excuse to swipe a look at it. For instance, say the registrar had your name incorrectly spelled on your last transcript, and you want to make sure they've corrected the problem. Professors will love any excuse that points out slip-ups in the bureaucracy of the school system. Use their mindset against them!

Programs Are People Too


Sometimes computer systems are set up with
programs that have usernames and passwords, just
like any other user of the system. Thus if you login
as that program, the program is executed. Programs might be a tutorial on how to use the network, information system, database, messaging
system or just about any sort of application program. Some sites also have accounts whose username is that of an elementary command, such as
"time," "date" or "who" (which tells you who is
logged on). This allows people to carry out certain
quickie functions without having to go through the
hassle of logging on to the machine. Often these
command accounts don't have passwords
associated with them, which is ironic since many
are given superuser access permissions.
It's possible that you may get in to one of these
program-users with a name/password combination chosen from words such as these:

is

what drives them

demo

help

time, but not

info

tutorial

tut

menu

data

intro

anonymous
welcome

base
database

and error, and


programs to hurl one password

visit

Brute force

hello

the password, for example. Other possibilities

are trying to get in with

usernames "calendar,"

"sched," "schedule,"

"whois," "ftp," "who,"

"cal,"

common command

names.
have a general-usage or
even public information system set up. Access may
"lpq," "archie,"

Many

or other

installations will

be gotten by logging in as "info," as suggested


above, but other variations are possible. The

Wakka Doo

fictional

University

may

require

in as "wdu," "wduinfo," "hellowdu,"


"wdunews," "wdumail," "welcomewdu," or some

logging

on the University's initials.


you do manage to get in this way, first

If

hack

of

all

be congratulated for a very successful


but then what? If you are interested in

to

That time

it

is

must be

hackers will resort to using

it

restrictions.

Brute Force Methods

do, but

it

is

it.

labor for your com-

It isn't

time consuming.

too difficult to

What

brute force

one password afmaybe


something
ter another until finally
hopefully works. Or just until you give up and
move on to a better method.
Brute force methods are usually the first and
methods

last

entail is the inputting of

thing a hacker does

when trying to break into a

system. The first time he does it, it's a half-hearted


attempt. If he can guess the password right away,
or after the first seventy-five or hundred attempts
or so, then that's fine. After that fails it's on to
trying out other angles for a while. If none of those
more sophisticated ways work, then it's back to

brute force for the big finish.

Brute force, after

"must"

is

all,

must work eventually. The

what draws hackers

to

it;

way

to fly, but

at

one time or an-

You may find yourself in a situation where you


know nothing about the people who use a particuwhere common names and passwords
and where no trick seems to work. In
these cases, you will have to try the most brutal of
all brute force approaches: you will have to write a
little program that will repeatedly dial the computer system, enter a new name/password combination, and keep repeating this until something
lar system;

have

failed;

works.

Some hackers use a dictionary file they get from


word processing programs or off a bulletin
board. This is a good idea, but only if you use it
their

common names,

puter and,

another at the

other.

properly. Edit the dictionary

usually, lots of

after

effective, eventually all

program entirely, you could have a lot of difficulty ahead of you. An upcoming section will offer
suggestions for getting beyond limited access
the

means manual

spent in

in writing special

the least graceful

eventually

gaining higher access levels or in escaping out of

Brute force

is

This could take forever.

other variation

you are

else.

system.

or "visitor" might be the username, and

"Visit"

much

research, trial

since

"tut"

crazy. Brute force takes a lot of

guest

the "eventually"

names

each

file

so

it

includes

letter of the alphabet,

musi-

and presidents, numbers, celebrity nicknames and other common password


material. Get rid of the words like "perspectives"
that just seem too weird for anyone to use as passcians,

of cars

words.
Speaking of making things go faster for yourself, the same holds true when brute forcing nonlanguage passwords. If you live in New York, you
should begin your attack by brute forcing New
York SSNs only. There are many ways to bring
down the number of potential codes you have to
check. The military uses what is called the TAC
Access Control System (TACACS) to ensure
legitimacy of usership of its network computers.
The access codes that TACACS looks at are strings

but the strings will


of alphanumeric characters
never contain the numerals zero and one, nor the
letters Q and Z. The theory behind this decision is
that a user reading his or her access code off a code
card can easily confuse Is, Os, Qs and Zs with other
letters or numbers.

Once you have edited your dictionary of possible passwords to best suit your needs, or once you have determined which codes are the ones most likely to occur, you write yourself a little program, in whatever language you know, to dial the modem, enter one word at a time as a password, and try, try again. And again. And again. This is a simple program to write, but if you don't have the expertise to do so, plenty of programs like this are available on BBSs.

If you know Joe User works for Company X, then you can have the program run through every combination of password with the usernames Joe, User, JUser, and Joe User, not to mention other varieties like joe, JOE, and joeuse. (But from your research and experimenting you should have some idea what format the username will be in, so you shouldn't have to try too many variations.) If, on the other hand, you don't know the name of anyone who works there, you'll have to either find out (i.e., look in company directories, call up and ask, look in annual reports, newspaper articles, or any of a hundred other places to find names) or try every combination of possible first names. If you must resort to trying every first name, make sure you try female and foreign names. You might want to take a trip to the library and find out what the most popular first and last names are. But remember, you don't need the current popular names; you need names that were popular and common twenty or thirty years ago, when parents were naming the people who work in the company you're trying to break into.

There are some things to consider when writing the program. How many times will the computer system allow you to enter bad name/password combinations before it logs you off? Three? Eight? If it gives you three chances before saying bye-bye, make sure your program outputs exactly three name/password combos before redialing the number. Often remote computers will accept characters as input even before the input prompt is put on the screen. If this isn't the case with the system you're trying to get into, you'll have to put a delay loop in your program to make sure passwords are not being entered before the cursor is on the screen. Finally, what happens when your program does manage to ferret out a workable username and password? Unless you're sitting there, monitoring the computer as it does its thing, you need some way of knowing when a brute force attempt has been successful. Otherwise your program will continue to spit out passwords, and the system operators, who by now almost certainly have noticed what is going on, will be furious! Have the program monitor the text as it is sent from the remote computer. When something other than the login prompts is received, have the program flash the screen and ring the loud bell on your printer. Either that, or have it input the logoff command, and print the usable username/password on the screen for you to see when you wake up the next morning.

Certainly, it is not absolutely essential to write a program to spit out passwords. If you have the time and patience, you can sit down and enter passwords yourself. But remember that this will take even longer than the already immense amount of time it takes a computer to brute force its way in.

I must emphasize that no matter how many precautions you take to eliminate excess work, brute force will almost always take an extremely long time to bring results. Therefore, it's important to do what you can to speed up the entry of passwords. If you have to redial the modem after every three passwords, make sure you're running your attack off a phone line with touch-tone capabilities. Also, before you begin a brute force approach, set yourself up with the highest baud modem you can possibly acquire, even if you need to borrow one from a friend. Moving just a few notches up the baud ladder makes a big difference in speed.

Foiling The Brute Force Assault

As a youngster I remember going out to dinner with my family one night, where they had an all-you-can-eat special. Naturally I decided to do my part to see that I ate my fair share, but by the third reorder, we were getting increasingly frustrated with the long waits and smaller portions. My dad explained it: "You see, that's what they do so you won't eat as much. They keep taking longer and longer to come out with the food, and they give you less of it." I don't know how true that was, but after a while it certainly was not worth waiting around forty minutes just to shovel down another plateful of food.

The techniques used to thwart brute force attacks work on the same principle as that all-you-can-eat restaurant. As mentioned earlier, if one is persistent enough then it is really only a matter of time before a legal username/password is hacked by guesswork or by chance. Therefore, the way to prevent such an attack from succeeding is to structure the system prompts to frustrate the hacker into quitting early.

The most common defense is allowing only a few login attempts before disconnecting. The computer may then refuse to allow a reconnection within a certain period of time. The drawback to this is that a legitimate user might be inconvenienced, though having to wait a few minutes is much less of an inconvenience than logging on to find one's files have been tampered with by some cracker.

Another method is to increasingly slow the response time to each successive login attempt. A prospective hacker might find himself waiting thirty seconds for a response from the remote computer... Then a minute... Then two minutes... The long waiting periods wouldn't start until the first three or four login attempts were tried and found unsuccessful. Then the computer would say to itself, "Gosh, no real user would spell his name wrong that many times. Must be a hacker!"

Another trick is the dummy login prompt. After a certain number of unsuccessful login attempts the system continues asking for login information, but returns an error message no matter what the input is.

The moral of this story is, if you write a password-cracking program, be sure you monitor its progress. Don't just set it to run overnight and leave it unless you've first determined that such security measures are not in place. When you wake up the next morning you may find it's been taking forty minutes for the computer to respond to your inputs. Or you may find that every possible combination has been tried to no avail, and so you know that you've been wasting time responding to dummy login prompts.
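The guessing loop from the previous section and the three countermeasures just described can be put side by side in a small simulation. The Python below is an example added for this edition; it is not code from the book. The "host" is an in-process stand-in for the remote system, run on a virtual clock (an assumption, so nothing dials out), and the account "juser"/"puppy", the prompt strings, the candidate lists and the thresholds (three tries per call; stalling or dummy prompts after three failures) are all made up for the example. The client does what the text asks: it sends exactly as many pairs per call as the host allows before redialing, watches the returned text for anything that is not a login prompt or a failure message, and gives up when replies start taking too long.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

LOGIN_PROMPT = "login: "
FAIL_MSG = "Login incorrect\n"
HANGUP = "NO CARRIER\n"
SHELL_BANNER = "Last login: Tue 09:12\n$ "       # anything that is not a login prompt

VALID_ACCOUNTS: Dict[str, str] = {"juser": "puppy"}   # constructed; unknown to the guesser


@dataclass
class SimulatedHost:
    """In-process stand-in for the dial-up host (an assumption: nothing dials out).
    Each defense from the text is optional:
      max_attempts - bad logins per call before the host hangs up
      cooldown     - virtual seconds it refuses a reconnection after hanging up
      slow_after   - total failures after which replies take 30s, 60s, 120s, ...
      dummy_after  - total failures after which every login fails, even a right one
    """
    accounts: Dict[str, str]
    max_attempts: int = 3
    cooldown: float = 0.0
    slow_after: Optional[int] = None
    dummy_after: Optional[int] = None
    clock: float = 0.0              # virtual time, so the example runs instantly
    total_failures: int = 0         # counted across calls: redialing does not reset it
    locked_until: float = 0.0
    connected: bool = False
    session_failures: int = 0

    def connect(self) -> str:
        """Answer the call with the login prompt, or '' (no answer) during a cooldown."""
        if self.clock < self.locked_until:
            return ""
        self.connected, self.session_failures = True, 0
        return LOGIN_PROMPT

    def login(self, user: str, password: str) -> Tuple[str, float]:
        """Return (text the host sends back, virtual seconds the reply took)."""
        if not self.connected:
            raise RuntimeError("not connected")
        delay = 1.0
        if self.slow_after is not None and self.total_failures >= self.slow_after:
            delay = 30.0 * 2 ** (self.total_failures - self.slow_after)   # progressive delay
        self.clock += delay
        ok = self.accounts.get(user) == password
        if self.dummy_after is not None and self.total_failures >= self.dummy_after:
            ok = False                                  # dummy prompt: error no matter what
        if ok:
            return SHELL_BANNER, delay
        self.total_failures += 1
        self.session_failures += 1
        if self.session_failures >= self.max_attempts:  # too many: hang up, start cooldown
            self.connected = False
            self.locked_until = self.clock + self.cooldown
            return FAIL_MSG + HANGUP, delay
        return FAIL_MSG + LOGIN_PROMPT, delay

    def logoff(self) -> None:
        self.connected = False


@dataclass
class GuessResult:
    found: Optional[Tuple[str, str]]
    attempts: int
    redials: int
    stopped: str                    # "found", "exhausted" or "tarpit"


def _dial(host: SimulatedHost) -> None:
    """Redial; if the host is in its reconnect cooldown, wait it out on the virtual clock."""
    if host.connect() == "":
        host.clock = host.locked_until
        host.connect()


def guess(host: SimulatedHost, users: Iterable[str], words: Iterable[str],
          per_connection: int, max_response_secs: float = 20.0) -> GuessResult:
    """Try every (user, word) pair, sending exactly per_connection pairs per call (match
    it to the host's limit) and redialing in between. Success is detected the way the
    text suggests: the reply is something other than a login prompt or failure message.
    A reply slower than max_response_secs means the host has started stalling, so stop
    instead of feeding a tarpit all night."""
    attempts = redials = in_session = 0
    _dial(host)
    for user, word in itertools.product(users, words):
        if in_session >= per_connection:
            host.logoff()
            _dial(host)
            redials += 1
            in_session = 0
        attempts += 1
        in_session += 1
        reply, took = host.login(user, word)
        if took > max_response_secs:
            return GuessResult(None, attempts, redials, "tarpit")
        if reply.startswith(FAIL_MSG):
            if reply.endswith(HANGUP):                  # hung up early: force a redial
                in_session = per_connection
            continue
        host.logoff()                                   # we are in: log off and report
        return GuessResult((user, word), attempts, redials, "found")
    return GuessResult(None, attempts, redials, "exhausted")


USERS = ["guest", "juser"]                              # constructed candidate lists
WORDS = ["password", "visit", "puppy"]


def run_scenarios() -> Dict[str, GuessResult]:
    """The same guesser against a plain host, a progressive-delay host and a dummy-prompt host."""
    return {
        "plain": guess(SimulatedHost(VALID_ACCOUNTS, max_attempts=3), USERS, WORDS, 3),
        "slow": guess(SimulatedHost(VALID_ACCOUNTS, max_attempts=3, slow_after=3), USERS, WORDS, 3),
        "dummy": guess(SimulatedHost(VALID_ACCOUNTS, max_attempts=3, dummy_after=3), USERS, WORDS, 3),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:6s} {result}")
```

Run it and the plain host gives up "juser"/"puppy" on the sixth try after one redial; the progressive-delay host is abandoned at the fourth try, once a reply takes thirty virtual seconds; the dummy-prompt host exhausts the whole list with no result even though the right pair was in it, which is exactly the overnight waste the text warns about. Note that the host counts failures across calls for the stalling and dummy-prompt defenses, so hanging up and redialing does not reset them; a lockout keyed only to the current call would be defeated by the very redial loop the guesser uses.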

Conclusion

Much of this chapter has focused on different "likely" passwords to try when initializing an educated brute force attack. We can go on forever listing common passwords: names of pets, historical dates, room numbers, book titles, not to mention all of the above with vowels removed, backwards, or in various anagram forms. There comes a time when you have to forget about trying to limit the number of possible passwords to a select few, because your "limited" number will be as infinite as before you put the restrictions in place.

Besides, a password may be "easily guessable" and yet be secure enough to thwart your attempts to guess it. The password "Smith" is not secure, and "Jones" is not secure, but "Smith@#Jones" is as obscure as anything. (That holds against the plain word-list attacks described here; a cracker that applies mangling rules, such as joining two list words with a few symbols, would reach it too. The point that stands is that a small mutation puts a password outside whatever list you have assembled.) Outsiders see password guessing as a valiant pastime for the hacker, but in essence it is only the beginning of the hack. Brute force is best carried out by computers, and should really only be used when a computer is necessary to gain access (I'm thinking about Robert Morris Jr.'s worm program as an example).

The thing is, the whole business of hacking has to do with skill and knowledge. Brute forcing passwords requires little of either. But no one's going to look down on a hacker who does some educated brute force work, especially if that hacker has a good reason for doing so. But don't rely on the computer's brawn to do your dirty work: use the ingenious computing power of your brain. And that is the topic of the following two chapters.

"Computer crimes deal with people to a far greater degree than they deal with technology."
Donn B. Parker

Chapter Five:
Social Engineering

It is somehow shocking the first time one hears about "social engineering." At least it was shocking for me. Hacking is thought of as an activity pursued solely, nocturnally, relentlessly, for hour after midnight hour, by some dazed and nerdish character banging away at a computer keyboard in feverish pursuit of that single golden word which will grant access to the technological secrets of the universe. That is how it was at some point in the past, until it became impractical. Those brute force methods are certainly valid, and they are the bread and butter of any well-stocked hacker's arsenal. But there are other ways to learn passwords; social engineering is one of them.

"Social engineering" is the attempt to talk a lawful user of the system into revealing all that is necessary to break through the security barriers. The alternate term for this is "bullshitting the operator."

Social Engineering (SE) appears in a variety of forms and disguises. Here I will list many of them. As you will surely discover for yourself, there is a cornucopia of clever twists and variations to be made on each of these examples. Some twists I will examine; others will be left for you to creatively imagine.

The Noble Form

To those hackers whose sense of ethics does not allow them to use trickery in an attempt to ascertain passwords, one form of social engineering might still be used without straying from one's sense of morality: the gentle art of asking, "Please...?"

I think I've never heard of a verifiable instance where this has worked, though there are rumors that hackers have simply requested and received passwords from system users. Usually, the story goes, the system operator is either asked over the telephone, or e-mailed a letter which says something like: "I am a hacker. Give me a low access account and I will use my skills to show you what your system's weaknesses are. That way you can correct them and won't be troubled by malicious crackers in the future."

The other way to do this is to call up someone, a secretary in an office for instance, and just ask, "What do you type in to start the computer in the morning?"

Will this work? Well, you would have to be lucky enough to call someone who's fed up with his or her job, and who doesn't know any better about security procedures. Social engineering minus the deceit is not likely to work, and could make it harder for you to get in, in the future. More likely you will want to bone up on your acting skills and try some telephone shenanigans.

Hacker As Neophyte

Here you play the role of a new user. Let's say you're trying to get into a company's computer system. The time is 8:55 in the morning. You call up the computer department (from your home or wherever) and this is the conversation that follows:

PERSON ON OTHER END: "Hello; Jack Chipper, Computing Department."
YOU: "Hello, Jack, this is Gary Harris from the Researching Department. Maybe you could help me with a problem?"
JACK: "Maybe... What is it?"
YOU: "Well, I'm the first one here, and I can't seem to get things started up. Will you talk me through it?"
JACK: "Sure. You by your computer?"
YOU: "Yes."
JACK: "Okay. Turn on the red switch on the floor. You see it there?"
YOU: "Yes, okay. I see it... Okay."
JACK: "It'll take a few minutes for everything to boot up."
YOU: "To what?"
JACK: "Uh, boot up. I mean, it'll take a minute or two for the computer to set itself, to get ready to use."
YOU: "Okay, it stopped."
JACK: "What do you see?"
YOU: "Just what you always see. It worked up to here fine before, but after this, it didn't work. What do I do when it doesn't work here?"
JACK: "What do you usually type?"
YOU: "I don't know. This is my first day here. I'm just a temp; they said someone would tell me!"
JACK: "Okay, press Enter."
YOU: "Enter... Okay."
JACK: "Now type 'TEMP' spacebar 'PUPPY.'"
YOU: "Okay... Oh!"
JACK: "See?"
YOU: "Thank you, Jack! I don't know what went wrong before!"

Now I want to run through this conversation again, this time pointing out some of the essential components of all successful social engineers.

PERSON ON OTHER END: "Hello; Jack Chipper, Computing Department."
YOU: "Hello, Jack, this is Gary Harris from the Researching Department..."

Notice here how you begin your conversation by mimicking the technician's words, introducing yourself in a way similar to the way the technician introduced him or herself. This is done to make the person on the other end feel more comfortable talking to you, and to show that you're not afraid to reveal who you are or what business you do for the company. If Jack had said he was from the Computer Room, then you would say you were from the Research Room. Unless you have a company directory as reference, you won't know the exact names insiders use for each of the various segments of the corporation. Thus, it's usually a safe bet to talk like the insider, in this case the technician. Even if you say "department" when you should have said "committee" or "room," the fact that the technician used that term will make you sound, in his ears, like an employee.

YOU: "Maybe you could help me with a problem?"

This appeals to the technician's sense of computer godliness. It also piques his curiosity as to what could be wrong with his system, or your use of his system. Saying "maybe" will get the technician somewhat flustered; you should know better than to question his ability to handle computers. He will then go overboard to show you how smart he is. Knowledgeable users love to show off their computing skills (I know I do, don't you?), especially technicians whose job it is to help the multitude of non-experts get through the day. Also, notice the mention of the word "problem." Computer people love solving problems. Mention in a vague way that there's a problem with his system, and he'll go crazy: just open your ears and let the passwords roll right in!

YOU: "...and I can't seem to get things started up. Will you talk me through it?"

Now that he knows he's the superhero, you immediately identify the problem, while still being vague enough to not alert suspicion if your assumptions about the login procedures are wrong. After all, dialing into the company's computer system from your house could look very different from actually being there, using it in person. You're better off staying with general questions, and allowing the technician to mentally picture the specifics of your trouble. The "will you talk me through it?" request begs him to do something he does by rote every day. Again, it is important to request that he do something specific (such as talk you through the setup procedures) but not so specific that you blow your cover by making yourself seem suspiciously knowledgeable. For example, if you had simply said, "Can you help me?" he might want to walk over to your office to help you out. Since you are not actually in an office, this will definitely tip him off to your deceit.

YOU: "Well, I'm the first one here..."

Notice at the beginning I mentioned that the time was 8:55 in the morning. It won't always be possible to call before the workday begins, but it sure does help if you can. Doing so gives you a valid excuse to call a technician for help; after all, if you're the first one there, there's nobody else to ask. But technicians won't always be available before anyone else at the office, so this won't always work. Consequently, you may want to try making a phone call at the end of the workday. Then you'll be able to say that the other people in the office shut off the computers and went home before you had a chance to finish your work.

JACK: "Okay. Turn on the red switch on the floor. You see it there?"
YOU: "Yes, okay. I see it... Okay."

You have to pretend to be doing what the technician asks you to do, because remember, you're not actually in the office, and perhaps the reason you are social engineering is because you don't even have a dial-in number. It's good to have an actual computer next to you, so he or she can hear the power being turned on and you clicking away at the keyboard.

JACK: "It'll take a few minutes for everything to boot up."
YOU: "To what?"
JACK: "Uh, boot up. I mean, it'll take a minute or two for the computer to set itself, to get ready to use."
YOU: "Okay, it stopped."

"To what!" shows your complete helplessness when it comes to computers. You don't want to pretend you've been living in a cave the last three decades, however. Saying, "What's a keyboard?" will only provoke utter disbelief, not sympathy for your naivete. Don't forget that the conversation has a plan to it; you're trying to steer the conversation to your benefit, so make sure you stay in control of where it's heading. "Okay, it stopped," reassures the technician that the computer is working fine, and that his or her ability to give instructions over the phone has not faltered. But above all, it keeps you on track so the conversation can continue toward its ultimate reward.

JACK: "What do you see?"
YOU: "Just what you always see. It worked up to here fine before, but after this, it didn't work. What do I do when it doesn't work here?"
JACK: "What do you usually type?"
YOU: "I don't know. This is my first day here. I'm just a temp; they said someone would tell me!"

You can try for another generic answer ("Usually I either type my password here..."), but what if you guess wrong? What if at this point an office worker is placed at the DOS prompt or Macintosh Desktop? You see, it could be that dial-in lines are password protected while in-house computers are not. In-house computers might be protected by trust, physical keys, or biometric devices. In this instance, you've used the "new person" ploy. It's usually a good bet to pretend you're a new person, unless it's widely known that the company is actively firing employees, or ready to go bankrupt. Saying you're from a temporary agency may or may not be a good idea. Temps will generally have a site contact or local supervisor to whom they report and ask questions. The technician might not know that, however, and in any case you can always say that your supervisor is in a meeting and told you to call the computer department for advice.

JACK: "Okay, press Enter."
YOU: "Enter... Okay."
JACK: "Now type 'TEMP' spacebar 'PUPPY.'"
YOU: "Okay... Boy! This guy isn't letting up! Oh!"
JACK: "See?"
YOU: "Thank you, Jack! I don't know what went wrong before!"

The "Okay..." is said as if you've tried this same thing a million times, but it's never worked. Thank the technician profusely for his help, and reassure him that you are a genuinely naive but responsible member of the company (in this case, by saying you don't understand what went wrong before). This sample script is based on hundreds of real-life conversations that technicians have with legitimate users who have similar problems. I can recall dozens of times when I personally have been asked how to do something that the user has already done before, without getting it to work. Usually all it takes is a run-through and everything works fine. My experience has been that these calls usually end with the person who has been helped grouchily saying, "But I tried that before! It didn't work before!" So make sure that you are nice to your technician; you may be needing help from him or her again, and it will certainly boost his or her ego to know you appreciate the help you have received.

Here's another example of how a hacker can pretend to be helpless when it comes to computers, but still make off with vital information. When a new computer system has been installed in an office, there will often be business cards or phone numbers taped near the terminals which are used to contact someone from the technical department of the company which supplied the computers, to deal with bugs that haven't yet been worked out. The business cards (or you may just find a phone number on a slip of paper) may also be taped to a section of wall devoted to important messages, or they may be hidden someplace behind a clerk's desk or counter. Crane your neck if you must to get the name and number off the card (or simply ask the person; we don't always have to do everything on the sly!). Let's say you managed to get Frank Smith's number at Corny Computing while you were doing some business at a branch of an insurance company. Call the number and say, "Hi, this is Lauren from Booboo Insurance. There was some weird stuff going on with the computers and I had to shut them off, and now I'm stuck...." And let them lead the way.

One time I saw such a business card taped to a public access terminal at a library. I copied off the information, then called up, saying, "This is Jack [a guy named Jack really worked at the library] from Whoopie Library. I'm having trouble getting into the circulation system from public access mode. The computer's behind the counter, so I don't know what it was doing in PA mode to begin with, but..."

Hacker In Power

If appealing to a technician's sense of godliness won't work in your situation, perhaps it's time to become a god. In a military setting, pretending to be a high ranking officer can put fear into the hearts of any lowly receptionist. Just call up, saying either that you are the general, or that you're the general's personal secretary. In either case, both of you are pissed off that your computer isn't starting up the way it should. Demand to know why your account isn't being accepted as valid. Don't whine or complain; just make angry demands. You will get results.

In a corporate milieu, pretend to be the CEO or the president, or the secretary of a CEO or president, especially in organizations where it is known that the leader is a hothead. No one wants to get fired or demoted. The anger routine is useful because the person who picks up will want to be rid of you as fast as possible, and will do anything to get you off his or her back.

Presidents, leaders, military officers, and the like, don't have to be angry, however. Just the mention that you are whoever you say you are will work wonders for your credibility (who else would possibly dare to proclaim themselves General So-And-So?). But if you act as a high-up without being angry, make sure you've done your research beforehand and know what your name is.

This is a sample encounter:

PERSON ON OTHER END: "Good afternoo..."
YOU: "THIS IS GENERAL FROBBS. I AM APPALLED BY THE CAVALIER WAY IN WHICH THIS PLACE IS BEING RUN! I WENT AWAY FOR TWO DAYS AND WHEN I RETURN I FIND I HAVE BEEN ERASED FROM THE COMPUTER! WHO'S IN CHARGE OF THESE COMPUTERS? I'M APPALLED! I DEMAND YOU RESTORE MY ACCOUNT. I HAD MANY IMPORTANT DOCUMENTS SAVED THERE!"
PERSON ON OTHER END: "Did you try typing 'GROUP.1,' 'SEC'? That still works."
YOU: "THAT'S THE DAMNED GROUP CODES! I NEED MY OWN PERSONAL ACCOUNT BACK! I AM APPALLED!"
PERSON ON OTHER END: "I'm sorry, I can't help you with your own codes. Would you like me to find someone who can?"

Notice in this example conversation you have managed to procure a username/password combination which, while not too powerful, at least will gain you access. Even if the person on the other end never does manage to find the general's password, at least you've ended up with not just one, but several accesses to the system. After all, if there's a GROUP.1, there must be a GROUP.2, right?

Hacker As Helper

This type of role playing is like reverse social engineering without the sabotage (see next chapter). Here you pretend that something has gone wrong with a place's computers, and you are the technician who is calling to fix it.

Let's say you want to break into the computers at the mayor's office. You call up his secretary, and you say something like this: "Hello, this is Jake McConnel from Computers. We were wondering, have you been having any problems with the computer system?" Of course she's been having some sort of problem with it; there's always some problem with computers! The secretary answers: "Why yes! First this was happening, then blah blah blah..." You say, "Yes! That's exactly it! That wasn't your fault or anything; there's something wrong with the computers, and we're having trouble fixing it. One of the other guys here was screwing things around last night and we think that maybe it has something to do with it. When you first turn on the computer, what do you type in to get it started?"

The secretary will not be suspicious; after all, you've identified yourself. Even if you hadn't, what harm could possibly come from telling someone a password over the phone? You see, the secretary, or any other underpaid, overworked, menial user of the system, is a very weak link in the chain of security. The secretary doesn't understand computers and doesn't want to. All she knows is something's going wrong and you're going to fix it for her. This is a very effective ploy.

up

the "computer

speed up the system for them!


Computers tend to be at their slowest toward the middle to end of the day, when the
most people are on the network. Especially in
university settings, this is true. Frequently students and faculty will log on in the morning,
then stay connected throughout the day, regardless of whether they're using the system. On the
other hand, some systems will actually get faster
as the day proceeds, so research is always a
must. For example, the Prodigy service is proud
of the fact that toward the

end of the day and

into the night, as usage increases, system speed

Peak Hours

also increases. This is because data is stored

on a

There are the mainframes situated in Prodigy headquarters somewhere on the


globe, and various minicomputers scattered
about the country. Users connect to the
semi-local minicomputers, called Local Site Controllers, and as they use the system, data is copied from the far away mainframes, to the local
dual-tier basis.

Don't use the above mentioned sort of ploy

around lunch time or early in the morning. It'll


be harder to work effectively. Let the pressures
of the
If

work day start to pile up before you call.


the system you're breaking into

is

a place

you have access to, such as a library, dentist's


office, bank or school, you should do a little research and figure out when the best time is to

make your call.


At one of the

belong to, the computer system has


slow down." At
around 3 o'clock every afternoon, the computers
suddenly slow down to half their usual speed.
This leads to various other computer problems
and, ultimately, very frustrated library workers.
I don't know why the computers slow down;
maybe the system gets the most use at 3 o' clock,
libraries I

a "3 o'clock

By the end of the day, most of the data a


would request to view will have already
been transferred to the closer computer, making
minis.

user

for less waiting time.


It's

places

good to be aware of pace trends in the


you intend to social engineer. If you can

find a noticeable difference in pace (like a 3


o'clock slow down) naturally you will want to
work your magic around that time. Good times

don't have to just be


pace;

if

when

the computer changes

the workload, noise-level,

number

of

"

-v-

customers, or

some

other aggravating condition

worsens during a particular time, that

is

gener-

time to social engineer. To find these


times, try to visit your target's office at various
times throughout the day. Find out when the
office is busiest. If it's something like a library or
travel agency, go visit the building or make
some phone calls. Ask a question about something, and if they seem to be having trouble
when they look it up in the computer, call back
as the guy from the computer department. Really a nice

member,

offices will

be

at their

most

buy some electronics equipment. As the woman


was taking his order, she casually mentioned
that she was doing everything by hand because
the computers were down. Bill asked if she
knew why they were down. She said she didn't
know, but she was pissed about it because computers in other parts of the building were

working fine. Well, as soon as Bill got off the


phone, he called back and hearing a different
operator on the line, proceeded to have this conversation:

hectic after

being closed one or two days, so Monday


morning is always a good shot. Just make sure
they're not so busy that they don't have time to
schmooze on the phone with you.
Social engineering will work with any computer system, of course, but you will naturally
find it a lot more difficult to fool a system administrator at the community college, than a
teenage bank teller. Social engineering has been
successfully used to gain access to corporate
networks, schools, government offices, and other
systems. Social engineering is a powerful tool,
but you have to be a good actor to use it properly.

A friend of mine, Bill, told me this story. One summer day he called up a mail order place to...

OPERATOR: "Shark's Radio Supplies, Pam speaking. May I help you?"

BILL: "Yes, but actually I called to help you. This is Bill Robinson, in the computer department. Are you still having problems with the computers?"

OPERATOR: "We sure are!"

BILL: "Oh, okay. What's the computer showing right now?"

OPERATOR: "Nothing, we have them all turned off."

BILL: "Oh, I see. I thought you were having problems with it, but I guess you're in the part of the building where they're not working at all."

OPERATOR: "Yeah."

BILL: "Well, have you tried turning them on lately?"

OPERATOR: "No. Oh, are they back on again?"

BILL: "I think they might be. Now would be a good time to try."

OPERATOR: "Okay.... Nothing came on the screen."

BILL: "Can you type in anything?"

OPERATOR: "Lemme see.... No."

BILL: "Sometimes, even if it doesn't look like the letters are going to the screen, they still go there. Try typing in all the stuff you usually type in first when you turn on the computer."

OPERATOR: "Okay."

The operator went on to give Bill all the information he needed to know. When the operator was finished "logging on," Bill gave a resigned sigh and said, "Oh well, it was worth a shot. I'll go back and tinker around some more. Thanks anyway." Of course, he still didn't have a phone number to call. He didn't even know if the computer system was connected to outside lines; after all, this all happened on account of a freak accident, his finding out about the downed computers. But now he knew how to go about logging in to Shark Radio Suppliers' computer system, and he had made a friend on the inside. The login information was important in case he did find a phone number, or if another hacker needed the information. Having an inside friend was important because now Bill could use her as a further information source, if the need ever arose.

Other Hints

If it's possible to research the place, do so beforehand. Do as much as you can to find out about busy hours and what kinds of problems they might experience with the system. If it's a public place like a library, for example, then try to figure out which people working there know nothing about computers. Try to get those people on the phone. Also, make sure you identify yourself as so-and-so from the computer department (or computer division, or section; if the person answers the phone, "Hello, registration office," then use the same terminology: computer office). And when you do so, use a common, everyday first name, and also a familiar last name. If you can't get the login information the first time, try again at a different time, on a different day. Don't speak to the same person, however.

Sample Social Engineering Situations

It's easy to get yourself into awkward situations, especially at the beginning of your social engineering career. You will speak to receptionists and other company insiders who know the lingo, know policies and screen setups, and know how to spot a fake. Whether intentional or not, you will be asked questions to which the answers are not readily apparent, due to the fact you are an impostor. Here are some samples, and possible solutions.

RECEPTIONIST: "You're Charles Green? But there is no Mr. Green in our computing department."

YOUR RESPONSE: "I've just been here a few days."

RECEPTIONIST: "That's funny, I didn't see your picture hanging up on the New Staff bulletin board."

YOUR RESPONSE: "Yes, I know. What's-her-name hasn't had a chance to take my picture yet. Maybe later today."

RECEPTIONIST: "What do you mean, 'What's-HER-name'? Jack's the one who takes staff pictures."

YOUR RESPONSE: "Oh yeah, Jack is right!"

RECEPTIONIST: "I won't be able to help you until I have your staff ID. What is your employee ID number, please?"

YOUR RESPONSE: "Oh, I don't have one. I'm just a temp. I'm filling in for someone who went off to have a baby."

RECEPTIONIST: "Just read the ID number off your badge."

YOUR RESPONSE: "I didn't get my badge yet; there was some mix-up or something. My supervisor said she would give it to me tomorrow, maybe. You know how it is, no one knows what they're doing, and all that..."

RECEPTIONIST: "Who's your boss/supervisor/manager? Do you know anything about him/her?"

YOUR RESPONSE: "M____."

(You should've done your research, so you should know the answer to this sort of question. If you don't know and it's a large company, or a large building, you can try either answering with a false but common name, or try the old, "Uhm... Something with an 'S'... Schindler? Schindling? Schiffer? Schifrin?")

Here's a different situation:

RECEPTIONIST: "But I don't have a computer!"

YOUR RESPONSE: "I'm sorry. I must've dialed wrong. Is M____ available?" (M____ is the name of the receptionist's boss.)

Chapter Five: Social Engineering

If you can manage to work in some company news or personal tidbits in an unobtrusive way, then do so if the person you're speaking to seems friendly. This is just another way of gaining credibility points.

YOU: "Sorry, I didn't hear that last thing you said. It's really loud here with that construction they're doing next door."

YOU: "By the way, does M____ have a kid in the Little League? My son has a friend named..."

Note that for maximum benefit, credibility questions should be worked in before asking about login procedures.

Miscellaneous
Social Engineering Tips
To improve your chances of getting in with
social engineering, here are some tips.
Notice how the person you speak to reacts to
your questions. If you speak to a receptionist or
other worker on the bottom of the pay ladder, he
or she may not want to chit chat or fool around
with computers if he or she's being monitored,
or if calls are being screened by the boss.
Go to some public place where they have terminals hooked up, and look at the wall where the terminal is connected to the phone box. Write down the four digits that appear on the phone box (these are the last four digits of the line that the terminal is hooked to). Guess the first three digits of the number by looking at a directory for the "public place" in question. Call a couple times at different times of day to make sure the line is always busy. Keep some of these "leased line" phone numbers handy when you social engineer to give to people who want to call you back. This is especially true of sysops who suspect you're a hacker and want to see if you're brave enough to give them personal identification information about yourself. This is better than just making up a phone number out of thin air, because if they do call up, the busy signal will at least create some reassurance in their mind that you weren't a complete fake. Just giving them a number will usually relax them enough so they feel you are one to be trusted.

Confront people in a lighthearted way when


they give you a password. Say, "Are you sure
that's really the one you use?" Secretaries may
have two passwords. One is their own, which
grants them access to a low-level group account.
The other is their boss's password, a higher level
one that they know about because, frankly, secretaries know everything about an organization.
Challenging someone in a non-accusatory
way about the password you are given may also
cause them to fess up if they had indeed given
you an invalid password to get you off their
backs. Second guessing them shows that you already knew the correct password, and that you
caught them in a lie.
If they are bewildered when you ask for a
higher password, just say, "Didn't they upgrade
your access yet? They just bought this whole
new system that's supposed to work fifty times
faster and everyone's saying how wonderful it
is...." Then quickly change the subject.
Have a background tape playing with office
sounds or whatever is appropriate for the number you call. Before using this tape, try to take a
tour of the company and listen to the real
sounds made during the work day. Also, play
the tape for a friend over the telephone, and
similarly have a friend play the tape while you
listen over the phone, trying to adjust the tape
to a realistic sound level. Remember that if
you're the "first one in the office" as with our
naive user example, you don't want the tape to
include background chatter or typing!

When you're talking to people, even if it's just over the telephone, keep a smile on your face and act in a jovial, friendly manner. Pretend you're that person's best friend. If the person picks up the phone with a, "Hello, General Widgit Corporation, Lulu speaking," you respond with, "Hi Lulu! This is..." and go on with your spiel. Now Lulu doesn't know if you two have met before, and as you continue with your friendly attitude, she will begin to treat you more like a friend. Try looking through some books on voice marketing, telephone selling, etc., to get more ideas.

The way in which your phone call is received can also affect your credibility. Often a company telephone will make a different sort of ring, depending on whether the caller is on an inside or outside line. Since you are pretending to be an inside caller, you will want your telephone ring to reflect that. To fix that, call a wrong office or department in the company, and have them transfer you to the number you're after. For instance:

PERSON ON OTHER END: "Advertising. May I help you?"

YOU: "I'm sorry, I guess I dialed wrong. Would you mind transferring me to extension 4358?"

Now you'll get that in-house ring, and with it, an air of authority (and maybe even a special inside caller light will flash on the telephone, too).

Another way to get that desirable inside caller ring/light is to dial, not the listed number, but one next to it. Any organization with more than one phone line almost certainly owns a block of phone numbers. So if the listed number to call is 123-4567, try calling 123-4568, or something a few digits higher or lower. Your call will usually go through, and it will take on the clout of having been placed by someone who is apparently a company insider; anyone else would have dialed the listed number.

Another thing to consider is if you're trying to reach a higher-up in the corporation, you may only end up contacting secretaries, receptionists and/or other underlings. A good trick is to call an office of higher or similar prestige as your goal office, and let the secretary transfer you over. For example, suppose I want to try social engineering Mr. Palooka, a middle manager who runs the shoe division. But I can't get through to speak with him personally. What I do is, I call up Mrs. Colt, who is either a same-level, or higher-level manager, and I ask her secretary to connect me with Colt personally. Colt's secretary asks what I wish to speak to Colt in reference to, and I say, "Shoes!" But Mrs. Colt handles only the rubber band accounts, not shoes. So Colt's secretary says, "Well, you'll have to speak to Mr. Palooka about that one; would you like me to connect you?" She will then transfer your call to Mr. Palooka's secretary. Palooka's secretary comes on the line, and you say to her, "Hello. This is so-and-so. Mrs. Colt's office suggested I speak with Mr. Palooka about shoes." Here you have a recommendation from another company member! You're now much more likely to get in to bullshit Mr. Palooka.

Happy engineering!

Other Roles

Social engineering in its most important sense refers to the obtaining of personal or group passwords by making up a story about yourself and role playing it, hoping that whoever you end up speaking to will play along. But the goal of social engineering doesn't just have to be passwords. And the method of engineering doesn't just have to be over the telephone. Conversations may take place in person or through the mail. The first requires strong nerves and greater acting ability. The second is more suited to those who find it difficult to ad lib telephone SE conversations.

In-Person Engineering

Any instance of impersonation is a form of social engineering. The impersonation may be of an individual person (the president of a company who demands to know why his password isn't working) or of a generic person (Jill Technician, calling to ask if any computer problems have come up). The telephone is normally used because it enables a hacker to reach distant businesses without travel, as well as creating a defensive barrier between the hacker and the people he or she calls. If the conversation starts to go sour, a telephone can be hung up; if a face-to-face talk gets out of hand, it could be difficult to get out of the building.

A good rule of thumb when doing in-person social engineering is to always wear a suit, a good suit, one that fits properly. Make yourself look like you just stepped out of a fashion magazine. At the very least, wear a shirt and tie. Females, wear suitable business attire.

Many kinds of SE that work over the phone won't work in person. You can't pretend to have an office, or pretend to have a computer terminal. Because of this the information you get from bullshitting in person may be minimal or only peripheral. You will probably end up with more background material than immediately useful information.

Pretending to be interested in wanting a job at the firm, or going on a tour of the place, or simply squeezing in and wandering around on your own, provide lots of good data on how employees interact among themselves. Hackers and crackers have also impersonated maintenance workers, painters, and other workers to get inside a company. Being a security guard is also a nice ruse.

The prototypical in-person social engineer is the survey taker. You make up a survey, and stand in the lobby of the building with a pen and clipboard, and get people passing by to fill one out for you. The survey asks for name, spouse's name, hobbies, pets and pets' names, and similar info. Then you go home and try all that stuff as passwords. You might want to say there's some prize involved. For example, that completely filled out forms will be entered in a raffle; winners get tickets to a local show, or a free meal at a nearby restaurant. (Hint: Don't ask people to fill out surveys in the morning when they're late getting to work.)

Written Engineering

Social engineering may be done through the mail or through other forms of written contact with users of a system. For example, the survey method can be altered such that the human element is eliminated. If you don't want to wait around in a lobby all day, just leave out stacks of the forms with either a drop-box or an address to mail them to. Expect minimal response.

Other written ruses take the form of advertisements. Put up a notice in a computer room, saying that paid volunteers are needed for a special project. "Become a System Manager! Great Experience!" Have interested folks mail you a post card with their name, address, desired password, and possibly the machines they currently have access to on the net. While making the ads you'll say to yourself, "Sheesh! This is so obvious!" But you won't believe how many people fall for it. Have them address the postcards to something like "X University, Computer Science Department, Roger Hamm's Office" followed by your address. If your address is thirty miles away from the university, forget about it.

Two Manhattan hackers tried this stunt. They noticed there was a blank space at the bottom of a particular magazine advertisement for one of the popular pay-for-play information systems. They went to local area libraries and borrowed all the magazines they could find that had this ad in them. Using a "sideways printing" utility, they fed the pages into their printer, which printed out, "Manhattan Area Residents, Call [phone number] For Free Six Month Membership." Then they returned the magazines to the library.

When people called them up, they would begin by playing a corny recorded message: "Welcome to X-Net's Free Six Month Membership Program! Listen to all these great things you can do with X-Net...!" When that was done, one of the hackers would come on and ask the caller a few questions: "Where did you hear about this program?" "Have you ever subscribed to X-Net in the past?" "What other fee-based computer networks do you belong to?" "When you call up X-Net, what would you like your sign-in name to be?" "And your secret password?" "Are you sure you're going to remember that password? Perhaps you'd like to choose something else?"

In this way, they ended up with a dozen names, computers they visited, and one or two passwords to try out. You won't get as big a response if you don't live in a big city, but it's worth a shot. Advertising can also be done by slipping a printed card into the magazine, or by advertising on bulletin boards, or other BBSs.

A similar ruse is to advertise your phone number as a local call switcher, especially in places where there isn't already a Telenet or Tymnet link. When users log on they will see what appears to be the usual opening screen, but is in reality a simulation which you programmed. From hacking, you should be familiar with which networks have which addresses, so your program can simulate appropriate login screens for each of them that a caller might try. (Otherwise, respond with a message like, "Line is busy" or "Connection can not be established." Look at actual call switchers to see not only what messages are displayed, but to get the timing down right.) After "connecting" to a computer or network, the program continues its simulation, collects the user's name and password, then aborts due to erratic line noise or some other ghastly problem. If the user tries calling back immediately, a message can be put up that warns certain transmission routes are undergoing maintenance, or similar baloney.

Request For Information

And now, back to some pure social engineering through the mails...

Scan all the computer mags and journals furiously, even the bad ones, for warnings about product failures and security loopholes. Journalistic morality generally prevents dangerous secrets from making their way to the mass media, so the exact details of system security failings won't make it to print. You'll see things like, "Four hackers were caught yesterday, after exploiting a loophole in the V software on the machine at X Military Base." Or you'll see things like, "Company Y has released a warning about its Component Z, which is supposed to keep unauthorized users from penetrating a system...."

What you do is, go print yourself up some official looking stationery, mail a concerned letter to the folks at the company, and wait for their speedy reply. You can try the annoyed approach:

Dear Mr. Abel Jones:

It has come to my attention that there are serious shortcomings in your product, Component Z. My business operates under the assumption that our data is secure because of Component Z. Seeing as how we have been misled for six years, I expect either: details on the flaws which inhibit Component Z, or reimbursement for six years of twelve non-functioning Component Zs, the cost of which amounts to $14,000. I expect a quick reply.

Or the "Let's work together to make this world a better place to live in," approach:

Dear Mr. Abel Jones:

I was dismayed to read in Friday's edition of Computer Magazine that your Component Z is defective. My business uses twelve of these devices, and I would regret very much if we experienced a data loss due to their not working. Please send an explanation of the problem in the enclosed envelope, so that my technicians may remedy the problem as soon as possible.

Thank you for your help.

Sincerely,

I'm divided as to whether or not you should mention specific threats in your letter to the company or organization. On one hand, you don't want them to suspect your letter is phony. But on the other hand, they're going to be receiving many letters similar to yours, most of which are legitimate. You shouldn't have any problem as long as you type the letter on good quality paper, with either a real or imagined letterhead on top. For added effect, type the address on the envelope, and instead of stamping it, run it through a postage meter. You may also slip in a business card of your own design; they are cheap to obtain.

If the company refuses to help you without proof of purchase, well then, you're on your own. You can always try to social engineer the company technicians into revealing the security flaws. There are also plenty of computer security associations, organizations and other groups which will have the particulars of the loophole. You might also make an attempt to get the juicy details by calling the publication in which you read about the security failing. Try to speak to the person who reported the story. People at magazines and newspapers are surprisingly easy to reach on the phone, but getting them to talk is a different matter!

Message From God

Dear User:

As the director of PinkyLink, America's largest on-line information service, I was shocked to discover that a theft of several backup tapes took place over the July 6th weekend. This is most embarrassing.

Contained on one of those tapes was, among other things, the personal security data on a small percentage of our customers. While your name was, luckily, not on that stolen tape, there is still some threat to you. As of now we are uncertain whether any users with programmer-level computer access were backed up on the stolen tape. Therefore, we request you fill out this application and mail it back immediately in the postage paid envelope provided. Fill out the form and return it to us as soon as possible. Once received, we will update you to this new, secure ID.

Thank you for your cooperation, and to offset any trouble this may cause you, we will be subtracting 75% off your August bill.

Please keep a copy of this for your records.

Name
Address
Zip
Day Phone (   )
Night Phone (   )
Old (Invalid) Password
New (Updated) Password

PinkyLink, America's Largest On-Line Information Service, guarantees that the above personal data will be inputted no later than September 1, 19__ (following verification), and will be kept confidential before and after such time.

Imagine Joe User gets this letter in the mail. It looks authentic, having the logo and letterhead of the service, and arriving in a metered, typed envelope. But will Joe believe that PinkyLink actually sent this to him?

The whole situation is preposterous! Any real life computer service with a password problem would require that all password updating occur on-line. It's simply the cheapest and easiest way to update hundreds or thousands of pieces of user information.

Still, when Joe User looks at this letter, he will notice that he isn't in immediate danger as some other users of the system are; unlike those other poor losers who got their passwords stolen, Joe doesn't have to be concerned that he'll start getting huge bills in the mail from the criminal charging system usage to Joe's account. And what about that 75% deal at the bottom? That makes Joe twice as likely to respond to the letter. Not only does he have a responsibility to himself to make his account secure again, he has a responsibility to the database: if they were nice enough to warn him of this and pay him for it, the least he can do is comply with them. And the return envelope is postage paid!

Of course, PinkyLink probably has an on-line way for users to change their password, but you don't have to mention that when you write a letter like this. Remember, the style is more important than the wording of the letter. Before you send out something like this, be sure to look at real examples of PinkyLink's correspondence, to get an idea of the kind of paper and printing used, sizes of fonts, coloring, etc.

You should expect high returns from this swindle, especially if the people you send the letters to are absolute rookies. Later we'll talk more about how monitoring BBS activity can pay off.

Trouble In Paradise?

Impersonating a huge corporation, or inducing people to mail you their passwords under false pretenses, can get you into big trouble. The Post Office considers such activity postal fraud, even if you're just doing it for laughs. These ideas are provided to stimulate your imagination, not to encourage you to do anything illegal. Before you go and do something stupid, you might want to read Chapter Fourteen.

When you social engineer there are many factors that inhibit the person you speak with from giving out security data. Consider, when you social engineer someone, that person

may have been warned about security leaks
may be knowledgeable about social engineering tactics
can not verify your claimed identity
might know you are not who you claim to be
has no reason to assist you, and can give you wrong or misleading information
can report your call to a security manager.

For all these reasons, a person you try to social engineer may not want to or may not be able to tell you passwords and other information that you request. Considering the above list, would you divulge confidential information to someone asking you for it over the telephone?

That's the problem.

The solution? See you in the next chapter!


Chapter Six

Reverse Social Engineering

Reverse social engineering, or simply reverse engineering (or the simpler RSE or simplest RE) is a sometimes risky endeavor in that its effectiveness varies in its applicability. However, results from RSE are so strong and often so humorous that it provides a flashy alternative to other methods of breaching system security.

You see, even though social engineering is an accepted and revered method of finding out what you shouldn't know, it has its faults. No system is perfect, and clearly the list of flaws from the previous chapter shows that there are deficiencies in the usefulness of social engineering. In many respects RSE is better than SE. However, reverse SE can only be used in specific situations and after much preparation and research. In addition, the best reverse engineering can only be done by more sophisticated (and mobile) hackers. Don't expect this technique to be your bread and butter as you are first introduced to the world of computer-criminal culture. Reverse social engineering in its most consummate forms takes information you don't yet have, and skills you may not have acquired. Here is a comparison chart that shows some of the pros and cons of each form.

SOCIAL: You place call, are dependent upon them.
REVERSE: They place call, are dependent upon you.

SOCIAL: You need help from them.
REVERSE: They need help from you.

SOCIAL: You feel indebted to them, or they believe and act as if you should be.
REVERSE: They appreciate your help and concern, will oblige you in the future if ever you need assistance.

SOCIAL: Questions often remain unresolved to the victim.
REVERSE: All problems are corrected; no suspicious loose ends.

SOCIAL: You have less control.
REVERSE: You retain complete direction and control of the subject of conversation.

SOCIAL: Little or no preparation required.
REVERSE: Lots of pre-planning required; previous access to the site is needed.

SOCIAL: Can work anywhere.
REVERSE: Only can be used under certain circumstances.

Much of social engineering is based on the premise that you, an impostor, pretend to have difficulties and need assistance from another computer operator to solve your problems. The reverse to this is that a legitimate system user has difficulties, and he or she asks you, the hacker, for assistance. In the process of assisting the user with his or her problem, the hacker is able to (effortlessly) find out account names, passwords, the works.

An RSE attack consists of three parts:

Sabotage
Advertising
Assisting

Sabotage is an initial brief contact with an on-site computer, during which the hacker causes a malfunction of some kind that will need correcting.

Advertising is letting the user know you are available to answer computer-related questions.

Assisting is the conversation in which you solve the user's problem, and the user unknowingly solves yours. The user is calling you for advice. Consequently he or she believes you are a member of the company or approved by the company, and one who already knows passwords and protocols anyway. There is no reason not to divulge this kind of data to you. In fact, it won't even be thought of as "divulging" since the person you speak with will just matter-of-factly spill his or her guts to you without hesitation.

It should be noted that reverse social engineering is not social engineering. It takes a backwards approach to the problem of getting users to talk, and so it won't be recognized by a person familiar with conventional hacker tricks. Furthermore, even if the person is so sophisticated as to understand RSE, that person will probably be so wrapped up in his or her own problem that he or she won't notice what's going on. He or she needs your help to correct the problem; he or she realizes that if he or she doesn't cooperate, you won't be able to assist.

Before I explain how this is accomplished and what good it does, you should understand why it's better to have them call you than the other way around. Let's step through that list of bad stuff about social engineering that was given previously, this time demonstrating how reverse social engineering overcomes all of those problems.

Overcoming Social Engineering Drawbacks

May Have Been Warned About Security Leaks Or May Know About SE Tactics

Trying to social engineer someone who knows about social engineering, especially hip programmers and other hackers, won't get you anywhere. Even if the other party doesn't know about "SEing" per se, he or she may take "Don't reveal the password" warnings seriously enough to see through your bull. Social engineering is based on the premise that the person you contact is naive. You can't always guarantee that will happen. In RSE, the legitimate user regards you as trustworthy, as one of those who know, and has no reason to suspect words of deceit: you are the one they call for advice.

Cannot Verify Your Claimed Identity Or Might Know You Are Not Who You Say You Are

Social engineering suffers because to the person you call, you are an enigma, someone they do not know personally. Besides, you never know if the person on the other end of the line has been tipped off that you are lying about your identity, using cues such as Caller ID, a distinctive in-house telephone ring, or a knowledge of employees and protocol. In any case, magic passwords might not be readily given to "mystery technicians" and "perplexed users" with modem troubles. BUT in reverse SE, those words of passage have to come your way: you are the one who is going to help them out of their misery. In fact, when they call you, you can legitimately request that they identify who they are. It is a matter of security, after all.

Has No Reason To Assist You, Or Can Give You Wrong/Misleading Information

What does the social engineered person care whether you are helped or not? I know if I were a busy back-stabbing office worker or receptionist in the midst of a hectic day, I would be furious if some idiot on the phone asked me to give up a few moments of my time to tell him things he probably shouldn't know in the first place. I would probably just tell the caller anything to get rid of him.

On the other hand, reverse social engineers know that the people they are speaking with require their assistance. Even the grandest guru of power users will call you if he thinks you will be able to quickly and simply pinpoint the problem and fix it, rather than wasting his time trying to do so. That power user knows he will get the solution when you reveal it to him, so he can solve it himself the next time it occurs.

Might Report Your Call To A Security Manager

...comes to such intimate topics as passwords and computer security. Ordinary users are reading more in the mainstream press about how we hackers break into systems. They are attending computer security lectures given by their companies, their community colleges, and their local law enforcement branches. The systems themselves contain warnings not to reveal anything to anyone; their employers tell them that, their conscience tells them that. I, yes, even I, tell them that some vile people are out there trying to rifle through their computer files.

I doubt strongly there will ever come a time when all computer users know enough not to blab. Perhaps in a few years, businesses will have output from their telephones on a time delay, and have them hooked up to voice monitors. Then, if a naughty word is spoken, it can be detected and eradicated before the electrons that compose it leave the confines of the building's wiring. Even if such a thing does become commonplace, or even if 95% of the computer-using public decide not to be bullshitted any longer, there will still be those hundreds of other new and old hacking methods, and there will still be Reverse Social Engineering to get the hacker through his day.

The trained user will know immediately when you're trying social engineering. She can then go off and tell others about your attempted pilfering of passwords. Those "others" include co-workers, bosses, computer managers, the person you tried to emulate, guards, or security officers. None of this will help you get in later on, even if it doesn't immediately get you caught or hurt your chances of penetration. Discovery is certainly not on your list of birthday wishes.

On the other hand, reverse SEing is sure to make you a friend on the inside. When you help people overcome obstacles, they will happily spread word of your courteous, efficient manner of help to others, thus spawning more calls and more passwords.

The preceding explanations were motivated by three goals. I want you to comprehend the reasons why even such a powerful force as classic social engineering will fail on occasion; my main concern is this: social engineering can not remain as a mainstay of the modern hacker's bag of... Yet... failings.

Reverse Social Engineering Sabotage Methods

The first step of RSEing is to disable the target computer or the user's ability to use that computer. Generally this means you will be disabling a user's workstation, terminal or computer so that he or she can not access the system properly. You want to do something that is hard to detect yet easy to correct. Here is a list of five general ideas, ranging in the amount of setup time and system familiarity required:


tricks without word getting out to ordinary
computer users. Ordinary users are becoming
increasingly aware of the need for discretion when

Alter a parameter, the kind of parameter that

novices

and how reverse

can eliminate those

social engineers, there will

five percent, the

don't

know about

or

think about.

Examples: default printer port, screen colors,


macros, obscure printer codes, technical
peripheral settings.
Set files to read-only, or rename them, or make
them invisible in their directories. Example: if

66

Secrets of a

Super Hacker

WP.EXE is the word processor used, change


name to WP.$A$.

the

details, the ability to define character translation

Hardware tampering. Examples: switch a color


monitor to monochrome mode; reverse disk
drives; disconnect or loosen the keyboard, or
unplug the computer or surge protector.
Install memory-clogging TSR programs. User
won't know why program fails to run.
Run a simulation program, such as an
operating system simulation, which gives lots
of ugly error messages.

both incoming and outgoing data.


Sometimes people want to be able to press a
certain key on their keyboard, but have it come out
as a different key on the computer they're
connected to. For example, a lot of times editing
keys such as Backspace don't work the way they
should when you connect to a different computer,
because when you press Backspace, the remote
computer ignores it. To really send a Backspace to
the remote computer, you might have to type
tables for

Control-Backspace.
If

up a

call

translation table

Backspace, the computer

install

can easily get out of hand. Do


NOT sabotage in a way such that the
operating system refuses to boot: they may
not have a bootable DOS disk handy when
viruses: they

they

RSE Case

Study:
Translation Table

because of the speed with which he'd managed a


number of great hacks was once almost resigned

he couldn't get any information


about the computers at a particular embassy. "They
to the fact that

he told me. "I tried bullshitting them, but they wouldn't have any of it.
And line connections were hard to establish. And
once on, they only gave you two chances before
disconnecting you. So I needed some other way of
really tight-lipped,"

you want
file,

anytime

it

translate that to

that to the

work

computer

the other way.

to get rid of

for instance,

you can

sees a Control-J,

it

annoying
set

up

translates

the
it

to

Phlash realized that a translation table could be


used to his advantage. He took a copy of the
terminal program and composed both an incoming
and outgoing translation table, both of which were
made to jumble characters. If someone were to
connect with a computer using these translation
tables, nothing they typed on the keyboard would

match its on-screen output. Any data they received


would be totally garbled gibberish.
He typed up a short INSTALL program and
saved it to a floppy disk. His INSTALL program
looked in the directory for the already-installed
terminal program,

getting in."

he

found evidence that at least one computer there


used a particular cheapo-brand modem. Since it
was his only clue, Phlash got some literature from
the modem manufacturer, and found that all their
modems came with a home-brew terminal

among

that contains

a null, or to a tap of the spacebar.

A hacker and phone phreak nicknamed Phlash

emulator, which featured,

file

take incoming data from the remote


computer, and translate the characters into other

table so

in the trash bins

set

They

characters. If

From scavenging around

would

Translation tables also

linefeeds in a

were

is

Control-Backspace, and send


on the other end of the line.

you later!

The

you can

each key you can type, and the character that is to


be sent through the phone lines when you type that
key. If you had this Backspace problem, you would
set up your table so that any time you pressed

Sabotage should not be permanently


harmful to the user or the computer! Do
NOT delete files or directories: they may

Do NOT

it,

translation table to press Control-Backspace

for you.

WARNING!

become unrecoverable.

your terminal program allows

other technical

tables

to

the

moved any

floppy

disk,

existing translation

and

copied

his

newfangled tables over.


Phlash then printed up a convincing letter from
the desk of "Technology Office, Second Branch,
Director"

which

said,

To comply with new regulations governing


cryptography, and the exchange of com-

Chaptet Sp

correct the problem. This

instructions

explicit

install this new, more secure version of


communications software which includes
all

state matters.

which

give instructions

He gave explicit instructions for the installation,


then concluded with, "Any questions or comments
should be directed toward Sr. Benjamin Marcques,
at telephone number 9-212-WXY-WXYZ." And he
mailed it to a top person at the embassy.
Weeks later he got his phone call. "Actually,
they had tried calling before but I had been away,"
Phlash told me later. "That poor woman went
almost a week without being able to use her
modem because I did that sneaky thing to her!
When she called me, I went through the whole
engineering bit, asking her to try logging on like
she usually did. Of course it didn't work. I asked
her if there was anyplace else she usually called,
and there was. So we tried that. Didn't work either.
Finally I decided it was in her best interest to try
going through the reinstallation again. Naturally
that

reversed

the

four

translation

tables,

so

everything was peachy again. Of course now I also


had all I needed to get into two important
government accounts!"
Phlash said that he was getting so caught up in
his pretend role that he almost forgot to get the
passwords and phone numbers. During the course
of "helping" the embassy worker, he suggested that
perhaps it was a problem with the phone line:
"Which phone number are you dialing in from?"
You would also want to ask if there were any
alternate numbers to try.

Unlike

reverse

typical

engineering,

If

solution

no physical entry of the


computer site. Normally, access is needed to set up
a hardware or software problem of some sort, and
to set up advertising for your unique brand of
assistance. How to gain access is touched on
elsewhere in this book.
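To make the translation-table mechanism in the case study concrete, here is an added example; it is not code from the book and not the modem vendor's terminal emulator (which the book never names). It models a table as a 256-entry byte-to-byte map, builds the two legitimate tables the text describes (Backspace sent as Control-Backspace, linefeeds stripped on the way in), a jumbled table standing in for Phlash's, and the inverse table that "reversing" the sabotage amounts to. The byte values are assumptions: Backspace is 0x08, Control-Backspace is taken to be the DEL byte 0x7F, and Control-J is 0x0A. The `deviations` function is the check a suspicious user or administrator would want: a legitimate table differs from the identity in one or two entries, a sabotaged one in dozens.

```python
"""Terminal-program character translation tables, as an added example.
Assumptions (not from the book): a table is a 256-entry byte-to-byte map,
Backspace is 0x08, "Control-Backspace" is the DEL byte 0x7F, Control-J is
0x0A. The jumbled table is constructed for the demonstration; the book
gives no details of Phlash's tables."""

BS, CTRL_BS, LF, SPACE = 0x08, 0x7F, 0x0A, 0x20
PRINTABLE = range(0x20, 0x7F)  # space through tilde


def make_table(overrides):
    """Identity map with selected bytes remapped; usable as an outgoing
    (keyboard -> line) or incoming (line -> screen) table."""
    table = bytearray(range(256))
    for src, dst in overrides.items():
        table[src] = dst
    return bytes(table)


def apply_table(table, data):
    """Pass data through a table, exactly as the terminal program would."""
    return data.translate(table)


def deviations(table):
    """Entries the table does not pass through unchanged. A legitimate table
    (Backspace fix, linefeed strip) has one or two; a jumbled one has dozens."""
    return {src: dst for src, dst in enumerate(table) if src != dst}


def invert_table(table):
    """Inverse of a one-to-one table: applying it undoes the jumbling, which
    is what 'reversing' the translation tables did in the case study."""
    if len(set(table)) != 256:
        raise ValueError("table is not one-to-one, so it cannot be inverted")
    inverse = bytearray(256)
    for src, dst in enumerate(table):
        inverse[dst] = src
    return bytes(inverse)


def jumble_table(shift):
    """Rotate the printable range by `shift` positions: a stand-in for the
    character-jumbling tables in the case study (constructed here)."""
    chars = list(PRINTABLE)
    k = shift % len(chars)
    rotated = chars[k:] + chars[:k]
    return make_table(dict(zip(chars, rotated)))


# The two legitimate uses the text describes.
OUTGOING_FIX = make_table({BS: CTRL_BS})     # Backspace leaves as Control-Backspace
INCOMING_STRIP_LF = make_table({LF: SPACE})  # each incoming Control-J becomes a space


def roundtrip(shift, data):
    """Garble `data` with a jumbled table, then recover it with the inverse.
    Returns (garbled, recovered)."""
    jumbled = jumble_table(shift)
    garbled = apply_table(jumbled, data)
    return garbled, apply_table(invert_table(jumbled), garbled)


if __name__ == "__main__":
    garbled, recovered = roundtrip(47, b"login: jsmith")
    print(garbled, recovered)
    print(len(deviations(OUTGOING_FIX)), "deviations vs",
          len(deviations(jumble_table(47))), "in the jumbled table")
```

The point of `deviations` is that a table is easy to audit: anyone who can read the table file can list the non-identity entries, and a table that remaps the whole printable range has no legitimate purpose. Restoring the saved originals (as the INSTALL program in the story quietly kept them on its floppy) is equivalent to applying `invert_table` to whatever was installed, provided the sabotaged tables were one-to-one.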

Solving The Sabotage

When they call on you, after going through the login procedure and finding the error still there, you must tell the user what he or she can do to correct the problem. This can be done by giving explicit instructions such as: "Type RENAME WP.$A$ WP.EXE..." But if it is a knowledgeable user who calls you, he or she will notice something fishy going on.

So how to get around this obstacle? You have to give instructions which will soothe the wary. If the sabotage is software-related, put a software solution on the disk. For example: "Go into the word processor directory and type 'SETUP' and press Return. Now try running the program again." In this case, SETUP was a file that you put on the disk, which contained the renaming instruction, and also a command to delete itself at the end of its run.

Hardware problems may be difficult to fix or explain over the phone, but then, most RSE won't involve hardware anyway; if you had enough onsite time to physically mess up their computer, you should have had enough time to glean the information that you are trying to get.

RSE Advertising Methods

Here are five general advertising techniques that can be used to get them to call you:

- Switch notes. If you see a slip of paper taped to or nearby the computer, with the phone number of the computing department, get rid of it and slip a note with your own phone number in its place (or some number at which you can wait for a call from them). Elite hackers will simply dial into their local telco computers and change the number of a local pay phone to the listed computer help desk number. Also look for business cards and Rolodex numbers to either hide or switch.
- Post public message. On a bulletin board (thumbtack style, not electronic!) put up a huge, brightly colored, professional-looking sign that says something along these lines:

    Technical Helpline
    COMPUTER PROBLEMS?
    CALL US FREE AT
    OUR NEW NUMBER:
    (123) ABC-WXYZ

  Be sure to put the name of the company you're hacking, and their address and logo, somewhere on the poster to make it look like it's endorsed by the company. Put these signs up all over, or drop them as flyers on people's desks, especially in view of the computers you sabotaged.
- Social engineering. Call up the day before or even a few hours before the sabotage and tell the person who answers about the computing department's new phone number helpline (your number). Ask whoever answers to put it in the Rolodex, or to keep it otherwise close by and handy for whenever anyone needs it. Ask if he or she is the only one who uses that terminal; if the answer is "no," tell the person to make sure others know about the new number too.
- Directory tailoring. Get a company's internal phone directory and add your number to the list, either by crossing out the existing technical support line and writing in your own, or by inserting a visible printed addendum to the book.
- On-line advertising. When doing the initial sabotage, see if you can post a note on the bulletin board (electronic this time!) concerning your computer helpline. Alternately, have part of the sabotage program give out the phone number. For example, rename WP.EXE, then create a simulated word processor which crashes to the operating system after the first few keystrokes, leaving behind garbled characters and colors, and this message:

    <Beep!>
    XERROR 3
    Consult fdox 90v3.2a or call Jim at technical support @ (123) ABC-WXYZ

In your advertisements, make sure the user realizes it is an outside line they are calling (so they know to dial 9 or 2 or whatever to exit the company PBX). That is, do that unless you have managed to appropriate an inside office or phone (by sneaking into an office while someone's away on vacation, for example).

Trouble For Nothing?

Okay, granted the initial setup and planning and sabotage is an exciting, amusing kind of thing to do. But is it worth the effort? Why not just stick with the easier social engineering and not worry about the remote possibility that the guy on the other end will be wise to you?

Well, first of all, that's foolish. Especially considering that many of the people and places you want to hack most will be very security-aware. You must, in many circumstances, assume that they know what you're up to when you're bullshitting them. And if they know what you're doing, you shouldn't be doing it.

Another factor, one related to both this and a remark I made earlier: when you reverse social engineer a situation, you create a friend on the inside. Once you start hacking big-time you'll never know if somebody's on your tail unless you have an inside connection. If you've proven yourself to some user by solving their computing problem, you can then call back a short time after breaking in and ask questions like, "Hi, remember me? I helped you with that problem... I was wondering if you heard about anyone else having that problem, or any other weird stuff going on with the system?" If they've heard about attempted break-ins or system failures, you will be the first to know. You might want to tell them to call you if they ever hear about "hackers" or whatever. This way if you are discovered and, let's say, a memo is distributed telling everyone to change their passwords because a hacker is on the loose, your contact will innocently call and let you know about it.

The continuing loyalty and assistance you will receive from the inside is well worth the beginning trouble you may have in setting up the sabotage.

Chapter Seven: Public Access Computers And Terminals

Introduction To The Three Kinds

Have you been to a mall lately? I mean one of those huge, sprawling malls that not only have clothing stores, electronics shops and food courts, but miniature golf courses, arcades, banks, post offices, and anything else you can or can not think of? Instead of the large "You are here >" maps they used to have, you now often find computers set up with touch-sensitive screens that help you find your way around the mall and inform you about mall happenings.

Personally, I've never hacked a mall computer, but the potential to do so is there, and the motivation is there as well. Hackers hack because they are in love with the idea that any accessible computer has a secret side that can be broken into. The computers at the mall have a secret side: the general public is not supposed to be able to change around the names of the stores on the computerized map of the building, but there is a way of doing just that. Similarly, when you go to Ellis Island and look up your ancestors in the computers, there is obviously some rear end to the system that you are not being allowed to see. All public computers have a secret side. A hacker is a person who wants to get at it.

This chapter addresses two aspects of publicly accessible computers: how to get into the behind-the-scenes parts, and using public computers to collect information you're not supposed to know about the people who use them.

The computers and dumb terminals that are publicly available are a great boon to anyone interested in hacking. Even if a general-access computer doesn't have a modem hanging off the back, or does not allow out-dialing, hackers can benefit by using the computer to gather information about legitimate users of on-line databases, school networks and other computing systems.

Computers are publicly available in lots of places: lobbies of office buildings, malls, museums, airport club lounges, public fax machines, public and private schools, and in stores. However, the place they are most often seen is at libraries; consequently, the following discussion is based mostly on the computers found there.

Computers are now available for the use of the general public at most public and academic libraries. They fall into three groups: CD-ROM databases and information computers, public access terminals, and general purpose microcomputers. Let's look at each one of these in turn, and see how these can help the hacker help himself.

CD-ROM Databases And Information Computers

CD-ROM databases, like InfoTrac and NewsNet, are computerized listings of periodical articles, updated monthly. Other databases are available with slants toward business news, census data and the like. Some libraries have CD-ROM encyclopedias, and many government depository libraries will have databases listing government publications available.

In a similar vein, I've seen libraries with computers (usually Macintoshes) set up with user-friendly programs designed to teach patrons how to use the library and to dispense other helpful advice. All of these computers are useful to the hacker only for the information they carry, due to the fact that they are set up on independent machines, without modems, and without access to telephone lines. They usually serve the single purpose of dispensing information on their specific topic.

Finally (this is rare and a bit odd), occasionally you will see a computer being used as a "register". As people walk into the computer room, office, or wherever, they sign into the computer with a name and ID number, and perhaps answer a few questions about themselves. The purpose of this sort of computer setup is to keep a timed and dated record of who uses the public facilities. Of course, unless a light pen or graphics tablet is used, signatures can not be collected and so their use for security purposes is lost.

Unlike databases and tutorials, there is a bit more you can do hacker-wise with a guest record computer, though not much more. One application might be to use the computer to see who else has been using the facilities. This information could be helpful if the facility in question is a computer room. You might be able to find exploitable patterns in computer usage by certain individuals, or an overall tendency for fewer people to be in the room at certain times, both of which are helpful to know, as we will see.

If the guest register program itself doesn't let you see who was there before you, try exiting out to the operating system and checking for relevant data files. This will be discussed in the upcoming section on general-purpose micros.

Access to CD-ROM databases and information computers is not usually of much use to the hacker. There are exceptions of course, and it's well worth investigating any computer of this kind that you find.
Public Access Terminals (PATs)

These are usually dumb terminals (although sometimes you see IBM compatibles) set up in libraries as electronic card catalogs. They have names like IRIS and GEAC. These systems allow library patrons to search for materials (books, magazines, videos) by various search restrictions; to see the current status of materials (On the shelf? Charged out? Overdue? Missing?); to place holds on items; to get library news, and other library-related functions. Often dial-in lines are available, especially at university libraries.

The challenge to the hacker is this: he knows there is a secret side to every library computer. How can he get into it?

Every library computer system is divided into two parts. There is the publicly-accessible catalog, and the private stuff. The private stuff (the secret side) includes procedures to discharge materials, get confidential patron information, add or alter fines, block library cards, etc. These private functions, used by library staff, must rely on the same database of information as is found on the PATs. (If the librarian checks out a book to somebody, the fact that the book is not present in the library must be shown on the public terminals.) Therefore, the functions that are available to the public are a subset of the entire library program. That is, the program the public uses to make inquiries on books is part of a larger program which includes higher managerial functions.

The two program parts are obviously separated, otherwise anyone could walk into the library and erase all the fines off their library card, or put $100 worth of lost items on an enemy's card. So, how is the public side separated from the private side? Take a guess.

Yup, a password.

Actually, it's usually a combination of two things: first, a hidden menu command, and then the password to authorize usage. Go to the main or earliest menu on the library system and try various commands like BYE, END, EXIT, X, XXX, SYS, SYSTEM, LATER, and OFF. Usually this kind of system will accept either three-character commands or single-character commands, but of course things vary widely as you go from one system to another, so vary your tactics accordingly. If something like BYE works, and you are exited from the public portion of the system, you will probably be asked to supply a password. Well, you know how to get passwords!

On the other hand, it may not ask for a password at all. Several library systems use bar code identification to determine who gets to go backstage. If your library card has a bar code on it, then it is possible that achieving system operator status relies not on uncovering a password, but on finding out some sequence of little black stripes. I have a story about this.
The Bar Code Hack

A certain academic library, close to my house, has dumb terminals and IBM compatible micros set up throughout the building for the public to use. The IBMs also have light pens attached. On those computers, patrons can access and change information about themselves, using the bar codes on their library cards for security.

One fine day I decided I wanted to hack the system. I knew from random trying that BYE from the Main Menu brought me to a screen that asked for my bar code number. Naturally, staff access was not allowed, so scanning my library card did nothing. I needed a staff card, preferably one with high access levels, like the library card of the library director, or some supervisor or someone like that.

I was not about to become a pickpocket to get a card. There was a better, more flexible, more hacker-like way of solving the problem. I would use computer technology to defeat the computer.

When you look at a bar code, you will generally see little numerals printed below the stripes. This is the number that the bar code is encoding. On a library card (or the bar code put on library books), the number is about sixteen digits long. There is an initial grouping which identifies the bar code as belonging to that particular library, followed by some zeros, and then a concluding seven or eight digits. This kind of numerical arrangement applies to your checkbook account number, and many other numbers used to identify you.

Now, the only part of the number that really matters is the last group of eight digits, following the zeros, since the library identification portion doesn't change from one person to the next. This meant that if I wanted to try a brute force entry of every bar code number until I found one with high access levels, I wouldn't have to try trillions and trillions of numbers, only a hundred million or so.

Naturally I wouldn't be able to type in those bar code numbers from the keyboard (and who would want to, anyway?). You see, the computers do not allow people to walk over and type in bar code numbers. If they did, then anyone who knew anyone else's code number could easily access the private records of anyone else. That meant, even if I found out the bar code number of the library director, I still wouldn't be allowed into the backstage areas of the library program. I would still need the director's library card.

A way you might be able to get around this is to scan your bar code, and look at what happens. Did the computer put a carriage return at the end of the number? If not, see if you can back up and alter digits. If a carriage return was added, try scanning your bar code again, this time sending a break or pause signal as soon as you do. You might be able to make the computer think it's receiving the entire bar code, although you will be able to change and add numbers to suit your needs. If you pushed Control-S to pause the bar code and it worked, try pressing Control-C and see if this stops it from reading in more digits from the scanner.

The bar code will be read in and placed on the screen rather quickly, so it may be difficult to stop it halfway through. If there's a printer attached to the computer, try sending output to it. This might slow down the bar code enough to let you break it at the right time. Also, if it is a computer you're working on (not just a terminal) there might be a "Turbo" button that you can press to take it out of turbo mode. If there is no button (but you know it's in turbo mode because there is a "Turbo" light lit up), there will be some way of disabling turbo mode through either the software (break into the DOS shell and see if there's a SPEED command or something similar), or through the keyboard (often something like Ctrl-Alt-Minus sign will take it out of Turbo).

Another difficult thing to do is to try giving the scanner only a partial or erroneous code. Occasionally bar code readers can be duped into thinking a bar code of a kind they're not supposed to be able to read is the correct type. Then the reader may read that code and stop halfway through, to wait for the rest of the input.

Lastly, if there is a way of accessing terminal parameter menus, by all means do so: often there is some sort of switch which toggles automatic sending of input, or the key code used to send input. By disabling the automatic send, you can manually input the bar-coded information.

All of these above suggestions imply that you have managed to get ahold of the bar code number of someone important in the library hierarchy, someone whose ID number you can use to access the rear end of the system. If you do happen to know the number, then you can try to print up a bar code for it, either by using bar code generating software, or by carefully examining bar codes until you have determined what thickness and pattern of lines are used to represent the different digits.

But I didn't have anyone's number. The purpose of my hack was to find one. So I had to find a way of using the light pen to scan in a hundred million bar codes that I didn't have, until one was discovered that could access the library program's secret side.

I could've used a bar code program to print out all of those different combinations of digits, but that would have been a huge waste of time and effort.

The light pen (also known as a "wand," "bar code reader," or "scanner") works like this. Light is emitted from an LED inside the pen, focused through a sapphire sphere (which acts as a lens) onto the bar code. The light is then reflected off the page, and now focused through the sphere onto a photo-sensor, which converts the reflected light into bursts of voltage. The electrical output of the photo-sensor is amplified, thus generating a signal proportional to the series of black and white lines of the bar code label.

The pen is attached to the computer either via some external box, or an internal card. This box/card decodes the on-off firing pattern of the voltage into usable ASCII characters. At the time of decoding, voltage corresponding to white lines is approximately 0.11 volts, and ... volts for the black lines. My plan was to send voltages into the scanner, making it think it was reading a bar code, when really all it was doing was being victimized by a clever hacker's brute force attack.

If you are programming a computer or signal generator to create fake codes for you, some fidgeting around might be necessary before you arrive at the correct numbers for that particular system. Also, the time it takes to generate a complete code will have to be adjusted accordingly: usually scanners will accept bar codes at up to 45 inches per second. Perhaps you can manage to locate appropriate technical manuals or some source code listings, or call up the company and ask to speak to a technician about what ideal values are for voltages and timing.

If it is a computer you are working with, rather than a dumb terminal, it is possible the bar code decoding program is memory resident. You might be able to circumvent that program, or trick it into reading input from a disk file you supply. A good idea would be to copy the contents of the fixed drive, then at home see if there's a way of making the scanner decoder think the keyboard is the correct RS232 serial interface to look at for input data.

Finally, remember that there will be a check digit at one end of the bar code, or both ends, although it will almost never be printed on the label itself. If the check digit is printed on the bar code label, study some sample bar codes and try to work out the method used to generate the check digit. You don't need to look at only bar codes on library cards (which you would probably have difficulty finding enough of); you can examine bar codes on books and come up with the same result.

For example, the check digit formula used by the Universal Product Code found on supermarket food packages is the following: 210 minus three times the sum of the alternating digits (starting with the separated digit to the left of the bar code), minus the sum of the remaining digits. The check digit is the last digit in your answer.
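The UPC-A arithmetic above, and the advice to work a check-digit scheme out from sample labels, as an added example (not code from the book). The first sample label is the one the book works through, 0 12345 67890 with check digit 5; the other three labels are constructed here and are valid under the same rule. `infer_weights` is my own illustration of what "study some sample bar codes and try to work out the method" involves: it tries every pair of alternating weights and keeps the ones consistent with all the samples. With only the first three samples two schemes survive, which is the practical caveat: one or two labels are rarely enough to pin down a check-digit rule.

```python
"""UPC-A check-digit arithmetic, as an added example (not from the book).
The first sample label is the book's worked example (0 12345 67890, check
digit 5); the other sample labels are constructed here. `infer_weights` is
an added illustration of working the scheme out from samples."""


def digits_of(label):
    """'0 12345 67890 5' -> [0, 1, 2, ...]; spaces are ignored."""
    return [int(c) for c in label.replace(" ", "")]


def book_formula(payload):
    """The book's formula over the 11 data digits: 210 minus three times the
    sum of the alternating digits (starting with the separated digit to the
    left of the bars) minus the sum of the remaining digits."""
    d = digits_of(payload)
    if len(d) != 11:
        raise ValueError("a UPC-A payload is 11 digits")
    return 210 - 3 * sum(d[0::2]) - sum(d[1::2])


def check_digit(payload):
    """The check digit is the last digit of the formula's result. The result
    is never negative (the largest possible 3*54 + 45 = 207 is below 210),
    so 'last digit' is simply the value modulo 10; 210 is just a multiple of
    10 big enough to keep the subtraction positive."""
    return book_formula(payload) % 10


def verify_label(label):
    """True when a printed 12-digit label's final digit is the right check digit."""
    d = label.replace(" ", "")
    return len(d) == 12 and d.isdigit() and check_digit(d[:11]) == int(d[11])


def infer_weights(labels):
    """Given several valid 12-digit labels, return every (odd_weight, even_weight)
    pair in 1..9 under which odd_weight*odd_sum + even_weight*even_sum + check
    is a multiple of 10 for all of them. The answer should shrink to {(3, 1)},
    the UPC rule, as more samples are added."""
    sums = []
    for label in labels:
        d = digits_of(label)
        sums.append((sum(d[0:11:2]), sum(d[1:11:2]), d[11]))
    return {
        (wo, we)
        for wo in range(1, 10)
        for we in range(1, 10)
        if all((wo * o + we * e + c) % 10 == 0 for o, e, c in sums)
    }


# Sample labels: the book's worked example, then three constructed ones.
SAMPLES = ["0 12345 67890 5", "036000291452", "123456789012", "100000000007"]

if __name__ == "__main__":
    print(book_formula("01234567890"), check_digit("01234567890"))
    print(infer_weights(SAMPLES[:3]), infer_weights(SAMPLES))
```

The weight search is deliberately naive (alternating weights only); a scheme that weights every position differently, or works modulo 11 as some library and ISBN numbers do, would need the same idea applied to a bigger candidate space.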

Figure 6. The UPC check digit system. The initial digit may appear in either of the spots marked with a 0. The subsequent digits are placed under the bar code, with the check digit appearing in either of the two places marked with a check mark. The UPC check digit formula is:

    210 - 3(a + c + e + g + i + k) - (b + d + f + h + j)

For this sample bar code, the formula is:

    210 - 3(0 + 2 + 4 + 6 + 8 + 0) - (1 + 3 + 5 + 7 + 9) = 125

The last digit of the answer is 5. Thus 5 is the check digit.

Back to the target of my attack, that academic library near my home. The light pen at one of the computers was attached with a telephone-style modular clip. It could easily be removed. I bought a receiving jack of appropriate size and used a cable to connect it to the modem port of one of my smaller portable computers. Then I modified an auto-dialer program to spit out bar code numbers in the range needed. I was all set.

A few days later it was Saturday, and it was a gorgeous day. I had expected to pull off this stunt on a Sunday because I'd seen the results of a user survey which indicated that fewer people came into that particular library on Sunday than any other day of the week, and the last thing I needed was a bunch of onlookers. But it was such a beautiful day I figured everyone would be at the beach. I was right; practically no one was there.

I detached the light pen from the library's computer and connected the plug into my portable's jack. I typed BYE, which brought me to a prompt which asked for my bar code before it would allow me to go backstage. Then I started the program running. It worked fine; the program was sending bar code numbers through the modem port and into the light pen cable. The library's computer had no way of knowing that the data it was receiving was not coming from an actual bar code.

I closed the cover of my little portable, and hid the whole thing under a newspaper. Then I sat there and read a magazine while it went through the numbers.

After a while it did find a bar code number associated with a privileged account, and I was able to change the status of my own library card to a virtual superuser. That was great in and of itself, but having superuser status allowed me to go one step further. Since I now had access to patron records, I could find out the addresses, phone numbers, student IDs, social security numbers and birth dates of everyone with a card at that library. This meant I had background information on virtually every student at the school, and every professor and staff member. I could also find out what books were checked out to people, and therefore the subjects and hobbies that interested them.

Using all this information it was a simple task getting into many network accounts I should not have been able to get into otherwise.

Hidden Commands

Whenever you're hacking any public terminal of this type you have to remember that it's common to have different levels of security for potential users of the system. With each level, the various commands may or may not appear listed in the menu, although you may still be able to activate them via an inadequacy in the program. If a menu (let's say a library's) is given with options ranging from one to four, try five! And six... and zero too. Always try Z, Q, X, and other "weird" letters and anything else that has a possibility of working. There may be mnemonics used which, on your own, you would never think of trying. So you must therefore try everything you can. What I mean is, PATs allow you to enter these three-letter commands to do different things: INQ (to make an inquiry on a book), NEW (to get new user information), and PAT (patron information, to find out about yourself). Naturally the system doesn't only support those three commands. There are dozens of other commands that you simply don't know about.

Try things like CON, ILL, CHG, DIS and other three-letter combinations (or whatever number of characters is appropriate). On some systems, all commands are three characters except for one called NEW USER or RECALL or something. If that's the case, then you know the computer will support commands of more than three characters. Consequently, you should try longer commands as well. The commands I've chosen above are abbreviations for CONversion, InterLibrary Loan, CHarGe and DIScharge, respectively. Before I told you what ILL stood for, you may have been wondering how the word "ILLness" or "I Love Lucy" could have anything to do with a library. But ILL happens to be a very commonly used abbreviation.

It may not be enough to try these unlisted commands just once; sometimes you can have the program display an error message once or twice, and then suddenly crash out of the system or enter private territory. I grant you, usually you won't find that programs have been so badly coded as to allow misuse, but you'd be surprised at the number of bugs that do go unnoticed by the authors and testers. This is especially true of early program editions. Also, remember this: there are many functions you may not think would be on a library computer (or whatever computer it is you're working on).
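The weakness this section relies on is a menu that hides commands from lower privilege levels while the command parser still runs them. The following is an added example, not code from the book, contrasting that design with one that checks the level at dispatch; the command set (INQ, NEW, PAT, ILL, CHG, DIS) follows the page, while the two privilege levels, the handler bodies and the audit list are assumptions.

```python
"""Menu hiding versus authorization at dispatch.  Added example, not the
book's code.  Command names follow the page; the privilege levels, the
handlers and the audit log are assumptions."""
from typing import Callable, Dict, List, Tuple

PUBLIC, STAFF = 0, 1

# command -> (minimum level required, handler)
COMMANDS: Dict[str, Tuple[int, Callable[[], str]]] = {
    "INQ": (PUBLIC, lambda: "book inquiry"),
    "NEW": (PUBLIC, lambda: "new user information"),
    "PAT": (PUBLIC, lambda: "your own patron record"),
    "ILL": (STAFF,  lambda: "interlibrary loan"),
    "CHG": (STAFF,  lambda: "charge item"),
    "DIS": (STAFF,  lambda: "discharge item"),
}


def menu(level: int) -> List[str]:
    """Commands shown on screen for this level.  Hiding entries is a
    usability measure; it is not what keeps a public user out of ILL."""
    return [c for c, (min_level, _) in COMMANDS.items() if level >= min_level]


def dispatch_weak(level: int, cmd: str) -> str:
    """The flawed design from the passage: the menu hides staff commands
    from the public, but the parser runs whatever it recognises, and the
    level argument is never consulted."""
    if cmd in COMMANDS:
        return COMMANDS[cmd][1]()
    return "ERROR: unknown command"


AUDIT: List[str] = []   # stand-in for a real audit log (assumption)


def dispatch_checked(level: int, cmd: str) -> str:
    """Hardened form: the privilege check happens at dispatch, the
    rejection is recorded, and a forbidden command gets the same reply
    as an unknown one, so guessing reveals nothing about what exists."""
    entry = COMMANDS.get(cmd)
    if entry is None or level < entry[0]:
        AUDIT.append(f"level={level} rejected cmd={cmd!r}")
        return "ERROR: unknown command"
    return entry[1]()


if __name__ == "__main__":
    print(menu(PUBLIC))                     # ['INQ', 'NEW', 'PAT']
    print(dispatch_weak(PUBLIC, "ILL"))     # runs anyway: the flaw
    print(dispatch_checked(PUBLIC, "ILL"))  # ERROR: unknown command
    print(AUDIT)
```

The audit list is the detection side: a burst of rejected three-letter guesses from one terminal is exactly the "try everything" behaviour the text describes, and it is visible only if rejections are logged at the dispatcher rather than silently swallowed.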

Figure 7. To fool the PAT into believing you are feeding it bar codes, first (a) remove the light pen from the computer. Then (b) plug the jack into a receiver that is connected to your laptop via the communication port. You can then output bar codes through the comm port, straight into the PAT.

If you're trying to break into a system you know nothing about, it's more than likely they'll use codes and abbreviations that are related to their field. Consequently, ongoing research is a must.

One United Kingdom system uses things like LCO and LIN for Library Check Out and Library INquiry. Also, due to certain overseas privacy laws, staff members are not supposed to access patron accounts to see personal information like addresses and phone numbers, and what books are checked out to patrons. This poses an obvious problem to the librarians who MUST know how to contact people who refuse to return borrowed items (and, for countless other reasons, must know what items people have borrowed), so the people who wrote this library program installed a command that is invisible to EVERYBODY, even library employees. Pressing "X" at the book inquiry screen will access a patron inquiry mode. This is something that the library staff obviously knows about and uses, but is not supposed to have even heard of.

Anyway, the point is this: dumb terminals often include exits to controlling programs. You can access these secret parts by either issuing an exit command (a "trap door") and entering a password, or by entering a hidden menu item or command statement. Access may also be unintentional and due to an error, as with a program that lets you in even though you are not situated at a valid terminal, or have not entered the password.

It is also advisable to turn off the terminal, wait ten seconds, then turn it on again to see what happens. Some terminals respond to various combinations of Ctrl, Shift, and Alt. (Sometimes Alt is labeled "Compose Character" because if you keep it pressed down while typing out a number 0-255 on the numeric keypad on the right side of the keyboard, the corresponding ASCII character will be produced.) Also look at the function keys, and combinations of Shift, Ctrl, etc., with the function keys. Try various other control codes like Escape, Ctrl-C, Ctrl-X, Ctrl-Q, Ctrl-G, Ctrl-Break, etc. You can never tell what's going to do something, or if anything unusual will happen at all. But sometimes you can get pleasantly surprised.

College PATs

There is also another kind of publicly accessible terminal, one easily found in the computer rooms of any college. These are different from the information-dispensing ones found in libraries in that these are meant to be used solely by authorized users: people with accounts and passwords on the system. You should try the different function and control keys on these terminals, too. This isn't likely to get you anywhere, but often you can use various control codes to access parameter menus or change screen colors. Press ? or type HELP and see what commands are available to you.

Most colleges run an information system, possibly connected with the library system, which gives you information on such things as student activities, phone numbers, office hours, campus news, and might also allow you to connect with other college information systems around the country, or possibly federal or state systems. It should be a trivial matter to find out if a public information system is present on the system you're using, and if so, how to access it. If you don't know, call up the computing department and ask. (Remember to ask for the dial-in phone numbers, too!)

Generally you will be able to use telnet or other networking protocols to connect with computers all over the campus, country, and possibly, the world. However, to do so will more than likely require you to login as a registered user first. This section deals with some techniques hackers have used to uncover passwords and IDs through the use of public access terminals at colleges. Here's story #1.

Doing It The E-Z Way

Barry, a computer enthusiast from Las Vegas, Nevada, used a quite easy way of finding out info without any programming skills or special equipment.

At the university Barry attended, there was a computer lab that had Macintoshes set up in the center of the room and terminals around the perimeter. He had his own account on the system, but he wanted to do some serious hacking. He knew if he tried anything logged in under his own name he might end up in trouble. All he needed was some measly low-level account from which he could hack without risk.

The public terminals at his school worked like this. Available commands or menus were displayed on the screen with an underline where the user would input his choice. You could move around on the screen with arrow keys and type elsewhere, but when you pressed Send, only the characters written in the space where the underline had been would be acknowledged.

Barry went to the main menu of the information system. He used the arrow keys and space bar to erase all the text on the screen, then proceeded to reproduce the login screen that was used to access the mainframe. At the bottom, he put the appropriate prompt...

ENTER NAME/PASS IN FORM nnnnnnnn,pppppppp

...with an underline of appropriate size placed at the bottom, and positioned the cursor at the beginning of the underline. He switched the Caps Lock key on, and he shut off all the other terminals. Then Barry took a seat at a Mac near his prepared terminal, and waited.

Everyone seemed to want to use a Mac that day. He had to wait more than an hour until a person finally came in to use a terminal. As Barry had hoped, that person walked straight for the one that was already powered-up. From Barry's position at the Mac he could easily see what the person typed in.

As you can imagine, when someone uses the actual login screen, the computer covers up passwords with asterisks. The woman who was using the terminal did not seem to realize that anything unusual was going on as she typed her vital data. When she pressed Send after her password, she got the usual beep of disapproval (because she had pressed Send without entering anything in the space that was supposed to be used for commands, which Barry had erased). The computer redrew the information system main menu, and the woman, surprised, logged in again and went about her business. Another computer user, who had sat down beside her shortly after she entered the room, commented, "They've been acting weird all day." Barry was elated; on his first try, with almost no effort on his part, he had a name and password and could do all the hacking he wanted to without having it traced back to him. Plus, the bit of strangeness he had caused was being blamed on unrelated system malfunctions.

There are many variations of this tactic that should also be considered, depending on the nature of the command system, the terminals used, layout of the room, etc. You will want to adjust your strategy accordingly.

Some terminals allow you to change screen color. I've worked a ploy similar to Barry's on one such terminal. First I erased the screen and typed up a fabrication of the login screen. But it wasn't an exact reproduction: I put my underline one line below where it normally would be. Then I moved the cursor over to the place on the screen where commands were supposed to be entered (above my fake underline). I used the color-change function key to make the characters entered next appear in the same color as the background. I typed "log-on." It was black letters on a black background, so only I and the computer knew it was there. Then I repositioned the cursor at the beginning of the underline, used the function key to change the text color back to bright white, and took a seat on a nearby armchair.

I didn't have to wait long. About twenty minutes later a group of people came in, and one sat down at my terminal. Unfortunately, he saw the screen, thought someone else was using the terminal, and he got up to leave. I told him, "No, no one's using that one." So he reset the terminal and proceeded to log onto a totally different system!

A couple hours later I got luckier. I set up the terminal again and took my position on the chair, pretending to study a numerical analysis book. After a long while a guy sat down, typed in his name/password combination and pressed Enter. All this I was easily able to see. But the computer couldn't see what he was typing because he hadn't entered it in the special input space. The computer only recognized my hidden (black-on-black) "logon". The computer then connected to the ungradx machine, and asked for the user's identity. The user, thinking he had made a typing mistake, entered them again. I was already out of there, as I had the information I needed.

This will only work with systems that allow you to enter all login codes on a single line, and on machines with certain appropriate capabilities or setups. There are plenty of things that can go wrong with this ruse, but for the small investment of time to set it up, then who-knows-how-long of waiting, it's worth it.

If you try this, remember these tips: Do what you can to make reading the screen from a distance easier. Switch on the Caps Lock key if it helps. Brighten up the screen if you're able. Tilt the monitor a bit to reduce glare from your viewing angle. And if possible, select large fonts. Before you choose your waiting spot, make sure that when a person sits down in the chair, his or her body won't be blocking your view. While you're waiting, keep yourself busy to avert suspicion, but don't get so involved that you miss your quarry.

Another slightly involved way is to use a text editor to simulate the login screen. If you don't have an account on the system, and therefore do not have access to the e-mail text editor, there is probably a "Send Comments to Sysop" section in the public information system that you are able to access. You would probably want to use a public editor anyway, to avoid having this evil-doing traced back to your ID.

One way of using a text editor to simulate the login screen is to write up a document such as this:

>login
Enter Name:
Enter Password:

Above this you may want to have the tail end of a commonly seen menu, list of commands, or a body of text one normally sees when turning on the terminal. You position the document so the last line visible on the screen is "Enter Name:". You put the cursor right after the colon, and turn off the Insert key, if there is one.

A person sitting down at the terminal will think someone else before him typed in the "login" command. He will type in his name and press Enter. Pressing Enter scrolls the document up a line, making it look as though the computer is asking him to enter a password, which he then does to your utter bliss, because you are sitting there watching this unfold.

There are some problems with this method (and all these E-Z methods, actually). What if the first person to sit down doesn't want to log onto his account? Or what if he makes a typing mistake which goes unnoticed until after he presses Enter? In both cases your little deviltry may be found out. There's always the possibility that some guardian of the computer room will switch off any terminals he sees left on needlessly, and then all your work might be lost. Additionally, if you're doing this on a university terminal that has access to lots of different computers, there might not be a reasonable way to set up the screen.

The above two methods are examples of what's called "shoulder surfing."

Shoulder Surfing

Shoulder surfing is when a hacker looms over the shoulder of a legitimate user as that user logs onto a computer system. While the user types, the hacker watches the keyboard to pick up the password as it is entered. Remember, most login routines will not display the password on the screen, so you must look at the keyboard to get any useful information.

Pure shoulder surfing can only be done under certain circumstances, such as if you are legitimately helping the user with a problem and you have to stand there for the user to show you what's wrong. Most of the time you will not be able to just stand behind a person without drawing suspicion to yourself; you will have to rely on more crafty inventions.

A strategically placed mirror, in the upper corner between wall and ceiling, can do the trick. It must be small enough to stay put with duct tape, but big enough to be read from a distance.

Binoculars are frequently used by calling-card number thieves to illegally obtain people's code numbers, thus enabling the thieves to make free long distance phone calls. You can do the same to read passwords off keyboards. It might be necessary to tilt the keyboard to a specific orientation to better enable you to see what is typed. If the keyboards have kickstands to prop them up, make sure you use them before you take your stalking position.

You might have to do your watching outside, through a window. Before you do, make sure you won't be visible to those inside. Even at night you will be easily seen through the glass if the building has outside lights. Do some detective work before hacking; go into the computer room and see how visible someone outside the room would be. Perhaps you can partially close the blinds or drapes, to further shield yourself from view.

Finally, think about this. Perhaps you don't need any of this advice at all. Over the past two weeks, every day that I've visited a certain school's computer rooms, there was at least one instance where I would switch on a terminal and find it stuck inside somebody's account. Apparently the account owners didn't know that shutting off the terminal does not log them out of their account. Occasionally I would find more than one terminal left in a logged-in state. It was a hacker's paradise!

Doing It BASICally

If you have an account, or if you go into the computer lab and find someone else's account logged in and abandoned, you can write a simple BASIC program to simulate the login procedures, then leave it running. Here is a very simple example:

10 PRINT "Welcome to Y University Computer Network!"
20 PRINT
30 INPUT "Name? ";N$
40 INPUT "Pass? ";P$
50 REM Now store these two variables in a file
60 REM and logoff from the account, giving an error
70 REM message. Or, use the inputted data to have
80 REM the program login to the system.
90 REM Finally, delete this program.

Remember to program in necessary time delays, if it usually takes a few seconds for commands to register. Also remember to have the program print asterisks (or periods, or dashes, or whatever's appropriate) on the screen instead of the user's password.
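The terminals found still logged in after being switched off are a session-hygiene failure that an administrator can detect and time out. Here is an added example, not code from the book, that flags idle sessions from output in the shape of `who -u` (user, line, login time, idle column, PID); the sample lines and the 30-minute threshold are constructed for the demonstration.

```python
"""Flag login sessions left idle, parsed from `who -u`-shaped output.
Added example, not from the book.  The sample lines are constructed and
the threshold is an assumption."""
import re
from typing import List, Tuple

# Constructed lines in the layout `who -u` prints: user, tty, login
# time, idle ("." = active in the last minute, "HH:MM", or "old" for
# more than a day), and the session's PID.
SAMPLE_WHO_U = """\
alice    tty1         2024-03-02 09:15   .          1234
bob      tty2         2024-03-02 08:02  02:41       1301
carol    pts/0        2024-03-01 10:30  old         1420
dave     tty3         2024-03-02 10:50  00:07       1502
"""

LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<date>\S+ \S+)\s+"
    r"(?P<idle>\.|old|\d{2}:\d{2})\s+(?P<pid>\d+)"
)


def idle_minutes(field: str) -> int:
    """Convert the idle column to minutes ('.' = active, 'old' = over a day)."""
    if field == ".":
        return 0
    if field == "old":
        return 24 * 60
    hours, minutes = field.split(":")
    return int(hours) * 60 + int(minutes)


def stale_sessions(who_output: str,
                   max_idle_minutes: int = 30) -> List[Tuple[str, str, int]]:
    """Return (user, tty, idle_minutes) for every session idle past the
    limit.  Lines that do not parse are skipped rather than guessed at."""
    found = []
    for line in who_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idle = idle_minutes(m.group("idle"))
        if idle > max_idle_minutes:
            found.append((m.group("user"), m.group("tty"), idle))
    return found


if __name__ == "__main__":
    for user, tty, idle in stale_sessions(SAMPLE_WHO_U):
        print(f"{user} on {tty} idle {idle} min: candidate for logout")
```

Run periodically against real `who -u` output this gives the list the text's "guardian of the computer room" needs; the lasting fix is an idle timeout enforced by the login shell (for example the `TMOUT` variable in sh-style shells) so that powering a terminal off cannot leave a session behind.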

Figure 8. An example of a menu on a public computer. Tricks can be used to break free from the menu, then either alter the menu or the application programs to collect private user data.

Sometimes commands are available to users before logging on, like allowing them to see who else is currently logged on. You may or may not be able to program phony responses to a user's queries. The program doesn't have to be extremely elaborate, however, as most users will probably just sit down and login right away. You might want to sit around in the computer room awhile and look to see what commands get used the most, so you will be able to program simulations of them.

After the user is done typing his name and password, the program should store the information, and exit out of your account. If you wrote the program in another person's account (like the ones I mentioned finding logged in already) then the program will have to transmit the data to you somehow.[1] After all, once you log out of that account, you won't be able to get back in again. On the other hand, the operating system might allow you to save the file in your own directory if given the right access codes, or if you can make your own account temporarily less secure, allowing others to write to your directory.

Hacker security is very important; you never know what superuser is spying on your activities. Therefore, it would be wise to encode volatile information like other people's passwords before they get stored in a file in your personal directory. I use a simple code, such as storing 13 + ASCII code of each character, with every other number stored being random. So for the name/password combination SMITHERS/RANGERS my program would store 96 90 86 97 85 82 95 96 / 95 78 91 84 82 95 96, with random numbers between each of these numbers. An expansion of these ideas is found in an upcoming chapter.
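The storage scheme just described, written out as code, shows what it does and does not protect against. This is an added example, not the book's program: it reproduces the numbers given in the text for SMITHERS/RANGERS, and its decode routine needs no key at all, because the shift is a constant and the padding always sits at the odd positions; the padding range 0-255 is an assumption the text does not state.

```python
"""The '13 + ASCII, random number between each value' scheme from the
passage, with the matching decoder.  Added example, not the book's code;
the padding range is an assumption."""
import random
from typing import List


def encode_shift13(text: str, rng: random.Random) -> List[int]:
    """Store ord(ch) + 13 for each character, with a random number
    between consecutive real values, exactly as the text describes."""
    out: List[int] = []
    for i, ch in enumerate(text):
        if i > 0:
            out.append(rng.randint(0, 255))   # padding; carries no data
        out.append(ord(ch) + 13)
    return out


def real_values(values: List[int]) -> List[int]:
    """The data-bearing positions: every even index, once the layout is
    noticed (which takes one look at a short sample)."""
    return values[0::2]


def decode_shift13(values: List[int]) -> str:
    """Recover the text.  No key is involved: subtract the constant."""
    return "".join(chr(v - 13) for v in real_values(values))


if __name__ == "__main__":
    rng = random.Random(7)
    stored = encode_shift13("SMITHERS", rng)
    print(stored)                 # real values interleaved with padding
    print(real_values(stored))    # [96, 90, 86, 97, 85, 82, 95, 96]
    print(decode_shift13(stored)) # SMITHERS
```

The point for the "superuser spying on your activities" scenario is that anyone who can read the file can run `decode_shift13` on it: a fixed offset plus predictable padding is obfuscation, and the superuser the passage worries about is exactly the reader it fails against. Only a cipher keyed by something the file does not contain changes that.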

Hardware Methods

One thing I've done is to take an old, unused terminal I found hiding in a basement storage facility, and wire it up to a portable computer. At about four in the morning I smuggled the thing into the computer lab, and replaced a terminal that was already there with my own, connecting the cable to the portable. I hid the portable under the table. It was a wooden table with an over-hang. I used an electric stapler to make an old pair of cut-off jeans into a pouch that hung down from the underside of the table, and I enclosed the portable within it. I had the portable programmed to save on disk the first ten characters that appeared after "Username:" and "Password:". Basically, the portable acted as a monitoring device, working between the terminal and the mainframe. It worked well. The only thing that didn't work out was when I replaced the computer room's original terminal a week later. The guy thought I was trying to steal it.

There have been hackers who've taken old terminals, opened up the plastic casings, and hidden little computers inside the terminals! There was not enough room in the terminals I was using to do that, but in certain situations that would be a preferable thing to do. Make sure the computer you put in and any wiring associated with it stays separated from the internal goings-on of the dumb terminal. When hackers hide portables in this way, they are generally putting their computer inside an otherwise hollow, bulky base of the terminal.

General Purpose Microcomputers

Now we come to the third type of Public Access Computer from that list I gave several pages back: the General Purpose Micro. I'm going to be talking here about IBMs and MS-DOS machines, although nowadays we're seeing more and more Macs out in the open for public use. Of course, all techniques I discuss can be translated to any computing environment.

Let's say you call up your local library and make an appointment to use a computer there, for word processing or business or whatever. Ordinarily these are non-network machines, although if there's more than one they may be connected to the same printer, or to some other peripheral. At colleges, the word processing software may be on a non-writable disk or on some sort of mainframe or minicomputer. There are also businesses set up now where people can go to rent time on a computer to type up their résumés or reports, and have them printed out on a good quality printer. Set-ups such as these can be exploited to the hacker's benefit.

Breaking Free

The first thing you'll notice is there's some kind of menu system on these micros. The people who run the joint don't need some snot-nose kid coming along and formatting their hard drives or leaving behind obscene messages, so certain protective devices are used to guard against such activities. It is generally a trivial matter to get out of the menu program, even though its very existence (at least partially) is to keep you from doing just that.

If the computer is turned on already and at the main menu, look on the screen for any indications of commands that shouldn't be there, such as "Alt-X to Quit." Try it; does it work? You might exit the menu, only to get a message like this: "Error! Press any key to return to Menu." What happened is this: when the computer was first turned on in the morning, the menu system was called up by the AUTOEXEC.BAT file. By typing Alt-X, you have been returned to the AUTOEXEC.BAT shell, and are experiencing the next line of that BAT file. Simply Ctrl-C your way out of there.

Even if it doesn't say on the screen how to leave the menu, you will want to try various function keys, the Ctrl-Break key, the Escape key, and different combinations of Alt and Ctrl with C, X, and Q.

Often menu systems will have you enter a password before allowing you to exit to the operating system. If this is the case with the one you're hacking, by all means try various passwords, starting with blank lines, the name of the building or company, and other obvious work-related and business-like words.

Computer systems are at their weakest when they're moving from one program to another, so try choosing a menu item and using Ctrl-C as soon as it's selected. Actually, for best results you should repeatedly tap Ctrl-C and the Ctrl-Break key simultaneously.

If none of this works, turn the computer off, then turn it on again and see if you can Ctrl-C or Ctrl-Break your way out of the AUTOEXEC.BAT startup procedures. Alternately, you should have your own program disk ready to boot. If both of these tactics fail, use the menu system to run the various programs listed and see if any of them have an escape to the operating system. For WordPerfect, you can shell out with Ctrl-F1. Wordstar allows shelling or single commands to be entered with Ctrl-K, F.

[1] Methods to covertly transmit data are discussed in the chapter "What To Do When Inside."
Freedom Means Free Roaming

Once you are able to exit the menu system you will be able to explore the computer. If there are lots of computer-wise people around, or people looking over your shoulder, or people in charge running all over the place, then you'll want to get back to authorized sections of the computer ASAP so you're not discovered in the private parts and thrown out of the building.

My recommendation is to copy everything relevant to your cause onto floppies, then take them home to examine them at your leisure. This is akin to the burglar who steals the entire unopenable safe so he can work on it in his basement with noisy power tools and blow torches.

Copy the AUTOEXEC.BAT file and the menu system first of all, and any directories you find containing files with BAT, DOC or TXT extensions; miscellaneous disk utilities (especially public domain-type programs); security, maintenance, or updating programs; anything having to do with telecommunications; memory resident programs; other explanatory text files.

Especially if the computer's on a LAN, there may be a D: drive, F: or H: or an L: drive, or some higher-lettered drive that you wouldn't ordinarily even think of looking for. Check for hidden files and directories. Copy them, too, if you find any. Also see if any files have been deleted, and try to recover them if they appear applicable to your needs.

Depending on the situation (the computer, the place of business, other relevant factors) you may or may not find anything on the computer. Often it's worth hacking a public computer like this just for the thrill of getting by security measures. However, the computers are often so poorly protected that even this thrill is a minor one.

Many times I've found public domain and shareware utilities that I'd never seen before, so it's worth doing this just to see if you can pick up anything new along these lines. You may even pick up some valuable programming hints or ideas; some of the batch and script files you'll find can be impressively complex.

Another thing that's common is to find in-house programs on the system: things like employee schedulers, databases, or other programs that are not available for public use, and are reserved for use by the managers of the business or library.

If the computer has telecommunications or networking abilities, there may be handy phone numbers or sign-in protocols you will be able to use.

If you have encountered prompts for passwords in your exploration of the computer, try to find out where the master list of passwords is stored on the disk. One time I broke out of a public menu program in a special library, and after looking around awhile, found a carefully hidden file called PASSWDS. I typed it to the screen and was surprised to find a list of about six user names, along with passwords, addresses and other personal information for each name. Naturally I was overjoyed, but to this day I haven't figured out why they were there. I tried those names on all the systems in the area without success. I tried fingering the people ("finger" is a UNIX command that allows you to look up information about system users) on the major computers, to no avail. The people listed in the file seemed to not exist anywhere I looked for them! Perhaps someone was just using the file as a test or demo, or on some other computer system... but then why was the file hidden away so well?

Sometimes you will discover red-herring clues of this kind, trails that seem to lead nowhere. It's all part of the nature of being what you are. Hacking is frequently a matter of intense research, with the goal being to establish a hypothesis, a question that needs answering. Once you have decided on a question ("Will this password list work on the Raamses 3?" "Does the President of Moroll Corporation have a secretary with system access?"), then you can do higher level research and try to answer it.

When you go out on a public hacking expedition, you'll want to be prepared by taking along your PACK: Public-Accessible Computer (hacking) Kit. This kit should include:

Plenty of blank, formatted disks, in both 3½" and 5¼" sizes, so you can quickly copy the menu's security programs. Make sure these disks are the proper density for the drives you will be using.

Auxiliary programs, such as superzappers and other utilities. You will also want to bring any special programs you have written (such as menu simulations, as discussed in the next section).

Public domain programs are available to shut off the internal speaker. This can be useful if you're hacking a computer that lets out a loud and suspicious beep every time a wrong password is entered.

Tools: A Swiss Army knife is good, or at least bring a little screwdriver. Very often, especially on CD-ROM workstations, you will find locks or covers placed over the disk drives to limit access. A large, unbent paper clip is handy for hacking Macs. If you have to leave in a hurry, you can slip the end of the paper clip into the hole next to the disk drive, and your disk will pop out. That's often the fastest way to eject a disk.

Menu Simulation And Other Sneakiness

For protection and simplification purposes, just about all general-purpose public computers will boot up to a menu program. There are three fruitful programming ideas the hacker can employ with these: altering the menu program, altering the private system, or creating your own simulation.

Menu programs will have a menu-editing option. This allows the people who maintain the menuing computers to create menu categories such as "Business Programs," "Word Processing," and the like, and add and edit the programs available for public use. The way to work menus to your advantage is to use the editing feature to add or change an option that will appear to be taking the user into an area where a password is required. However, what the menu will really do is take that user to a program that you wrote, that simulates an environment the user is familiar with. The user innocently enters his user ID and password (which your program stores), then an error message is given and the user is returned to the menu. Later, you can go to where the computer hid the passwords and IDs, and retrieve them for your personal use.

The first question is, how does one edit the menu?

The menu-editing feature may be part of a secondary program, such as INSTALL.EXE or SETUP.EXE. You may also be able to do editing directly from the menu program itself, by pushing a function key or control code.

Problems start arising because you were not meant to be able to change the menu setup on publicly available computers. The menu-editing feature may have been eliminated once the menu was set up, or a password might be required to do anything. Maybe you can re-install the program, recreating the present menu from scratch, while putting in your own additions (to be discussed soon, hold your horses!). Alternately, you might be able to use a text editor or superzap program to change the file where menu information is stored. If you start getting error messages when you try to change the file, the ATTRIB command might have been used to "lock" the file. Just type "attrib filename -r" to unlock it (on MS-DOS systems).

son doing the editing must supply a short phrase


that will be displayed on the screen. He then must
choose a file to be executed when that phrase is selected, possibly providing a drive path, and other

In other situations, the "Telecommunications"


option will bring the user to a commercial terminal
package such as ProComm Plus or SmartCom.
it is easy to make your own fake version of
one of these programs. But there is a catch. When
the user enters your fake terminal program, he will
select a phone number from the list, and attempt to
dial it. He will be awfully suspicious and confused
if the speaker is on and yet no dialing sounds come
out of it! (Remember, you somehow have to make
the program appear to dial out, so you can then
simulate the network that is called. Then the user
will enter his password thinking he has actually ac-

Again,

cessed the network.)

The most reasonable way to solve this dilemma


to have the program give an exotic error message

information.

is

Suppose you want to infiltrate a university


computer system. Your initial target is a public
computer with word processing, spreadsheet and
telecommunications abilities. When someone sits
down and selects "Telecommunications" from the
menu, he or she is either connected to a host server,
or asked which computer he or she would like to
connect to. Then the connection is made.

like:

That's

What

what it's going to look like is happening.


happened was that when the user

actually

pressed "T" for "Telecommunications," the

menu

ran a program that you snuck onto the system,


instead of actually connecting to the network.

The program you put on should look like it's


doing whatever normally happens when someone
For

example, it
might prompt for which computer the user wants
to connect with, and then pretend to connect to that
computer. Your program then presents the name
selects

"Telecommunications."

and password prompts, and saves those lovely


words to disk!
Next, you can have the program give an error
message and return the user to the main menu, but
that looks suspicious and will cause the people in
charge to take a closer look at their computer setup.
You'll be better off having your little simulation
program being called from a batch file. When it's
through executing, have the next step in the batch
make a real connection to the system. It might be
possible to have the batch file feed in the name and

Operating Error 2130 Line Noise Interference.


Shut off your speaker and try again.
:

Of course,

message should closely conform


messages that the terminal pro-

this

to the other error

gram actually puts out.


Once the user shuts off the speaker, the program can then pretend to dial out, and give the
standard login screen for that network. The name
and password is taken and quietly stored to disk,
and then an error message is given and the user is
logged

off.

You may want

to have the computer just put a


garbage and random characters on the screen

lot of

after the

look

name and password

realistic

we've

all

like the

are entered.

kind of

Make

it

line noise that

gotten at one time or another

but make

excessive. The user will be forced to log off almost immediately. If he doesn't, or if he tries doing
anything, just have the computer display the standard "Logged off. Good-bye!" message. It may be
possible at that point to have the computer load the
real terminal program, so it will look like nothing
it

very unusual has occurred.


It is unusual to find commercial terminal packages on public computers, mostly because that
would lead to people coming in and placing calls to
halfway around the world. But offices and busi-

nesses might have them, so consider these ideas

when you think about hacking on-site.


go back to the menu program.
The menu program might not be a commercially available one. It might have been designed
in-house, or in an interpreted language such as BASIC, or for some other reason the source might be
readily adjustable. The program might be just a
Let's

batch

file.

any of these are the case, you will be able to


change the menu program itself, either
by building subroutines that store names and passwords, or by adding a telecommunications option
if one is lacking.
The final variation on the menu ploy is to compose a simulation of the menu. That is, if you are
not able to change the already-existing menu, you
will have to write a program that looks like the established menu, but with your own embellishments on it.
If

effortlessly

It

gram.

can take a while to replicate the


If

the

menu

uses pop-up

menu

windows you

prowill

have to write routines for screen dissolves, or program-in windows that explode open and implode
to a close. You will have to carefully take note of

and special characters displayed, how


program handles invalid data, and other
peculiarities of the menu.
While the programming may be difficult, you
are better off using your own menu because that
screen colors

the actual

make

easier to hide the captured

passwords

and other goodies that are the goals of

this project

will

it

in the first place.

Hiding Your Goody Basket


All of the above menu methods, as well as many of the techniques explained earlier regarding simulating network login sequences and capturing keystrokes, result in a file being saved to disk. There are two things you have to worry about: that your file will be discovered, and that your file will be read. Let's look at how we can prevent both of these from occurring.

The thing is, since most of this takes place on public computers, anyone at all may locate your precious files. This includes the people who run the computer labs, those who fix the computers, other hackers, and the oh-so-curious general public. It also includes the computer itself.

Most public computers you encounter will have a self-cleaning routine installed. Weekly, monthly, or perhaps every night, the computers will have all their old data files erased, to keep room on the drives for new material.

Most public word processing computers have notes attached that beg people to bring their own disks on which to save their work, but there usually is a special USERS directory, or some other area where anyone can save files. The cleaning program is used to clear away old files from this directory. The program will often scan the rest of the drive, clearing away files that users have stored in other directories. Often on public computers you will see dozens of empty directories scattered about; usually these directories have human names to them. These are private directories that people made for themselves in the hopes that other users wouldn't read or delete their files, never realizing that their files would be deleted by the computer. Often the cleaning program is too dumb to recognize that the directory, too, should be deleted.

Before you put your altered menu program or whatever onto a public computer, you must do some experimenting to see what kind of cleaning system it has, if any. There's no sense in spending hours on a project only to have it erased soon after it's implemented.

If a cleaning program does exist on the computer, you should have it copied over, along with everything else, from your initial investigation of the computer. Take a look at the program; there will be plenty of ways to defeat it. The cleaner probably has a data file that holds information on which directories it should examine, what should be done with the outdated files it detects, what calendar date constitutes "oldness," and other pertinent variables. You may be able to use this file to your advantage by adjusting it so that your own special directory or program will be ignored by the cleaner.

If the computer activates the cleaning program automatically, your explorations might lead you to find the trigger that sets it off and causes it to delete certain files and not others. For example, the cleaning program could be connected with a logoff function, so that before the computers are shut down for the night, the drives are scanned and unwanted files are removed. The cleaner could also be activated as part of a start-up routine, or a regularly-performed maintenance check. In any case, a careful exploration of the files on the system will reveal the pattern they follow. Once you find the program that sets the cleaner off, you will be able to make alterations to your own file so that it is ignored, rather than deleted.

Often the cleaning program is an all-or-nothing monster that wipes out everything in its path as it crosses the hard drive. However, there are considerate versions that only delete old files. You can get around these gentler kinds by writing a simple program. Here is an example of an MS-DOS batch file that changes the date of your hidden goody basket (a text file called "filename" in the example) to one far in the future. Append this batch file to the end of the AUTOEXEC.BAT, or to the point in the system's maintenance routines directly before the cleaner is activated. Your file will never be erased.

    echo off
    ctty nul
    date < command1 > temp
    edlin temp < command2
    date 12-31-1999
    edlin filename < command3
    edlin command1 < command3
    edlin command2 < command3
    edlin command3 < command3
    date < temp
    del temp.*
    del *.bak
    ctty con

For this to work, you need to make up three auxiliary files. Here we are calling them "command1," "command2," and "command3," but you would want to name them something more innocuous. "Command1" contains a single carriage return (Control-M). "Command3" is a file containing only the letter e. "Command2" is a bit longer:

    2d
    1rCurrent date
    1rSun
    1rMon
    1rTue
    1rWed
    1rThu
    1rFri
    1rSat
    e

The batch file works by using the "date" command to change the date to December 31, 1999. EDLIN is invoked to save the password file (containing the goods), and the three auxiliary files, under this new date to protect them. Finally, the date is returned to normal. Note that MS-DOS can be set up to display the date under various formats. You might have to alter the batch file and "Command2" if your target computer is set up in an irregular way. Also, realize that "temp" is a common filename. You would do best to use something exotic in your own program.

AUTOEXEC.BAT files get changed often, and a batch file like this sample is bound to be noticed by the maintenance staff. To keep your coding discreet you may want to keep this and similar batches in a separate file far away on the hard drive from the AUTOEXEC.BAT. At the point in the AUTOEXEC where your Trojan batch would have been executed, you can use the DOS "call" command ("call BATCH.BAT" will execute your Trojan and, once it's done, return to the AUTOEXEC batch file). Your batch file can be suitably camouflaged as described below, and there is now only one imposter line in the AUTOEXEC batch for a maintenance worker to notice.

Also remember that under certain operating systems, such as MS-DOS, the "ATTRIB" command can be used to make filenames invisible in the directory listing ("attrib FILENAME +h" turns on the hide factor). ATTRIBing a filename is not really secure, as there are many ways someone can either accidentally or purposely find out about invisible files on a hard drive. But eliminating the name from the directory certainly does much to halt the casual discovery of your Trojan files.
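A defender-side counterpart, added here and not part of the book: a sweep an administrator of a shared machine can run to find the traces this batch trick leaves behind (a file stamped with a date in the future) and the over-deep directory chains described later in this section. Function names, the depth and clock-skew thresholds, and the sample tree are this example's own choices.

```python
"""Sweep a directory tree for two cleaner-evasion indicators described in the
chapter: files whose modification time lies in the future, and directory chains
nested deeper than legitimate use ever needs.  Example code, not the book's."""
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def sweep(root, now=None, max_depth=8, clock_skew=3600):
    """Walk `root` and report every path matching one of the two indicators.

    now        -- reference time, seconds since the epoch (default: time.time())
    max_depth  -- directories nested deeper than this many levels are reported
    clock_skew -- seconds of ordinary clock drift tolerated before an mtime
                  is called "in the future"  (threshold chosen for this example)
    """
    if now is None:
        now = time.time()
    root = os.path.abspath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = 0 if dirpath == root else dirpath[len(root):].count(os.sep)
        if depth > max_depth:
            findings.append(Finding(dirpath,
                                    "directory nested deeper than %d levels" % max_depth))
            dirnames[:] = []        # already suspicious; no need to descend further
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                mtime = os.stat(full).st_mtime
            except OSError:
                continue            # vanished or unreadable; skip rather than abort
            if mtime > now + clock_skew:
                days = (mtime - now) / 86400.0
                findings.append(Finding(full,
                                        "modification time %.0f days in the future" % days))
    return findings


def build_sample(base):
    """Construct a sample tree (for demonstration only): one ordinary file, one
    file stamped five years ahead, and a twelve-deep chain of "dir" directories."""
    os.makedirs(base, exist_ok=True)
    with open(os.path.join(base, "report.txt"), "w") as fh:
        fh.write("nothing special\n")
    planted = os.path.join(base, "AFGRAB4.OVL")   # naming pattern taken from the chapter
    with open(planted, "w") as fh:
        fh.write("constructed sample content\n")
    future = time.time() + 5 * 365 * 86400        # five years ahead
    os.utime(planted, (future, future))
    deep = base
    for _ in range(12):
        deep = os.path.join(deep, "dir")
    os.makedirs(deep, exist_ok=True)
    return base


def demo():
    """Build the sample tree in a fresh temporary directory and sweep it."""
    sample = build_sample(os.path.join(tempfile.mkdtemp(), "public"))
    return sweep(sample)


if __name__ == "__main__":
    for f in demo():
        print("%-60s %s" % (f.path, f.reason))
```

On the sample tree the sweep reports exactly two findings: the future-dated AFGRAB4.OVL and the ninth "dir" level; report.txt is left alone.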

Things To Watch Out For


I'm going to list a few things to be careful of when you implement a program of this kind. My remarks will be directed toward this program in particular, but they are far-ranging enough to be applicable to just about any program like this that you hide on a system.

First, make sure EDLIN is there, as well as DEBUG, TREE and other external DOS commands. They may not be available on the computer you are using, and you can end up with a mess on your hands, and discovery of your intentions. When you attempt to copy these files you may find that the DOS directory has been write protected. In that case you may have to put the necessary commands in an alternative directory. This might expose them to the ravages of the clean-up program. If the cleaner does delete these external commands you will have to figure out some solution to get them onto the disk and protect them from the cleaner. (This batch only works on text files, of course; EDLIN will mess up binary files.)

The clean-up program might use some other criteria which helps it decide which files to save and which to throw away. You will have to use similar programming techniques to thwart its advances accordingly.

Second, you will have to make sure beforehand that the EDLIN file is in the PATH. What that means is, for a particular file to be executable, it must either be located in the current directory, or in a directory that has been predefined (usually by AUTOEXEC.BAT) as a place for the operating system to look for files to execute. This is no problem if EDLIN is in the DOS directory, but it is something you could easily overlook, especially if it is in the special USERS directory or some other writable directory. (If so, just add a PATH or CD statement before the first EDLIN command, or add the directory to the PATH you had already in AUTOEXEC.BAT.)

Also notice before installing any programs: will there be enough space on the disk? Enough memory? Does the program try to create the temp file in a locked directory? Does a file named "temp" already exist? How about "Command1," "Command2" and "Command3"? (If so, change the names to unusual or unfamiliar ones.)

There are alternate ways to use this program. Instead of having the date-changer execute before the clean-up program, it could be run every time the password file gets updated. Though it takes a few seconds to run, and that time might be enough to noticeably slow down the user's application program. Recall that this program is meant to be used in conjunction with some sort of Trojan horse you've installed; the horse itself will slow down the computer somewhat already, and the combination of the two programs might be too much to go unnoticed.

If there is no special clean-up program, the hard drive will be cleaned by an actual human being. That human being might not be clever enough to look outside the designated USERS directory, but you have to act as if that person is as clever as you. Anyhow, you never know who else is using a public computer, so you will have to take measures to hide your precious password files from view. Here are a few suggestions:

Place the files in an obscure directory or in an unreachable one. Confine yourself to an unusual or unfamiliar directory. Change the hidden-file attribute so that the file is not listed in the directory.

Try this experiment. Put the following commands into a batch file:

    :Start
    mkdir dir
    cd dir
    goto Start

and then execute it from the root directory. After sixteen nestled directories named "dir" are created you will get an error message. Press Control-C and look at what has been created. You will find that it is impossible to make any more directories within the innermost directory; there's a limit to what the computer has been programmed to handle. However, you can use a disk management utility or your own system calls to prune and graft many more directories inside the deepest one. Those grafted directories will be impossible to see or access from the DOS shell. If the clean-up program uses the DOS command TREE to scan all the directories, it will crash or freeze once it gets to those illegally nestled directories you put there. You don't want that to happen: that would lead to discovery of your secret files hidden within that directory. Accordingly, this trick requires that you have the programming prowess to write prune-and-graft programs on your own. Your Trojan horse would have to be able to move the data file from its protected position, then back again afterward.

One thing you are certainly DOS-sophisticated enough to handle is to camouflage the files you want to protect within their directories. DON'T use filenames like SECRET.PSW or HACKER.HA! Use a bit of creativity when naming them. Go into one of the applications directories and see if there are any patterns to file namings. If you see, for example, that a spreadsheet has files named AFGRAB1.OVL, AFGRAB2.OVL, AFGRAB3.OVL, then name your files AFGRAB4.OVL, AFGRAB5.OVL, etc. Do you think anyone will bother to look at them then? You might want to split up the files, putting each in a separate directory; don't forget to specify the proper drive paths in the batch file that uses these files.

Trojan horses on public access computers can be an excellent way to slowly-but-surely collect passwords for your enjoyment. However, all will be for naught if, when you come back the next day to see what you've reaped, all of your files are gone. Protect yourself, and your handiwork.

Keep in mind as you read about these special programming tricks, that I'm not implying you should actually sit out in the open and edit menus or sift through files looking for passwords. Never do that! You must always first make a preliminary examination of the computer as I described earlier. You will have already copied over the important and unusual files in this initial exploration of the computer, and you should have the entire menu program at your disposal. At home and at your leisure, you can write the programs necessary for this kind of hacker attack. Then, once you've finished the programming and editing required, you can go back for a second session at the public computer, this time secretly installing your mutated versions of their programs onto the system. This reduces the amount of time you will have to spend in a public place doing questionable things to somebody else's computer. It also reduces the chance of error in the things you do.

You must be especially careful with computers that are meant to be used only for short periods of time. Guest registers, as described earlier, are used for the few moments it takes for a person to enter his or her name and identification number. You will look extremely suspicious fiddling around there for forty minutes, taking notes and inserting disks.

It is not the other users you have to be wary of: they couldn't care less about you, and if anything, will probably mistake you for someone who works in the building. Depending on where you are, you might not even have to worry about being caught by the office or lab managers, computer aides, or whatever the official designation is for the people in charge. If it's a college computer lab being monitored by one or two students, they might be curious, but won't pry as long as you don't stay longer than you're supposed to at the computers. It is almost never a good idea to come right out and admit you are snooping around for the express purpose of gathering data to be used in hacking. A comment such as, "Oh, I just wanted to see how they did this batch file," or some other appropriate explanation, is a good enough excuse for most such people.

Some computers are public; many more are private. That is the topic of the next chapter.


Chapter Eight:

On-Site Hacking:
The Trespasser-Hacker

In the previous section we discussed methods of exploring publicly available computers, but there is another side to on-site hacking. It is one that you might think would be best left to spies and thieves, but one that you can actually participate in yourself. I'm referring to the on-site hacking of, not public computers, but private ones. Basically, I'm referring to trespassing.

It is risky and possibly dangerous to walk into a company headquarters and simply start using the computers you find there. But it's also thrilling! It is an electrifying experience to first maneuver one's way into a restricted place and then, while there, to explore both the building itself and its computer system.

You might think it would be virtually impossible to do this, but more often than not it can be an easy thing to do. For example, security expert Robert Farr, in his book The Electronic Criminals, explains how he penetrated the "heavily guarded company headquarters... [of] ...a well-known office machine company" to win a bet. Farr also tells an anecdote of his entry into a vault at the Bank of England: "There I was standing inside a vault containing millions of dollars with a bewildered look on my face, wondering what to do next."

Farr did this with prethought, planning, and sometimes blundering. You can do it too. In some ways it is easier to enter large organizations like these than the local insurance office or small business.

Sometimes, on-site hacking is a necessity. In many situations, computers will not be connected to outside phone lines. More secure setups might use some facet of the hardware to validate authenticity. You might have to use a particular kind of terminal or modem, or install a certain security chip to access the system. In these cases you would have to hack on premises. Furthermore, reverse social engineering often requires admission to the computing site. Hacking is about computers; there are lots of reasons why a hacker will need to be able to touch and see those computers in person.

Wherever you go, you will often have cameras, guards and possibly biometric devices (see below) to deal with. All of these can make it tough for a hacker to get close enough to even touch a computer on site, let alone infiltrate it.

Closed-Circuit Television

My home computer broke a little after 5:00 p.m. one night. I called up the store where I bought it, trying to reach the service and repair department. Nobody answered the phone. Finally I spoke with someone in the computer department who assured me that people would be in the store until 9:00 p.m. to deal with my broken computer. So I drove over there, lugged my computer downstairs to the repair department and guess what? The place was empty.

The door was open and unlocked, the lights were on, thousands of dollars worth of broken appliances were lying around, and there were two of the store's terminals up and running. All I had to do was step behind the counter and I'd be able to see what made them tick. But surely someone was there? I rang the bell. I yelled for assistance. I walked behind the counter and into the back areas of the shop. The place was absolutely devoid of life. And there were those two terminals there....

The only thing that stopped me from fooling around with them were the hidden security cameras I spotted. Now, as it turns out, I did some checking around the store until I managed to find a room that appeared to house the viewing monitors associated with the store's security cameras. Naturally no one was paying any attention to them, so I went back downstairs, closed the door behind me, and had my way with those terminals. Even though the monitors were not being watched, it was good that I had seen those hidden security cameras. You, too, should be wary of such things when you attempt to hack on private property.

The correct terminology for security cameras is Closed-Circuit Television, or CCTV. Both black & white and color transmissions can be sent over privately owned cables from distances of a few feet to hundreds of miles. Usually black & white is used, as it is less expensive and color is generally an unneeded feature. No licensing is required for most private CCTV installations, so given the relative cheapness of the technology, such security measures can be found in many settings.

The cameras employed may be either openly visible or hidden (as my department store cameras were). Another approach is to place an empty camera frame in an obvious location, while hiding an actual camera in an unusual spot. A trespasser will then cringe from the dummy camera, straight into view of the well-placed real camera. Dummy cameras may also be used to give a false sense of high security, when in reality only a few, or maybe no security precautions are in place. If you see some cameras visibly panning back and forth, but one or two remaining stationary, it is likely those motionless ones are either broken or fake.

Many cameras, especially ones used out-of-doors, will be contained in some sort of housing. This housing may be a conventional metal box, or one more suited for covert surveillance. For example, cameras are often placed in housings made to resemble a light fixture, smoke detector, loudspeaker, or utility box. Cameras may also be placed behind grillwork, pipes, or a one-way mirror, or hung from the ceiling inside a translucent plastic dome.

If you are trespassing you must be aware that hidden cameras exist, but you shouldn't necessarily try to seek them out. After all, you don't want to give a camera a full-frontal shot of your face and body. You're better off, when walking where you oughtn't, to walk tall and proud, but don't stare at the corners or ceilings of rooms. If a shape protrudes from a wall or ceiling, pay it no mind; it won't do you any good to stare.

Note that many surveillance systems are not all that great. Images picked up may be fuzzy, dark, full of shadows, and generally hard to see. Others, however, give perfect views of a point or an area within the camera's range. Concealing a camera may hinder its usefulness. Placing a concealing grillwork in front of a camera will result in a loss of detail in the images the camera picks up. Hidden cameras are more likely to be stationary and focused on a single point, such as an entrance or exit, or a particular point in a hallway.

You often see cameras outside buildings, near rooftops or over doorways. These will be protected from the elements with suitable housings, sunshields, fans, wipers, and/or defoggers. Outdoor cameras are often contained in a white or aluminum housing with vents on the sides. If they are outside, they will have night viewing capabilities, and so you may be detected even before you enter the building. I remember walking across the lawn of a Johnson & Johnson building one rainy night, and as I got closer to the building, I looked up to see two guards with their faces pressed against the glass, staring at me.

If you absolutely must trespass a building or its property to get to its computers, try to go at night during a thunderstorm. Visibility will be poor, you can use your umbrella as a face-shield, and if you get chased away they will be reluctant to chase you very far.

system user. Finally there are retinal pattern recwhich look at the pattern composed by blood vessels in the eyes. These too have
been shown to be reliable in their accepognition systems,

when user complicity is high.


point out the flaws in these systems so you
will get a feeling for what it must be like to work in
tance/rejection rates
I

a building where you're required to get your eyescanned every time you want to walk through
a door. Or imagine being in a place where you have

balls

speak foolishly aloud to switch on the computer.


first few times it may be seen as a novelty, but
soon these gadgets become another ho-hum part of
office life. Add to that the time delays these devices
cause, the frustration when they don't work properly, the feeling of subservience that comes from
having to remove gloves and glasses, speak distinctly into a microphone, present a clean hand, or
hold one's face immobile, and you will find a
bunch of people who
even under the strictest of
to

The

Biometric Systems
Controls based on personal characteristics are
the ultimate in

they

work

computer access control

properly.

Known

when

as biometric systems,

these devices limit access to a

computer or the

computer room by verifying physical attributes of a


person. A biometric system may look at any one of
these individual traits to verify user identity: fingerprints, voiceprint,
print,

handwritten signature, palm

security conditions

are sick of the

hand geometry, or retinal patterns.

Unless there

Biometric systems are costly to implement, but

they are not always as accurate as television would have one believe. For example, a legitimate user's voiceprint may be rejected because of a change in voice pattern or voice speed due to illness or stress, or because of interference from outside noises. One system I tested would occasionally offer responses to the noise my finger made as it scratched the microphone! Similarly, finger and palm print technology can be thrown for a loop due to cuts and scratches on the hand, dirt on the hands, bandages and blisters, or scrapes in the glass tray on which a user places his finger or palm for scanning. Signature and handwriting analysis systems sometimes fail to pick up nuances in pressure, style and velocity; people do not always write their names the same way every day. I imagine this would be especially true for someone rushing into the computer room to print out a report three hours past deadline. Hand injuries could also make a person's signature look different.

Hand geometry devices, those which measure the length and translucency of fingers, don't seem to have much going against them, although again a Band Aid or scraped machine tray could easily cause the rejection of an otherwise legitimate user.

Unless there is some incentive for workers to use these biometric devices, for example if their time cards will be punched depending on the time they register in, or if their actions are being monitored by guards, unless there is a motivation to follow the rules, you know very well that everyone is going to try their hardest to break them. People like showing how friendly they are. People like to show that they are not a part of the stupid bureaucracy that runs the place; they like holding doors open for strangers. They don't even mind allowing others to use their own clearance to gain access to a room. Nobody wants to look like she is so caught up in protocol that she has ceased being a human being! And after a while, people don't like that their humanness has been reduced to a digitized picture of their thumbs, or the snaky red rivers in their eyes; the whole damn thing!

So, you will sometimes find these costly machines turned off and unplugged. You'll find garbage cans placed in the doorways to prevent them from shutting anyone out. You will find helpful, smiling personnel who will open doors for you and hold doors open behind them to let you through even when they've never seen you before in their lives.


Look what has happened here, and what does happen: the most effective way of ensuring user legitimacy is overthrown by the users themselves. Well, that's good for you, the hacker. Don't abuse the access that has been offered you by being malicious in your explorations of the facilities you find laid out before you.

Always A Way

Think about the enormous amount of power government possesses over us. Think of the billions of dollars it can spend to pry into our lives, to photograph us, record our movements and our daily activities. Think of all the expertise available to such a powerful entity. Anything that government, or big business, or anyone in power for that matter, wants to know about, wants to happen, or wants to change, will become known to it, will happen, or will be changed.

When we start to think about all the covert actions going on around us, and all the myriad ways in which we don't even know we are being manipulated or spied upon, we begin to think of government agencies as unbreakable, unstoppable... unhackable. And even if we think we have a chance at hacking it, we know we will end up in prison. But all of that is simply untrue!

Government agencies are limited in what they can do and in what they know. You only have to look as far back as Operation Sun Devil a few years ago, when Steve Jackson got his games taken away because they were thought to be a menace to society. Sure, the Secret Service and the FBI may be powerful, but maybe they are feeble-minded too.

We read about all these scary spy gadgets that have been developed that can read our lives like a README.DOC. We hear about the "impenetrable" government computer systems that have been set up, and we are scared away because they sound so hermetically protected. For example, we know that any transmission of an interesting nature has a 100% chance of being intercepted. Therefore, all those spy guys in Washington have set up ultra-secure network links in an effort to protect their valuable secrets. Their most safeguarded lines are fiber-optic cables buried deep below the surface of the earth and sealed in gas-filled pipes. These are strictly isolated systems: no connections to outside phones or computers, so no hackers can gain access by dialing in. Even if a hacker were to discover where the (unmarked) underground lines are, and even if that hacker were to manage to dig down undetected, and cut open the pipe to tap the cable, the drop in gas pressure instantly sounds an alarm. This is heavy protection, and sounds like it would be impossible to hack, especially when you realize that even if there were some way to get at those lines, you still need various levels of permissions, passwords and access codes to reach the highest and most secret classifications of data.

But think again. Never forget that behind every complicated system, there is nothing more than some human beings. And what are human beings if not fallible? In the case of this seemingly impenetrable system, we can imagine the humans who sit night after peaceful night, watching their TV monitors, waiting for the alarm to sound that signals a breach. They're probably asleep more often than awake, especially if the temperature and humidity is high in their work area. If ever the alarm did sound, they probably would ignore it, or wouldn't know what to do. Or they would take a quick look out the window and go back to sleep.

Even if the guards did go out and check the wires to make sure everything was okay, do you think they would continue checking them after five or six false alarms? "The boy who cried wolf" trick always works, especially on a dark and stormy night. No guard is going to go out sloshing through mud and rain to investigate an intruder he knows won't be there. There is always a way. Don't be fooled by first appearances. And here are some more ways you can beat the security:

Acting For The On-Site Hack

On-site hacking requires some acting ability: the ability to act like you have a valid reason for being where you shouldn't be and undertaking questionable activities while there. There's nothing difficult about this; just pretend you own the place. Strut down the center of hallways holding your head high. Smile and say hello to the people you pass. I learned this trick in school, where we needed hall passes while classes were in session if we wanted to leave the classroom. All throughout junior and senior high, I never got stopped once by a teacher or hall monitor for not being in class, simply because I acted as if I was on some official mission for the principal. (It helped that I was a "good kid.")

So do your best to keep your cool. Have a reasonable story prepared in case you are stopped and questioned, and try to tell it without fumbling for words. Here's a hint to help you do that. After rehearsing a story in your head for the umpteenth time and finally repeating it aloud to a security guard, the quickness with which words come to your mouth may seem to you to be too well-prepared, too fake to your ears, and you start throwing in "uhhmm"s and "uhhhhh"s to slow yourself down. Don't do that; it sounds really bad and it takes away from your credibility and sincerity. Talk at a normal pace. Say your prepared script without worrying if it sounds fake. And throw in some company insider lingo or gibberish to give yourself an extra believability edge.

Piggybacking

There are two kinds of piggybacking. Electronic piggybacking is dialing up a computer and finding yourself connected to the account of the last person who logged off. Physical piggybacking is using another person's access to gain entry to a computer or computer room.

One way of getting in at hospitals, offices and other buildings which require the insertion of a magnetic card to gain access is to stand around and wait for someone with access to open the door for you. Many offices stay open late at night and on weekends, for people who need to come in to clean or work overtime. I especially like going into big office buildings on Sundays. Just wait around outside until you see a car pull up, then time yourself so you will be behind the employee as he or she heads toward the door. Let the person unlock the door and hold it open for you. If you can get in, the whole building is yours for the asking. There may not even be a maintenance crew around to get in your way.

The thing is, though, you have to plan ahead to be successful at this and not arouse suspicion. If you're going to try piggybacking your way into an office building, dress like an office worker. Perhaps carry a briefcase or a lunch bag.

I know these things are possible because I have done them. I spent last week at the regional headquarters of a large bank, doing temporary work for them. From the moment I drove into the parking garage I was inundated with all sorts of warnings about security measures. First there were the signs hanging up in the parking garage about how my car would be towed if I parked there without a hangtag. A guard was sitting in a little booth near the entrance of the place. I went over and explained to him that I was a temp worker and I didn't have a hangtag. He told me not to worry about it, that they don't really tow cars unless there is some problem with them, like if they are double parked.

Then I went into the building, up to the seventeenth floor, and came out of the elevator facing a locked door that required a magnetic card to get in. A sign informed me that I was supposed to buzz the receptionist and have her open the door for me, but there was no receptionist sitting at the desk. I waited a few moments until an office worker approached the door from the other side, held it open for me, then went on his way.

The entire week I got in and out of the office without a security card, and in fact later on I even found a concealed door that allowed entrance to the same offices, without a key or card of any kind. So you see, piggybacking, the use of another's legitimate access to gain entry into a building or computer, is an on-site hacker's best friend!

Other Successful Tricks & Antics

There have been hackers (and thieves and spies) who dress as one of the maintenance crew to get into a place and get closer to the computers there. Grab yourself a ladder and a can of paint, and see if there's any work you can pretend to be doing. This sort of impersonation works best in large companies where no one will question you, because everyone assumes you're there because someone else wants you there. As long as you act like you belong, you will be accepted.

One hacker/spy completely re-wallpapered the employee lounge while learning codes, names, and procedures over a five day period. You may not have the stamina or the patience to invest in a scheme such as this, but similar actions can be worked effectively on a smaller scale. Besides, you may find that you're suited to being a delivery boy or sandwich girl for a few days.

You can gain access to dozens of offices by signing up at a few temporary agencies. Then, even if the jobs you are assigned don't take you near a computer you will be able to later use your temping as justification for a return visit to the site. That is, you wouldn't necessarily come out and tell people you're there on another temporary assignment; you would let them think it, meanwhile roaming freely around the building.

Cubicles are great. I love cubicles! Because once you're in one of those gigantic gray ice-tray rooms, you have the entire area to explore: no locked doors and lots of corners to hide behind. If you ever trespass into an office of cubicles, you can roam from one cube to the next, finding passwords taped to ink blotters and stuck to walls. You can find pictures of kids, people's names, hobbies, etc., from which to guess more passwords. You can easily eavesdrop and find out inside dope on people, as well as shoulder surf with ease. Yes, to a hacker, those yucky gray cubicles can be wonderful!

Sometimes you will be trying helplessly to hack an on-site computer, but for whatever reason the data you type refuses to be entered. Note that on some terminals (or computers), non-standard data entry keys are used. Thus, instead of pressing Return or Enter following a command, you type F1, or Home, or Insert. I know, it's crazy, but I've seen it.

On-site hacking doesn't only have to imply the hacking of computers behind closed doors. In airports one can often find unattended terminals. Step behind the counter and you can hack until you're chased away.

Before concluding this section on the hacking of private and on-site computers, I want to touch on an area that is connected to the subject by a tenuous thread.

Electronic Passive Computing

I don't like to use the term, but active computer hacking can be thought of as a "sport," or a game that is to be won by the hacker. That's the way many hackers view this activity of hacking: as an intellectual exercise in which the hacker tries to out-think either the computer, the user, the Goliath corporation, or the computer designer. Passive computing, or "lounging," is like watching a sporting event on television, rather than going out to the field and playing the game yourself. Passive computing is the act of eavesdropping: monitoring computer usage and surreptitiously collecting the information that is transferred.

In seventh grade I was amazed, the first day of my intro to computers class, when the teacher told us that each of our Apple computers were connected to his. Thus, by a flick of a switch he could send any of our screens to his computer monitor, to make sure we did the work we were assigned and didn't goof off. He was screening our screens! Some paranoid bosses do just that to their employees today, to make sure they do the work they're assigned.

Actually, it's no great technological feat to connect two or more monitors to the same computer and switch between them. If you have access to the computer your target will be using, you can attach an RF adapter to the back and secretly run the cable to another monitor or television set. Then sit back and watch as what occurs on your target's screen unfurls on yours. You won't get to see your target's password, since it will be covered by asterisks, dots or spaces as it is typed, but you can get other information this way. This is a good technique if your target has a lot of encrypted files for which you don't have the key. Monitoring your target like this will let you read whatever he reads; and if he decrypts his files, you get to read them, too.

It may not be possible to sit down close to the target at your own monitor and watch. You may have to attach a broadcaster to the RF connector, and listen from outside the building with a receiver, which in turn is connected to a viewing screen.

If you hook up a VCR to your monitor, you'll get a hard copy of your target's activities. It may even be possible to directly connect the VCR to the computer your target will be using. If you do so, it is best to have a remote way of turning the VCR on and off, so you don't record while the computer is idle. If the target has a regular schedule you can simply program the VCR to tape at a certain time.

Chapter Eight: On-Site Hacking: The Trespasser-Hacker

There's no law saying all screen output has to go to a screen, if for some reason you can't use any of the above techniques. An alternative is to have information sent to a printer buffer. Make sure that either the printer is fast or the buffer is large. Otherwise the target's computer will slow down tremendously and he won't know why. Also, of course, the printer has to be located far away from the target, preferably in another room or another building entirely.

As an example of one limited way in which this can be accomplished, consider the "print from keyboard" option found on many word processors. "Print from keyboard" causes that several thousand dollar machine to act like any old junky typewriter, printing characters directly as they are typed on the keyboard. While your target slips away from his word processor for a coffee break, you can slip over and activate the "print from keyboard" feature. From then on, anything further he types within the program will be sent to the printer. As I said, this is of limited use, but it shows one more way that even impromptu situations can be exploited by the computer-knowledgeable investigator.

By pressing "Shift-PrintScreen" on any DOS computer, the "print from keyboard" mode will be activated. However, if the printer is not ready, the system may hang up.

Another option is to make use of monitoring software which is commercially available, or write some yourself, to satisfy your own personal needs. Managers of offices routinely spy on their secretaries, data entry clerks and other computer operators through the use of software which stores key presses. Other monitoring software keeps track of which programs are being used and how, often time-stamping such information as well. Doing this form of research does not, as you might at first think, necessitate going back to your target's computer to see what keystrokes have been recorded. I hot-wired one such keystroke-capturing program to print a weekly report to a hidden directory. When secretly installing the program (visiting the site, posing as a confused user who had a virus-attacked disk that needed repairs), I also altered the computer's startup file which executes upon login. I altered it to look for that hidden report on certain days and e-mail it to me through an unknowing third party. Now I get weekly reports on one poor system manager's every last keystroke!

I didn't think of it at the time, but it would've been a good idea to add a few lines to the startup batch to look for the existence of a piece of mail from me containing a few key words which would signal the program to remove all incriminating files and program lines from the computer. You might ask, "Why would you need such a thing? Don't you have the guy's password and everything from reading those weekly lists of his keystrokes? You can delete the evidence yourself." Good question, and actually I do have his password, but it took a long time to get it. You see, the keystroke-capturer can only go into effect once the user has logged in and the startup file is executed; by then there is no need to enter one's password. (You can tell that even though I put a lot of thought into this hack, there were a lot of things which I didn't ever consider before the actual results started coming in. Hacking often involves making assumptions and then seeing how one's assumptions were wrong.) It took awhile, but eventually I did get the password, when the system manager invoked a second sub-shell within his logon.

As an example of passive computing which is really very active, in that hacking is required, it might be reasonable to log on to a network and use programming to direct the target's output to your own terminal. If you have the target's password, the host computer would have to be tricked into allowing the same user to be logged on twice simultaneously. Additional programming might be required if the computer refuses to send the target's output to your screen, or if the target is getting your output.

If you have a password other than the target's, some programming could send the target's screen to yours, or yours to the target's (if you want to get into simulation). On UNIX systems, you would be thinking in terms of altering already existing programs such as TALK or WRITE to get the job done. These two programs induce a link between two separate accounts. Any time two accounts are joined, there is a potential for misuse of that linkage. But these programs are written with security in mind; the hacker's job is to rewrite the programs, eliminating the security measures.
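The "same user logged on twice" trick above is exactly what a session audit can catch, since a legitimate user rarely holds two interactive logins on different terminals at once. Below is an added detector (mine, not from the book) that replays constructed login/logout records in an assumed format and flags a second concurrent session for an account; the log lines and the record layout are invented for the example.

```python
"""Flag a second concurrent login on an account that is already logged in.

Added example, not from the book. The record format is assumed for the
illustration (one event per line):

    <ISO-8601 timestamp> <LOGIN|LOGOUT> user=<name> tty=<terminal>

Real systems keep this in utmp/wtmp or an auth log; only parse_record()
would change for a different format. Note what this does and does not
see: a new interactive session on a second terminal is reported, while a
sub-shell started inside an existing session produces no login record at
all and so is invisible here.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    user: str
    when: datetime
    new_tty: str
    existing_ttys: Tuple[str, ...]   # sessions the account already held


def parse_record(line: str):
    """Split one record into (timestamp, event, user, tty)."""
    stamp, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(stamp), event, kv["user"], kv["tty"]


def find_concurrent_logins(lines) -> List[Alert]:
    """Replay login/logout events in order and return one Alert for every
    LOGIN that arrives while the same account still has an open session."""
    active: Dict[str, Set[str]] = {}
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        when, event, user, tty = parse_record(line)
        sessions = active.setdefault(user, set())
        if event == "LOGIN":
            if sessions:
                alerts.append(Alert(user, when, tty, tuple(sorted(sessions))))
            sessions.add(tty)
        elif event == "LOGOUT":
            sessions.discard(tty)
    return alerts


# Constructed sample: the system manager is on the console when a second
# login for the same account appears on a pseudo-terminal. clerk1 logs out
# before logging in again, so that account raises nothing.
SAMPLE_LOG = """\
# constructed records for the example
2024-05-06T08:58:12 LOGIN  user=clerk1 tty=tty3
2024-05-06T09:01:45 LOGIN  user=sysmgr tty=console
2024-05-06T09:14:03 LOGIN  user=sysmgr tty=ttyp2
2024-05-06T09:20:00 LOGOUT user=clerk1 tty=tty3
2024-05-06T09:21:30 LOGIN  user=clerk1 tty=tty5
2024-05-06T09:40:00 LOGOUT user=sysmgr tty=ttyp2
"""


if __name__ == "__main__":
    for a in find_concurrent_logins(SAMPLE_LOG.splitlines()):
        print(f"{a.when:%Y-%m-%d %H:%M:%S} {a.user}: new session on {a.new_tty} "
              f"while still logged in on {', '.join(a.existing_ttys)}")
```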

Tapping the phone line or intercepting microwave transmissions are always open options, or bugging the phone if the modem is coupled to it. Then you get the added bonus of hearing the target's voice-phone conversations as well. Printer, modem, monitor, and other computer cables can also be tapped to good effect. One nice method is to tap the modem line, making a recording of any modem calls that take place. You go home, call the number that the tapped computer called, and play back the recording for the remote computer to hear. Remember, the high-pitched squeals and cries in the recording you made will include that lawful user's access codes. Your goal will be to synchronize the playing of the recording with the remote computer's prompting. If you can get it right, you get yourself in.

You know, once someone gets their computer plugged in and set up, it is only on very rare occasions that they ever look at the backside or underneath it again, especially since they probably have a messy tangle of cords running out the back, an office cleaning staff to keep it dusted, and the back of the computer pushed against a wall. That RF adapter or extra wire coming out will all surely go unnoticed for a long while.

If you like to watch television while you use your computer, you may have noticed something funny happening when the channel is turned to certain stations. With the computer on, channel two on my television is complete static, while channels 3 and 4 get decreasingly snowy. This happens when electromagnetic fields radiating from my computer and cables are picked up by the television antenna. If I'm watching channel 2, I can even make out a very fuzzy representation of what I see on the computer screen.

There is a simple reason for this happening. The various components of a computer (the amplifiers, coupling between cables, the power supply to power line coupling, switching transistors, the ground loop, internal wires, and even printed circuit boards) all act as antennae to conduct electromagnetic radiation. The components, cables and whatnot will not only pick up the radiation, but transmit it as well, sometimes re-emitting it at some distance from the source equipment. Nearby electrical wiring and metal pipes can further act as antennae.

Computers operate at radio frequencies and so they are also radio transmitters. That's why the Federal Communications Commission must approve all computers (and many other electronic appliances) before they can be sold in the United States. The FCC wants to make sure those radio emissions aren't strong enough to interfere with other licensed radio receivers (such as television sets). In fact, there have been cases of unregistered computer monitors whose screens have been picked up on the next-door-neighbor's television set. This sort of thing is more likely to occur when the neighbor has a black and white television and the computer has a composite monitor, because a black and white set can more easily adapt the synchronization signals that it picks up from a composite monitor (especially if the TV has an antenna amplifier attached).

When my television receives computer frequencies, it is doing so accidentally. Imagine the consequences of someone setting out to purposely receive radiated information. Indeed, such a thing is possible, and has been going on for quite some time. For years the Department of Defense has stashed away its most hush-hush computers and communications devices in copper-lined rooms to prevent radiation leakage. They have also produced guidelines for a security standard called TEMPEST¹, which defines how military computers are to be constructed so that the radiation leaking from them is minimal.

Radiation Comprehension

Special military computers might be well protected, but your run-of-the-mill PC or terminal is not. The FCC ensures that equipment won't interfere with other equipment; it makes no promises that equipment is safe from prying eyes. In fact, those eyes don't even have to be at the scene of the crime. There is an electronic marvel called the Van Eck device which picks up your favorite leaked radiation and projects it onto a television screen. Hook up a VCR to the television and you've got a living document of everything that goes on in your target's computer account.

¹ Transient Electromagnetic Pulse Emanation Standard.


Van Eck And Britton

In 1985 a group of Swedish engineers, led by one William "Wim" Van Eck, presented a paper called "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" at the Securicom Conference in Cannes. The paper, which was published in Computers and Security 4, described how one could easily and inexpensively convert a normal television set into a non-trespassing, passive device to intercept and reconstruct the information from any digital device, most notably computers. Scientist Don Britton had already gone public with a virtually identical device in 1979, but it was the Van Eck paper that got people to sit up and take notice.

We were talking before about how you could set up a radio receiver to pick up the mess of signals coming from cables, wiring and circuit boards. This is possible, yes, but you would end up with an unintelligible mishmash of signals. It would be difficult to separate and decode the various signals, though not entirely impossible. Doing so would enable you to determine what a distant computer was "thinking" as those electrical pulses shot through its system.

"Pulses" is the key term here. We all know the story about how computers are digital beasts, processing streams of ones and zeroes to create the fabulous tapestries of color and sound that we get to appreciate every time we boot up a copy of the latest Sierra game. In reality, there aren't actually tiny 1s and 0s coursing through the wiring. What's going on is high or low electrical current passing through. We think of these high and low currents as being 1s and 0s because it is convenient for us to imagine them this way. Any electrical device is going to have radiation emissions. But only a digital device, like a computer, will have pulses of high and low. Keep all this in mind while we take a little side trip.

Computer screens operate on the pointillist school of display painting: what you see as continuous shapes and lines on the screen is actually composed of thousands or millions of tiny dots, called picture elements, or pixels for short. Each dot is a little speck of some substance that glows (fluoresces) when energized, and the inside of the screen is covered with the stuff. Video control circuitry, located either within the monitor or plugged into the computer, controls the position of an electron gun, which repeatedly scans the screen top-to-bottom, firing an electron where appropriate to energize a bit of the fluorescent substance. Light up the appropriate pixels and keep them lit, and you end up with glowing dots that can combine to form the lines, characters, symbols and graphics that make up our daily experience with visual computer output.

You may ask yourself, "Well, once a pixel is lit up, how do you darken it to clear that portion of the screen?" The answer is simple. Hitting the phosphorescent matter with an electron only produces a very brief burst of glow before extinguishing. That's why the electron gun must systematically scan the entire screen sixty times a second to constantly refresh the image appearing on it. If we wish to cancel a pixel or series of pixels, we simply discontinue firing an electron at that section of the screen.

Every time the beam fires we get a high voltage pulse of electromagnetic emission. Britton's and Van Eck's idea was to simply use a television receiver to listen for those bursts of high voltage as a monitor emits them, and have the television respond by firing a pixel in the corresponding place on its own screen, thus ending up with a display screen that exactly matches, pixel by pixel, that of the target computer. A good thing for a spy to have, huh?

The problem is that while a television can receive those bursts of high voltages, they don't know what to do with them. There's nothing inherent to a high pulse that signals where on the receiving television that pixel should go.² The Van Eck or Britton devices bestow this function upon any lowly TV receptor, by producing an artificial synchronization signal. Two adjustable oscillators are used to create the vertical (picture) and horizontal (line) synchronization. For technical reasons, proper reception requires a constant re-tuning of the oscillators. This could theoretically be done by hand, but this is the computer age: the signals are mathematically combined and fed into a logic circuit which performs the job automatically.

² Actually, such signals are readily available from the mishmash, because the originating monitor's synchronization components also generate signals as they function. However, the pulses are too weak to pick up from a distance.
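To make the synchronization argument concrete, here is an added toy model (mine, not from the book or from Van Eck's paper) of a raster scan: each lit pixel becomes one timestamped pulse, which is all a receiver would have, and the picture only comes back when the receiver's guessed line and pixel timing match the monitor's. The bitmap and all timing values are constructed.

```python
"""Toy raster model for the Van Eck synchronization argument.

Added example, not from the book or from Van Eck's paper. A small bitmap
is "displayed" by a simulated scan: the beam fires once per lit pixel and
each firing is recorded only as a time. Rebuilding the picture requires
the line and pixel timing that the pulses themselves do not carry, which
is the job the book assigns to the device's two oscillators. All values
below are constructed.
"""
from typing import List

PIXEL_PERIOD = 1.0     # time units between neighbouring pixels on a line
LINE_PERIOD = 12.0     # time units per scan line: 8 visible pixels + blanking
WIDTH, HEIGHT = 8, 5

# Constructed test pattern, a block letter "H".
FRAME: List[List[int]] = [
    [1, 0, 0, 0, 0, 0, 0, 1],
    [1, 0, 0, 0, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 1, 1, 1],
    [1, 0, 0, 0, 0, 0, 0, 1],
    [1, 0, 0, 0, 0, 0, 0, 1],
]


def emit_pulses(frame, pixel_period=PIXEL_PERIOD, line_period=LINE_PERIOD):
    """Times at which the beam fires while scanning one frame top to bottom.
    This list of times is the only information the receiver gets."""
    return [row * line_period + col * pixel_period
            for row, line in enumerate(frame)
            for col, lit in enumerate(line) if lit]


def reconstruct(pulses, pixel_period, line_period, width, height):
    """Place every pulse on a blank raster using *guessed* timing. A pulse
    whose guessed position falls in the blanking interval, or below the
    last line, is lost rather than drawn."""
    screen = [[0] * width for _ in range(height)]
    for t in pulses:
        row = int(t // line_period)
        col = int((t - row * line_period) // pixel_period)
        if 0 <= row < height and 0 <= col < width:
            screen[row][col] = 1
    return screen


def lit_count(screen):
    """Number of pixels the receiver managed to place."""
    return sum(map(sum, screen))


def render(screen):
    return "\n".join("".join("#" if p else "." for p in row) for row in screen)


if __name__ == "__main__":
    pulses = emit_pulses(FRAME)
    print("receiver timing locked to the monitor:")
    print(render(reconstruct(pulses, PIXEL_PERIOD, LINE_PERIOD, WIDTH, HEIGHT)))
    print("\nline oscillator off by one pixel period:")
    print(render(reconstruct(pulses, PIXEL_PERIOD, LINE_PERIOD - 1, WIDTH, HEIGHT)))
```

With the line period guessed one pixel too short, each successive row is displaced one column further and pulses spill into the blanking interval, which is why the book says the oscillators need constant re-tuning.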

The difference between Britton's and Van Eck's designs is that Britton based his system on United States NTSC technology, while Van Eck's model is based on European PAL receptors, using European voltages, and includes a built-in digital frequency meter. If you have the techknowledge you can build one of these for $10 to $15. Models are also commercially available through spy shops.

Besides the oscillators and the logic processing sync restorer board, you will want to hook up a directional antenna to help focus in on exactly what you're after. Someone using one of these devices should be able to fine-tune their receiver to the point where multiple CRTs within the same room may be distinguished. This is due to differences in the components making up the monitors. Pieces that come off of different assembly lines or from different countries will have varying radiation-emitting characteristics. Your suitably engineered Van Eck or Britton device can discriminate between the several traits presented. Just pick one line of signals which you wish your machine to follow, and off you go.

Ups And Downs

This method of on-site computer cracking is safer than most because it involves no trespassing at all to get at your target computer. Van Eck has reported that he was able to use his invention to view the contents of computer screens from distances over a kilometer away. His working group housed the device in a van which they parked on the street, usually right in front of a target's home, without incident.

These devices give us hackers the opportunity to do what we always say we want to do: innocently look around in computer systems without hurting, without changing, without destroying. But Van Eck and Britton machines also deprive us of freedom of direction, of choice. We can only use it to see what the user himself sees; there is no chance for us to hack, only to spy. Very rarely do passwords appear on a computer screen, so we most likely won't even be allowed the opportunity to use a bit of learned knowledge to coax what other exciting information we can from the system unless the user chooses to allow us entry into those secret realms.

Seeing the contents of a forbidden computer screen from a kilometer away is marvelous in and of itself when one is discussing, as we were, pulling flutters of distant radiation from the ether. But traditional hacking methods allow us to delve into the forbidden through the telephone from much further away than a kilometer. In the following section we will start looking at how a hacker can roam through all the confidential computer systems of his neighborhood, his country, and, if he chooses, the world.

Chapter Nine:
Hacking At Home: Dialing Up Computers With Your Modem

Now we get to the stuff of which dreams are made. You flick the switch on your computer and a few moments later it's purring away. You press a few keys, type in a phone number and after some beeps you hear the wonderful shriek of connection. The handshaking is fine, but you're looking for a lot more than a handshake.

You press Enter a few times. "What's your name?" it asks. You respond not with your own name but with someone else's. Then you let your fingers whisper that sweet secret word through the keyboard and the screen lights up with a luscious display. Menus! Options! Choices to be made! Files to read and to learn from, software to run, games to play. You let the directories sift past you, letting yourself be mesmerized by their framework. So much to do, and then you see connections to other sites, and more sites, and more secret files to read! You smile as you realize something: every hack, no matter its size, leads to new hacks, new computers, new horizons of exploration and gain.

Reality

When I say "Hacking at Home" I don't really mean it. Most computer hackers nowadays won't hack from their houses for fear of Caller ID, line tracers, tricks, traps and federal agents. When I say "Hacking at Home," what I'm really referring to is the phenomenon of dial-in lines. Ways in which, if you are so inclined, without even leaving your house, you can connect yourself with the world.

Who To Connect To

Who can you expect to connect to, calling from home? Lots of places. There are other home computers, of course, mainframes, minicomputers, companies, government offices, clubs, any organization or individual who owns a computer and has need to communicate via computer with other entities. You might also find yourself calling on-line databases and pay-for-play services.


Paying For The Pleasure

A hacker named Rebel was recently telling me how enthralled he was with CompuServe, except for one aspect: the stiff price one pays for using the service. For this reason, CompuServe is often known as Compu$erve, with an oversized dollar sign replacing the S. CompuServe is not the only vendor charging the public a fortune to pay back their huge advertising budget. There are literally hundreds of on-line services to which one may subscribe, or hack one's way in if that's more your style.

Databases are available to look up any sort of data: census data, news, stock market information, results of government research, science and technology reports, books, personal information, history, and popular culture. There have been times late at night when I needed one crucial piece of information for something I was writing, or just to satisfy my curiosity. Anybody can access one of these databases and find what he or she needs any time of the day or night. Of course, we must be prepared to pay through the nose. There is usually a charge to subscribe to the service, then there may be any number of the following charges:

A display charge for each piece of data presented on the screen, or a search charge for each query made to the database.

Minute-by-minute charges as long as you stay connected to their computers.

High-speed surcharge for using a faster modem (thus gaining the ability to grab more info per minute).

Long distance phone charges if the service doesn't have an access number in your local dialing area.

Many hackers refuse to pay the inflated bills these services can run up, though they also refuse to give up the service, particularly when so many special and useful features can be gained by dialing in. On-line gaming, electronic mail, multiple-user chatting, bulletin boards and a plethora of other goodies make the services attractive to the hacker. Many of the fee-based services which offer bulletin boards even have a message base or two devoted to hacking.1 The many ways to get past paying for them are also very attractive. You will find many ideas throughout this book.

You'll be interested to hear about one trick a pair of high-school-age New Jersey crackers used to get some service for free. One brand of personal computer was being sold in a special package that included several pieces of software, along with a trial membership to one of the on-line services. They hacked the system of one of the stores that sold the computers and obtained a list of customers who had bought it. Many of those customers were individual people or families, but a good number of the computers had been bought by stores and businesses. They went to these businesses and snuck around in their back rooms and offices. Sure enough, pushed aside on bookshelves, unopened and untouched, lay the envelope that included the "Getting Started With StarBase On-line" manual and trial access codes that had been included with the computer. They helped themselves.

Packet Switched Networks

There are corporations and government agencies all across the country that have computers you will want to get your hands into. But you're not going to want to get your hands into your wallet to pay for all those long distance calls. The solution? Public Data Networks (PDNs).

A PDN is a network of hundreds of computers scattered nationwide. You call up one local to you, then type the address of the computer system you want to connect with. The "address" is usually something like a phone number. When you enter a valid address, the login display for the desired system will appear. You are then able to interact with the system as if you were directly connected to it, when in reality everything you type is being broken down into chunks of text (packets), possibly compressed and encoded, then shipped across the country, from one computer to the next, until it reaches its destination.

There may be hundreds of other sessions going on simultaneously from points throughout the network, as thousands of users interact with the many computers on the net. Sending messages this way is known as packet switching. The intermediate computers that do all the work are called PADs, or Packet Assembler/Disassemblers, because they take incoming packets of data, strip away the encoded insulation which tells that PAD where the packet is headed, then reassemble the data with new directional information, sending it further along the route. (Strictly speaking, the PAD is the device at the edge of the network: it turns the character stream from your asynchronous terminal into X.25 packets and back again. The nodes in the middle are packet switches, which read the destination in each packet's header and pass it on to the next hop.)

Hackers take great glee in connecting with a PDN. Once there, a hacker can try out various addresses at random. In a matter of minutes, he will find himself with a wide variety of login prompts to crack, all made through a local phone call.

The most well-known PDNs are Telenet and Tymnet, and there are also international packet networks, and networks in other countries as well. Generally you can call any one of these services to get a list of PADs in your area you can dial in to.

Other Networks

The only other network that counts is the Internet. Internet is an international network of networks. There are academic networks, government networks, businesses and organizations throughout the world, all connected together (by PDNs) to exchange ideas, software, technologies, gossip and guacamole recipes.

Before Internet there was ARPANET, a military network which has since been replaced by MILNET (a well-guarded network of United States military sites) and other smaller networks used by the US military. Altogether, these make up DDN, the Defense Data Network. DDN is now just one of many networks participating in the Internet. Others include the National Science Foundation NETwork (NSFNET), which includes supercomputer centers and other research sites funded by the NSF. CSNET is a network established to encourage cooperation between sites doing development work in computer science. JANET is the United Kingdom network, one of many national networks around the world that is bridged with the Internet. Internet is truly a global community.

Some of the pay-for-play services offer access to the Internet. Many university computer accounts are connected to it. Basically, having an "in" with the Internet allows one to travel around the world and back without leaving your armchair.

We were talking before about packet switched network addresses. An Internet address is a series of code words punctuated with periods, and refers to one particular computer in the millions that make up the Internet. A typical Internet address might be [email protected]. We can deduce that at the University of Boulder there is a computer in the computer science department called zowie4, and on that computer there is a person whose first name is Daniel, and last name begins with K. The "edu" is a standard thing stuck at the end of educational computer addresses. Other identifying components used are:

COM for commercial sites,
MIL for military sites,
GOV referring to governmental organizations,
ORG for non-profit organizations, and
NET for network providers and other network infrastructure sites.

An Internet address may also end in a two-character country abbreviation. Some examples of these are:

AU AUstralia
IL IsraeL
US United States
JP JaPan
UK United Kingdom
DE Germany (tricky! DE is for DEutschland).

Finding Dial-Up Numbers

To connect with computers, you will need their phone numbers. Very often you can call up a company and ask the switchboard operator for the computer department and/or computer "direct connect" lines. If that doesn't work, try calling individual offices at the firm and ask if they know how to access the company computer from their home computers. If they don't know the phone numbers, perhaps they have a terminal program on their office computer which has the phone number stored for use.

Phone books are a big help. First there are the internal kind: companies and other organizations will have a directory of people who work there, with their extension numbers. Internal directories might also be of the kind that list numbers for the different departments; some go so far as to list home phone numbers and addresses of the people who work there. Names can be used to pretend familiarity with the people you speak to when you call. But you won't even have to call and ask for dial-up lines if those numbers are listed in the directory.

A second useful source is phone company data grade line directories.... When a person speaks on the telephone, it doesn't matter if every once in a while the voice on the other end gets a bit fuzzy, or if the tone gets momentarily higher or lower. When you're transferring data between computers, however, audio noise can be a problem. So the telephone company has special lines which offices can install (for a price) to ease the flow of data between telecommunications devices such as modems. If you can get a data grade line telephone book, you will have found a huge and wonderful collection of computer phone numbers (and fax numbers too). Many hackers get theirs by scavenging.

The third way phone books can be helpful is by looking in the public white pages and yellow pages that every phone owner gets for free. Large companies will own big blocks of telephone numbers, with each office or extension being one digit different from the preceding one. To call the different departments at Company J, you would dial 390-WXYZ. The 390 stays the same for every department, but the last four digits change for each phone line. So turn on your computer and type up a text file listing every occurrence of those last four digits you see listed for that company in the phone book. Then sort the list and try calling everything in that exchange that is not on your list. It can be helpful to use a criss-cross directory for this task. Criss-cross directories are sorted by number, not name, so if you know that Company J's numbers fall into the 390- range, using such a directory you will have an even bigger list of numbers to avoid. This makes the job of calling every potential number much quicker and easier.

Software is available to repeatedly dial up a series of phone numbers, reporting on whether a modem is connected. These programs, often available on hacker and cracker BBSs, are known by many names: "WarGames Dialers," "autodialers," or "demon dialers." If you can't find such a program, write one for yourself; it's simple to do and will cost you only a few hours of time.

Once you have your autodialer, be very careful how you use it. The phone company security patrol knows what you're doing when you make that many calls that quickly, and with such precision. I've often thought it would be a good idea to combine one of those computerized telemarketer machines with an autodialer. That way everything looks legit: if a person picks up, they get a short recorded message; if a modem picks up, they get a callback later.
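The two steps the text just described, the list of not-yet-accounted-for lines in an exchange and the autodialer that works through it, as an added example that is not from the book or from any dialer program it names. The modem is a constructed stand-in (`FakeModem`) with made-up numbers and answers so the block runs offline; `candidate_numbers`, `classify`, `demon_dial` and the `DialerConfig` knobs are this example's names. CONNECT, BUSY, NO CARRIER, NO ANSWER and NO DIALTONE are standard Hayes result codes; VOICE is returned only by modems that can detect a voice answer.

```python
import random
import re
import time
from dataclasses import dataclass, field

# --- Step 1: the scan list (the "text file of last four digits" in the text)

def candidate_numbers(exchange: str, listed: set, crisscross: set) -> list:
    """All 10,000 lines in `exchange` minus the suffixes already accounted for.

    `listed` holds the four-digit suffixes the target lists in the phone book;
    `crisscross` holds suffixes a number-sorted directory assigns to other
    subscribers in the same exchange. Neither is worth a call.
    """
    skip = {s.zfill(4) for s in listed | crisscross}
    return [f"{exchange}-{n:04d}" for n in range(10000) if f"{n:04d}" not in skip]

# --- Step 2: reading what the modem says after ATD<number>

# Hayes result codes; CONNECT may carry a speed ("CONNECT 2400").
_RESULT_RE = re.compile(
    r"^(CONNECT(?: \d+)?|NO CARRIER|BUSY|NO ANSWER|NO DIALTONE|VOICE|ERROR)\b")

def classify(result_line: str) -> str:
    """Collapse a raw result line into CARRIER, BUSY, NO ANSWER, ... or UNKNOWN."""
    m = _RESULT_RE.match(result_line.strip().upper())
    if not m:
        return "UNKNOWN"
    return "CARRIER" if m.group(1).startswith("CONNECT") else m.group(1)

@dataclass
class FakeModem:
    """Constructed stand-in for a serial-attached modem (demo only)."""
    answers: dict                         # number -> result line it should return
    log: list = field(default_factory=list)

    def command(self, at: str) -> str:
        self.log.append(at)
        if at.upper().startswith("ATD"):
            number = at[3:].lstrip("TPtp")   # ATDT390-1234 -> 390-1234
            return self.answers.get(number, "NO ANSWER")
        return "OK"

# --- Step 3: the dialer loop itself

@dataclass
class DialerConfig:
    shuffle: bool = True          # never sweep an exchange in numeric order
    pause_seconds: float = 0.0    # spacing between calls; 0 only for the fake modem
    seed: int = 0                 # fixed seed keeps the demo reproducible

def demon_dial(modem, numbers, cfg: DialerConfig = DialerConfig()) -> dict:
    """Dial each number once; return {number: raw result} for lines that answered with a carrier."""
    order = list(numbers)
    if cfg.shuffle:
        random.Random(cfg.seed).shuffle(order)
    carriers = {}
    for number in order:
        raw = modem.command(f"ATDT{number}")
        if classify(raw) == "CARRIER":
            carriers[number] = raw
            modem.command("ATH")      # hang up; we only wanted to know something answered
        if cfg.pause_seconds:
            time.sleep(cfg.pause_seconds)
    return carriers

if __name__ == "__main__":
    # Constructed: Company J lists 390-1000 and 390-1001; the criss-cross book
    # gives 390-2000 to someone else; two unlisted lines have modems on them.
    modem = FakeModem({"390-1234": "CONNECT 2400", "390-3141": "CONNECT", "390-2000": "BUSY"})
    targets = candidate_numbers("390", {"1000", "1001"}, {"2000"})
    print(demon_dial(modem, targets))
```

Driving a real modem means replacing `FakeModem.command` with a serial write of the AT string followed by a read up to the result line, and setting `pause_seconds` to something a switch will not notice; the shuffle and pacing are there for the reason the text gives, a numerically ordered sweep at machine speed is exactly what a carrier's fraud desk looks for.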

Dial-Up Security Measures

Some security directors get themselves into a bind. They recognize the important value of having direct dial-up lines for easy access, but they also understand that anytime a person is able to call a computer directly, a security breach is not only possible, it's unstoppable.

To overcome this, security-minded folk will not allow direct dial-up access to the real computers. They will only allow access to an intermediary device or computer which firewalls important data from potential hackers. For example, one may dial up a computer whose purpose is only to check authorization codes. When access is confirmed, the caller is transferred to a line connected to the actual computer. There, the caller may have to identify his or her private account by username and password. As long as the password to the initial computer is kept secure and changed frequently, the important data on the actual computer is free from harm.

In states where Caller-ID service is legal (and even in those states where it is not, or isn't available) it is possible to set up a modem to only handshake with a user who is calling from an authorized phone number. The system administrator keeps a list of the home phone numbers and office numbers of legitimate users, and if the computer sees that the incoming call is not from one of those, there is an immediate disconnect. The call would also be disconnected if the caller had enabled Call-Blocking, which disallows the Caller-ID from reading one's phone number. Bear in mind that Caller-ID is a convenience, not an authenticator: the number it shows is whatever the originating network passes along, so it can be suppressed or misrepresented, and an allowed-number list on its own is a thin gate.

Where Caller-ID is unavailable or unknown, a ring-back feature may be put to use. Once a caller inputs correct identifying information, the host computer disconnects and calls back a stored telephone number which goes with the identity that has been entered. (This is only as strong as the line the callback goes out on: the host should dial out on a line the caller cannot still be holding, and the stored number must be one an impostor cannot arrange to have forwarded to himself.) This is the normal way ring-back works, but in some instances (such as the RBBS-PC electronic bulletin board system) the ring-back option means that a caller lets the phone ring X times, then hangs up and calls back again. This time the BBS will answer the phone. If the caller had originally let the phone ring more than X times, the computer would have ignored the call completely, thus providing a layer of security. So if you have a number you know belongs to a computer, but there is no answer, try letting it ring a different number of times, then call back immediately.

A host computer may also not connect a caller until a certain code is played on a Touch Tone phone. Since the code would ordinarily be played by the terminal program of the calling computer, this code may be very long and complicated, thus difficult to crack by chance or force.

As you can see, all of these dial-up security measures make life difficult for the hacker. One may social engineer the knowledge out of a legitimate user of the system, but often the hacker won't even know that such extreme security measures are in effect to begin with.

You may be randomly dialing through a range of phone numbers because you have reason to suspect that a computer line exists within that range. If one of the numbers is never answered no matter how often you call, you can surmise a ring-back or similar device is connected to the other end. If you call one number and hear a computer at the other end but aren't connected, suspect that the computer is looking at your phone number and seeing if it's valid.2 (Either that, or what you're really trying to connect to is a fax machine.) Caller-ID type systems, and those which call back a phone number, will be especially common on computer systems whose users are situated within a close regional area. The remote system may also be trying to detect special tones encoded in the modulation. Though it is a dial-in line, special equipment may be needed to connect with it.

Sometimes the system managers get so tricky as to disguise the fact that they have a dial-up computer available at all. When a user calls up to use the computer, a special device answers the phone. Instead of hearing the characteristic modem noises, a user might get a recorded voice, static, or nothing at all until a specific password is sent from the calling modem to the remote system. You can see how this would easily foil any WarGames dialer.

All in all, devices which inhibit access to the actual computer are nothing more than one more layer of security to get by. Luckily, the majority of computers do not employ such tactics, and are easier to crack than a hard boiled egg.

Scrutinize The Login Environment

The login environment is the area of the remote computer which you are allowed to access before identifying yourself as a valid user of the system. The login environment of most computers is limited to a username and password prompt. Some environments are more expansive, giving a general command prompt, at which you can type any number of instructions. Those instructions won't necessarily be carried out (you probably have to log in first) but they can be helpful.

There are a number of common commands that one can type at a board command prompt, and a list of these is given in Appendix C. Try typing "help" or "?" first, and see if that does anything. A command like "users," "show users," or "who" will be helpful, in that you can see the names of people who are on the system and try to guess their passwords. The advantage of having certain other commands may not be as apparent, nor will there necessarily be any advantage at all to the hacker.

One good thing about general command prompts is that often one is reverted back to them after failing a login. Thus if three incorrect username/passwords are entered, instead of disconnecting you, the computer will bring you back to the command prompt for another go-round.

When you find yourself at a general command prompt with no help available, try doing different things, paying attention to the error messages you receive. Try entering commands in all upper or all lower case, then mixed cases. Look at the maximum and minimum lengths of commands. See which characters are recognized. All of this is helpful in that it narrows down the number of unknowns. It helps you more easily figure out what you should be doing to get things moving.

If every time you type "HELP" you get a "line too long" error, then you know the system is probably looking for three-letter commands. That is useful information. If you type "CONNECT," and the system responds, "The verb CONNE is not available," it implies that only the first five characters of input are examined. If, on the other hand, your entire entry is examined, advanced help may be available. For example, if by typing "HELP" you get a list of commands, typing "HELP COMMANDNAME" may give you help with that one particular command. Such help systems are common.

Let's look at the actual entering of username and password. Some terminals tell you you're wrong when you enter a bad name, others wait until you've given both name and password to inform you. The first way is preferable, as it is less secure and requires substantially fewer guesses to crack than the latter. The IBM VM/370 was insecure in this regard; it immediately informed you that the username was no good with a "userid not in cp directory" error message. One system that I know of (Dynix) follows the same format. First it helpfully prompts for your "Nine digit ID code" (hint, hint, what could that be? A social security number perhaps?) and when the correct one is entered, it will say, "Good morning Samantha. Now type your password." This particular computer allows you to easily break into one of several command languages and reprogram the menu interface. It also comes equipped with dial-in ports. Dynix is a joy to hack.

If you get a computer of the second type (one which asks you for name and password before saying if your login is accepted), then time how long it takes to display the password prompt on the screen. This can help you decide if a username you're entering is valid or not. Let's say you try the name "Jim," and it takes two seconds for the computer to respond with the password prompt. Every time you type "Jim," it takes that long. Now try the username "Zzzzzzz." This is obviously a made-up name that the computer won't be able to find in its files. If it consistently takes longer for the password prompt to appear after typing the name "Zzzzzzz," you know that "Jim" is a valid username, and you should continue guessing passwords for him. That is, on systems where sequential search is in effect, it takes longer for the computer to search for a nonexistent entry in its data files than an existent entry. In any case, source codes are often available, especially for UNIX files, and so you can look them up to see how the inner workings of the login prompts function.

If you have no idea what kind of username and/or password is required on a particular system, do the same kind of checking you would do at a general command prompt, checking for which characters and lengths are recognized.

A completely different way you might like to research the login prompt is by control codes. Pressing certain keys, or combinations of keys, delivers codes to a remote computer which may force it to act in ways that it was not meant to behave. For example, you can send an ASCII code to command the remote computer to stop reading a password file. Sometimes it is then possible to quickly retype the password you entered, and make the computer believe it has found your input as part of the password file, thus letting you into the system. Sometimes pressing Control-Z (the end-of-file command) at the right time will bring strange results too.

Look up all abbreviations, weird letters and other things that appear on the screen. Any decent library will have an encyclopedia of acronyms. (Any indecent library will have this book.) Very often you will call up a packet switching network, find a valid address, then get something like "Welcome to VHMSD! Password?" on the screen. So, you do your research and find out that VHMSD stands for Viking Horn Manufacturers of South Dakota, and the whole task of hacking the place becomes infinitely simpler. Remember, when you are hacking a computer, you are really hacking the people that run the computer. Thus, if you can find out who is running the show, you have a multitude of resources at your disposal, including all the research tools mentioned earlier. Otherwise you're just taking random stabs at a computer identified only by some strange abbreviation.

2 A knowledgeable hacker could temporarily change his phone number to one that the computer recognizes, by hacking the telephone system mainframes. However, it is still necessary to know that phone number.
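The password-prompt timing described above, as an added example that is not from the book: a Python sketch of a login routine that returns early for unknown names (the behaviour the text exploits) beside one that does the same work on every path, and a small timer that plays the "Jim" against "Zzzzzzz" comparison against each. The account table, salt, names and passwords are constructed for the demo; `leaky_login`, `constant_login`, `median_ms` and `enumerate_users` are this example's names. The leak is not specific to sequential file search: any check that skips the expensive password hash when the name is unknown gives the same signal, and the fix is the same.

```python
import hashlib
import hmac
import os
import statistics
import time

_ITERATIONS = 20_000                  # low to keep the demo quick; raise in real use
_SALT = b"constructed-demo-salt"      # a real system salts each account separately

def _slow_hash(password: str) -> bytes:
    """The deliberately expensive step: a PBKDF2 password verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)

# Constructed account table: username -> stored verifier.
USERS = {
    "jim": _slow_hash("correct horse"),
    "samantha": _slow_hash("battery staple"),
}
# Verifier for an account that does not exist, so unknown names cost the same.
_DUMMY = _slow_hash(os.urandom(16).hex())

def leaky_login(username: str, password: str) -> bool:
    """An unknown name returns at once; a known one pays for the hash first.
    That gap is what the text times."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _slow_hash(password))

def constant_login(username: str, password: str) -> bool:
    """Same work on every path: always hash, always compare, decide at the end."""
    stored = USERS.get(username)
    candidate = _slow_hash(password)
    match = hmac.compare_digest(stored if stored is not None else _DUMMY, candidate)
    return stored is not None and match

def median_ms(login, username: str, trials: int = 7) -> float:
    """Median wall-clock cost of rejecting `username` with a wrong password."""
    samples = []
    for _ in range(trials):
        t0 = time.perf_counter()
        login(username, "definitely wrong")
        samples.append((time.perf_counter() - t0) * 1000.0)
    return statistics.median(samples)

def enumerate_users(login, names, trials: int = 7, ratio: float = 2.0) -> set:
    """Names whose rejection takes `ratio` times longer than the cheapest name."""
    timings = {n: median_ms(login, n, trials) for n in names}
    floor = min(timings.values())
    return {n for n, t in timings.items() if t > ratio * floor}

if __name__ == "__main__":
    probe = ["jim", "zzzzzzz", "samantha"]
    print("leaky   :", enumerate_users(leaky_login, probe))
    print("constant:", enumerate_users(constant_login, probe))
```

Over a modem the delay the text describes is seconds, so a single observation is enough; over a fast link the gap is milliseconds and the median of several trials, as above, is what makes it stand out from jitter. The same discipline applies to the wording of the rejection: "userid not in cp directory" hands the attacker the answer without any timing at all.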

Chapter Ten:
Electronic Bulletin Board Systems

The Electronic Bulletin Board System (EBBS, but usually referred to simply as a BBS) is how most people get introduced to computer telecommunications. A BBS is a computer program that anyone can set up on his or her computer. The program watches the computer's modem, waiting for the telephone to ring. When it does, the BBS program answers the phone. If it is another modem calling, the two computers are connected. The person who is calling is then able to use the computer on the other end of the line as if he or she was sitting directly at that computer's keyboard. The BBS program allows the caller to choose various options from menus, letting the caller write messages to be displayed to other callers, read messages, send files back and forth, or play games on the remote computer. In essence, the caller actually controls the computer through the phone lines. However it is only the BBS program that he or she is allowed to control. The BBS program separates the caller from the computer itself. At least, it tries to.

BBSs are generally run by computer hobbyists on their home computers, and are used as a way to share information in the spirit of the original hackers. Usually there is no charge to call these up and look around, but that is at the discretion of the person running the BBS, the system operator (sysop). Schools, libraries, churches, stores, user groups, and organizations often run BBSs to spread the word about activities and to keep members in touch with one another. Sometimes companies will set up electronic BBSs as a way for customers to mail order products from them, to see new product information, or to report problems with products or services.

The US Congress has even set up a bulletin board system. Run on RBBS software, the BBS was created in late 1991 by Congressman Bob Wise and his House Government Operations subcommittee on government information, justice and agriculture as a way for government employees to anonymously inform inspectors about wrong-doing at the workplace.

Other BBSs are private ones, the phone numbers to which are not made widely available. For example, the FBI runs the National Crime Information Center (NCIC) which makes use of a BBS to keep track of wanted persons, missing persons, and people with criminal records. Franchise businesses such as fast food places often use BBSs to upload inventory or financial data to their company headquarters on a daily basis. And of course, there are otherwise "public" BBSs which maintain silence because the people who use them do so for illegal purposes.

Access to most BBSs is controlled by a name/password combination. When you call up a BBS you are asked to enter your name, or NEW if you have not called before. If you are a new user, you will be asked if you wish to register for the system and, if so, you will be asked some questions, welcomed to the system, perhaps given a short tour, and shown the rules of the house ("Please keep messages clean... No discussion of illegal activities such as computer hacking, fone phreaking, stolen credit card numbers, etc.").

After that, you might be given guest access to the BBS until the sysop can validate your request for admission, or you might be logged off and asked to call back the next day. This isn't always the case, of course, but sysops like to make sure you are who you say you are; if you registered with a phony phone number, they want to know about it. They want to make sure the people they will be allowing to use their computer can be trusted.

Electronic bulletin boards are important to the computer enthusiast and to the hacker for many reasons. They enable us to communicate (possibly anonymously or semi-anonymously) with other computer users. We can learn from those who have more experience than us, and we can use BBSs to help newcomers to the world of computing. And of course, there are the immoral and illegal ways of using BBSs, ways to exploit them and the people on them for your benefit, ways to make contact with the underground and deviant computer users of the world, including hackers.

Finding BBS Numbers

Once you find one BBS number, you will automatically have literally thousands to choose from. The sysops of BBSs are not competitive. They don't care if you use their system exclusively, or if you call up every BBS in existence. Thus, you will almost always find a BBS list on any BBS you call. The list may be nationwide or local, and will detail BBS names, phone numbers, perhaps the sysop's name and special features of the systems. BBSs also usually have a BBS message center, or a place where other sysops can advertise their BBSs.

So once you call up that first BBS, you will have the phone numbers for many more. The trouble, for beginners, is finding that first number.

To start with, if you know anyone who has a computer and a modem, ask them if they have any BBS numbers. Many computer users groups, libraries, religious organizations and schools have BBSs. The companies that manufacture modems and other telecommunications equipment, as well as the software companies, often have BBSs. If one isn't advertised in the packaging, call them on the telephone to ask if they have one. Hayes, for instance, has a nation-wide 1-800 BBS you can call to get product information and lists of BBSs from all over the country. The number is 1-800-US-HAYES.

Computer magazines often list BBS numbers. There are many books on telecommunications, some of which have listings of BBSs across the country in an appendix. There are also several computer phone books that give listings. Additionally, you might find BBSs advertised on community bulletin boards or in neighborhood computer stores.

Finding Hacker Boards

The most adept hacker BBSs will not advertise themselves, but don't worry: once you establish yourself as a knowledgeable hacker, you will learn of their existence and they will welcome you with open arms.

There are plenty of hackers and wannabe-hackers who will openly advertise their BBSs as catering to the kind of thing you are looking for. Perhaps they have worthwhile information. Probably you'll log onto these boards and find nothing more than some no-brain kids cursing at each other. You can ask on overtly hacker/criminal boards if the members know of any other hacker boards (or look in the BBS listings there), but you probably shouldn't stick around on overtly criminal boards, as they are more likely to be busted. Since they generally don't contain anything but publicly-available or useless information, don't feel you're missing out on much by shunning these places.

Making Connections

Occasionally you will find an electronic conversation with some intellectual value to it. Embrace it, add to it, and pretty soon you'll find yourself accepted into its underground. If you find such a BBS, one whose members proclaim themselves to be hackers, and yet the conversation is smart and conservative, you can bet that there are secret subboards lurking behind trap doors, where all the real hacking news gets discussed. Prove yourself as a worthy member of the above-ground community, and after awhile the sysops and assistant sysops will vote you into their elite society. To be accepted as a hacker you must be willing to exchange information. You must have good information to share and to give.

If you log on to a respectable BBS which you suspect contains a secret hacker subsection, accidentally try a different unlisted command each time you log on. (Don't do more than one per login, to avoid generating suspicion.) If you find a command that works, and you're asked for a password, then you'll know you're on the right track. Talk to the sysop or other group members about your feelings on hacking, and ask them what they think about it. Modestly tell of your hacking achievements. You will already have impressed them by finding the secret section, but you don't want to agitate them by hacking it out.1 And you certainly don't want to post a public message stating that you found their trap door; you can bet there are plenty of others without that secret access who are also roaming about. Talk to the sysop and assistant sysops privately about your find, via e-mail or on-line chats.

1 One of the criticisms that law enforcement officers make about hackers is that they say we live by a double standard: That we think it is no crime to violate other people's privacy, but we can't stand the thought of being probed ourselves. Well, I don't find a need to defend myself. If a hacker can get through the safeguards I've set up, that's fine, because I know that hacker will not damage me by it. As far as hacking a hacker BBS is concerned, since the users of that BBS do not know you, they don't know that your intentions are honorable. Thus, to invade them is to get their guard up. In your talking to the sysop you might want to mention that you refrained from hacking the hole that you found, in order to reassure them that you are a fellow hacker and not a cop.

Many of the BBSs you encounter will be strictly legit operations. There will be no talk of hacking, no trading of break-in secrets, and certainly no sensitive information of any kind being distributed to newcomers. You will have to start by jumping into already established, possibly ho-hum conversations. Be polite, try to be helpful. Add thoughtful comments to the discussion. Having an experienced hacker as a friend will do more to boost your skill in that area than anything else except perhaps some persistence, research and luck.

Soon you will have a few favorite systems that you'll call on a regular basis, but you should also be constantly branching out, trying all the new systems you find, your goal being to eventually find an access into the "computer underground." There is no single, organized underground per se, but there are groups of hackers and others interested in technology scattered here and there. They will keep their conversations of illegal activity secret, so it will be difficult to find them. The message boards they use to communicate will often remain hidden to the uninitiated, and the BBSs on which the most interesting tales are traded will not have their phone numbers publicized at all. Your best bet is to keep searching. If you start to get the feeling that someone on one of the bulletin boards may be inclined to deviant computing, you may want to send him or her a private message (tactfully) asking if he or she is interested in that sort of thing and if so, would that person want to trade information? But remember: any message you send on a BBS can be read by the sysop, co-sysops, and possibly other system managers lower down the hierarchy, so be discreet if the people who run the show are anti-hacker.

A lot of people own

computers with modems,

and you will run into a lot of different kinds of


people on electronic bulletin boards. If you look in
the right places you are sure to find computer
hackers.

them

What may be more

to accept

like to

show

you

off,

difficult is getting

as one of their own. Hackers

but they don't usually

like to ex-

how they do their tricks. You will have to


demonstrate to them that you are a thoughtful, resourceful, logical person who can hack just as good

plain

as they can

and one who has information

to

As you wander through

the bulletin board forkeep track of where you've been. Keep a list of
the different BBSs, making note of the software
used to run each BBS, and what features are available on each one. Particular features to keep track

est,

lists,

Text

file libraries.

"Welcome

share.

of are

file

transfer capability, extent of

BBS list, user

to

technical files

These contain anecdotes,

the

BBS,"

and other

handy

jokes,

information,

sorts of things that

people might like to read.


Once you get started BBSing, you'll get a handle
on the kinds of things you tend to find on BBSs...
and the ways you can exploit them to your mischievous hacker advantage!

and doors.

BBS

Exploitation

BBS Features

that
BBSs are more than just bulletin boards
is, they are more than just a place to write and read

messages.

BBSs with file transfer sections will allow you to


upload (send) computer programs and files to the
BBS, and download (receive) files from the BBS
computer. Many of the more serious BBSs have renounced file transfers as a waste of good time and
disk space, but this feature is still common, especially with sysops who cater to software pirates (or
bootleggers) who deal in software that has had its
copy protection removed.
There are various kinds of user lists and logs on BBSs. These range from user responses to a poll or questionnaire, to a little introductory message from the user, to brief one or two word descriptions of the user's affiliations and interests. Often usage logs are available; these will let you see who logged onto the BBS before you arrived there. These usage logs may go back to the beginning of the day, or farther.

"Doors" are used to go outside of the BBS program. When you walk through a door (by selecting a command from a menu) you enter a completely different program. Usually doors are used to play games on-line, but any kind of program can be accessed through doors. It all depends on the BBS software being used, and the whims of the sysop.

Other BBS features include:

Graffiti walls. These allow users to put up a short note, advertisement, or a joke.

E-mail (electronic mail). Lets users send private messages to other users of the system.

Chat (also called "page operator"). Allows you to have an on-line conversation with the sysop, if the sysop is at home.
It used to be, long ago, that if you wanted to break into a computer system, it was easy to exploit bugs in the system software, or default passwords, to work your way in. Nowadays, things are a bit tougher. Those bugs and default passwords have, for the most part, been done away with. Oh, they're still there if you know what you're doing, but unfortunately, for the most part you'll be stuck if you rely on those methods. What you have to do is exploit the new line of system bugs.

Unless you have some phobia, you are not afraid of being struck by lightning every time you leave your house. That's just not the kind of thing that makes sense to worry about, so you probably don't worry about it at all. But what if someday you were struck by lightning? That would change your perspective on things, wouldn't it? My point is this: the weakest link in any security system is the people involved in making sure that everything stays secure. Joe Blow, the average computer user, doesn't care about security matters; why should he? He has no reason to even think about security. He's never had files erased by a virus, never had his credit card numbers stolen, or his DIALOG account breached. Joe Blow is the weak link.

How is Joe Blow the weak link to be exploited? Joe is a typical computer user and a typical human being. He's a bit into computers, but not a fanatic like maybe you are. He's human, so he has trouble remembering fifty different passwords. So he uses the same password for every computer system and BBS with which he has an account. Joe uses easily guessed passwords, or maybe none at all. He's not a computer whiz, so he doesn't always understand what's going on when people start talking computer language to him; this makes him vulnerable to being exploited. And guess who's going to be exploiting Joe Blow? Yes, you.

Getting To Know You

What I'm about to say here will sound like heresy to some, downright evil to others, and superficially it will appear to break the very fundamentals of the hacker's code of ethics. Well, in some ways it does, but there are a lot of things I say in this book that are like that. It's true: life often breaks its own rules. Sometimes you have to break your own rules to have some fun. So anyway, here's my warning: Watch out! Taboo subject ahead!

If you've followed my earlier advice, you have this huge list of BBS numbers, and you've been calling them all to get more numbers. Why did I say to do this? Because the people you will meet on these systems are people who are into BBSing. A lot of them have accounts on other local systems or databases, or at their jobs, or schools. If you call up Fred's BBS, and you go to the "Computers" Discussion area, and Joe Blow is there talking about CompuServe, you have just found out a very significant clue! All you have to do now is find out what password Joe uses on Fred's BBS. More than likely it's the same one he uses for CompuServe and every other computer account he owns (not to mention, this password is probably the key he uses to encrypt files). This is easier said than done, of course.

If you've been having conversations with these people on the bulletin boards, you've found that some are computer experts and some are not. Obviously, it's better to try to focus on someone who is not an expert BBSer, although some expert users are so smug they become complacent and lazy, and so perhaps become better targets. Use your judgment. A newcomer will be more likely to choose a bad password. Newcomers (or people disinterested in computers) will tend to choose certain obvious passwords over and over again.

Let's say you're looking through your captured user list from Fred's BBS, and you see Joe Blow's entry. Under interests, Joe put down "bowling, SCUBA diving, Star Trek & lacrosse." Now you have some clues. It's more than likely that Joe Blow's password is a word taken from one of these areas of interest. When you look through these user profiles, you are learning more about these people; you are getting to know them.

To sum up: It is vastly easier to figure out the password of someone you know than the password of a complete stranger. If you know what things a user is interested in, it's "easy" to guess his or her password. If you find out that person uses a computer at work or school, it's likely the same or a similar password is used for both systems. This is what you should do. Many BBSs have a listing of which users have signed on to that BBS, where they live, what their interests are and what they do for a living. These lists are like gold to a dedicated hacker. Use your program's data capture facility to record the most useful lists you find, then edit them down and print out the essentials.

I'm not trying to suggest that guessing a password is simple. It's not; you have to have patience, and a lot of time on your hands. But there are faster, smarter and consequently more technical ways of getting into Joe Blow's BBS account than a brute force attack. Let's look at these.

Bypassing BBS Security

Even though BBSs employ security features, there are at least eight factors which serve to make them vulnerable to any resourceful hacker. These security loopholes are:

1. BBS run on home computer.
2. Hacker is familiar with the remote hardware.
3. Hacker is familiar with the BBS software.
4. Hacker is familiar with the people involved.
5. Diversity of people involved.
6. File transfer section.
7. Hacker knows when sysop is and is not watching.
8. Hacker knows usage patterns.

Each of these vulnerabilities offers numerous opportunities for a hacker to break into the BBS of his or her choice. Taken as a whole, it should be pretty much impossible for a hacker to NOT be successful at a BBS breach.
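The Joe Blow profile above is exactly what a sysop can check a new password against. This added example (not from the book) refuses a password built from any word in the caller's own user-list entry, including run-together forms, leetspeak and digit suffixes; the profile fields, passwords and thresholds are constructed sample values.

```python
"""Reject a new password that the user's own BBS profile gives away.

Added example, not from the book: the sysop-side counterpart to the
profile-guessing technique described above. A password is refused when it
is built from any word in the caller's handle, real name, city, occupation
or interests, including run-together forms ("startrek"), leetspeak and
digit suffixes. The profile and passwords below are constructed samples.
"""
import re
import unicodedata

MIN_LEN = 8          # minimum password length
MIN_WORD = 4         # shorter profile words cause too many false positives
STOPWORDS = {"with", "from", "other"}
# Undo the usual digit-for-letter swaps so "b0wl1ng" is seen as "bowling".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

PROFILE = {  # constructed user-list entry, as a BBS user list might show it
    "handle": "Joe Blow",
    "real_name": "Joseph Blow",
    "city": "Phoenix, AZ",
    "occupation": "insurance salesman",
    "interests": "bowling, SCUBA diving, Star Trek & lacrosse",
}


def letters_only(text):
    """Lowercase ASCII letters only: accents stripped, all else dropped."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", text.lower())


def profile_words(profile):
    """Words from every profile field, plus adjacent words run together."""
    words = set()
    for value in profile.values():
        tokens = [letters_only(t) for t in re.split(r"[\s,&/.\-]+", str(value))]
        tokens = [t for t in tokens if t]
        joined = {a + b for a, b in zip(tokens, tokens[1:])}
        words.update(w for w in set(tokens) | joined
                     if len(w) >= MIN_WORD and w not in STOPWORDS)
    return words


def password_cores(password):
    """Letter-only forms of the password, with and without leetspeak undone."""
    lower = password.lower()
    return {letters_only(lower), letters_only(lower.translate(LEET))}


def check_password(password, profile):
    """Return the reasons the password is rejected; an empty list means accept."""
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    # Shortest profile word first, so the report names the plain word
    # ("scuba") rather than a run-together one ("bowlingscuba").
    words = sorted(profile_words(profile), key=lambda w: (len(w), w))
    for core in sorted(password_cores(password)):
        hit = None
        for word in words:
            if word in core or (len(core) >= MIN_WORD and core in word):
                hit = word
                break
        if hit:
            reasons.append(f"derived from profile word '{hit}'")
            break
    return reasons


if __name__ == "__main__":
    for pw in ("bowling", "Scuba1987", "StarTrek!!", "Lacr0sse42",
               "correct-horse-battery"):
        print(f"{pw:24s} {check_password(pw, PROFILE) or 'accepted'}")
```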

Unlike other hacking situations, such as when dialing up a large government computer for the first time, you will be familiar with practically every aspect of the BBS you select to hack. BBSs often have a menu option that gives you the rundown on what equipment is being used to operate the system. The brand of software will also be known to you, and from regular conversations with the sysops and users, a personal familiarity will develop. Knowing all these facts gives you a great advantage in the writing and uploading of Trojan horse programs, in the seeking out of bugs to profit by and, yes, in the guessing of passwords.

BBSs will generally tell you upon login whether or not the sysop is available to chat. Naturally there is no guarantee that the sysop is not present when the notice says he's not present, but the "Sysop is IN" sign can at least warn you of when you should be most cautious. Even if the sysop appears to be unavailable, the BBS software itself might be watching you like a hawk, printing out your every move, or every attempt at crashing the software. For example, RBBS-PC bulletin board software allows the sysop to keep a continuous printout on each caller's name, files exchanged, and error messages that occur. As we will see later in this chapter, this can be troublesome depending on the type of attack you wage against the BBS.

There are some advantages for the hacker who runs a BBS, whether or not the hacker is willing to abuse the trust users place in the sysop. For example, the hacker can set up a BBS specifically as a place for other hackers to pose questions and exchange information. If you decide to do this, you will definitely want to make sure you are overly wary in your advertising and in your group's initiation procedures, to ensure that you're not accepting law enforcement officials or hostile hackers onto your board. So as not to get too off the topic, I will come back to the security subject later, at the end of this chapter.

Running a BBS (or at the very least, setting one up on your system, even if you don't go public with it) will teach you more about how BBSs operate than anything else. It's always beneficial to a hacker, and soothing to the true hacker's mindset, to be fully conscious of how a computer system works. Also, you can try setting up a limited BBS and practice breaking into it from a friend's house, or challenge others to do so (you're best off making this challenge only to close friends). This will show you what can and cannot be done on the particular BBS software you're running, and might teach you something about hacking as well. Then you can go out and infiltrate other systems which run the same software. And you can alert other sysops to the security risks inherent in their systems. I've never run a BBS by myself; I've never wanted to devote a computer and phone line, nor my time, toward the maintaining of a bulletin board system. But I have been an assistant sysop with full operating abilities on several BBSs, and in so doing I've seen a lot of tricks that people have tried in an effort to break into those systems.

Running A BBS

The least difficult way to collect passwords is to have people give them to you. If you start up your own BBS, that is exactly what will happen. But being a sysop takes a lot of work, and it also involves the use of your computer, modem, telephone line(s) and possibly even your printer. That leaves little equipment to hack with!

The original three motivations for hacking local BBSs were for: 1) the excitement and curiosity-satiating value of it, 2) low-risk practice and, 3) the opportunity for password collection, that is, to obtain passwords which might also be used by the same users on other computer systems. When you set up your own BBS, the first two of these reasons are suddenly gone. Only the third remains, and there are more efficient ways of collecting passwords than this. However....

Midnight Masquerade

One night, at around 1:30 a.m., the Treacherous Den BBS received a visit from a hacker. The hacker tried logging in a few times using my handle, The Knightmare. The sysop of the system, my friend DR dendryte, was sitting there watching the hacker go at it unsuccessfully until finally he pressed the function key which brought the two of them to chat mode. The following is a transcript of the ensuing conversation, copied exactly as it appeared in the sysop's printout, but with unnecessary carriage returns removed. [My own comments are in brackets, like this.]

SysOp wants to Chat!

This is DR dendryte, Who RU?

this is Knightmair Forgot my password. Log me on.

[That did it. DR dendryte knew for certain he was dealing with an impostor. He knew that I would never forget my password, considering that it was the same password I'd been using for several years, and that I never called that late at night. DR dendryte, however, decided to play along.]

If you are really who you say you are, let's go voice!

[At this point, DR dendryte is asking the hacker to get off his modem and pick up the telephone; that is, go voice.]

Don't beliew you don't trust me

GO VOICE

[Here, both are trying to type at once. DR dendryte lets the cracker speak:]

Theres no phone in the room..

Sure there is! On the bookshelf next to you!

How Did you forget your password??!

It broke I dont know it just slipped my mind, I guess!

HA!! You should have said, "WHAT bookshelf?" There IS no bookshelf in the room! HAHAHAHAA

I can't just give out passwords like that

you don't have to tell me, you can just log me in.

If you're really The Knightmare then what is your REAL NAME?

[A pause, and then:]

come on., i cant beleive you!!!!! don't you trust your own best friend & co-sysop?

You are definitely NOT The Knightmare...

[Here DR dendryte was referring to the hacker's bad spelling and grammar; DR dendryte knew that I am meticulous in my on-line chat writing, that is, I never make stupid spelling mistakes or use bad grammar or anything like that.]

That does igt! I don't want to be your friend anymore! Just delete me off the BBS.

+++

[Click.]

The next day, when DR dendryte told me this story I said, "You should have told him, 'I AM The Knightmare!' That would've really embarrassed him!"

Impersonations of this kind might work, but only if you are already intimately familiar with the person you are attempting to impersonate. In this instance, the hacker chose to login as me, correctly assuming that I would not be at the sysop's home at midnight. Perhaps the hacker also supposed that DR dendryte would be asleep. It seems to me that a ruse like this is more likely to work on a large corporate computer, where nobody knows each other and workers may not have the great love for their computer system that sysops have for theirs.
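The impostor in the transcript above was caught only because DR dendryte happened to be sitting at the console at 1:30 a.m. This added example (not from the book) automates the sysop's-eye view: it reads an RBBS-PC-style caller printout and pages the sysop on repeated failed logins under one handle, or on a successful login at an hour far from that handle's usual calling times (the "usage patterns" item in the list of loopholes above). The log format, handles, times and usual-hours table are all constructed.

```python
"""Page the sysop on the two signals that gave away the impostor above.

Added example, not from the book: an automated version of what DR dendryte
did by eye at 1:30 a.m. It walks a caller log and raises an alert for
repeated failed logins under one handle, and for a successful login at an
hour far from that handle's usual calling times. The log format, handles,
times and usual-hours table are all constructed sample data.
"""
import re
from collections import defaultdict

MAX_FAILURES = 3     # failed attempts by one handle inside WINDOW_MIN
WINDOW_MIN = 15      # minutes
OFF_HOURS_GAP = 4    # hours away from every hour the handle usually calls at

# Constructed caller log, one "HH:MM handle OK|FAIL" line per attempt.
SAMPLE_LOG = """\
22:10 DR dendryte OK
22:45 The Knightmare OK
01:30 The Knightmare FAIL
01:32 The Knightmare FAIL
01:35 The Knightmare FAIL
01:36 The Knightmare FAIL
01:40 DR dendryte OK
01:50 Joe Blow OK
"""

# Hours of day at which each handle has historically logged in (constructed).
USUAL_HOURS = {
    "The Knightmare": {15, 16, 17, 19, 20, 21, 22},
    "DR dendryte": {0, 1, 2, 7, 8, 18, 19, 20, 21, 22, 23},
    "Joe Blow": {17, 18, 19, 20},
}

LINE_RE = re.compile(r"^(\d\d):(\d\d) (.+?) (OK|FAIL)$")


def parse_line(line):
    """Return (minute_of_day, handle, succeeded), or None for a junk line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2)), m.group(3), m.group(4) == "OK"


def hour_distance(hour, usual_hours):
    """Hours (on the 24-hour circle) from `hour` to the nearest usual hour."""
    return min(min(abs(hour - u), 24 - abs(hour - u)) for u in usual_hours)


def analyze(log_text, usual_hours=USUAL_HOURS):
    """Walk the log in order and return the alerts it raises."""
    alerts = []
    failures = defaultdict(list)   # handle -> absolute minutes of recent failures
    alerted = set()                # handles already paged for the current burst
    day_offset, last_minute = 0, 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, handle, ok = parsed
        if minute < last_minute:       # the clock passed midnight
            day_offset += 24 * 60
        last_minute = minute
        now = minute + day_offset
        stamp = f"{minute // 60:02d}:{minute % 60:02d}"
        if ok:
            failures[handle].clear()
            alerted.discard(handle)
            usual = usual_hours.get(handle)
            if usual and hour_distance(minute // 60, usual) >= OFF_HOURS_GAP:
                alerts.append(f"{handle}: login at {stamp} is outside usual hours")
            continue
        recent = [t for t in failures[handle] if now - t <= WINDOW_MIN]
        recent.append(now)
        failures[handle] = recent
        if len(recent) >= MAX_FAILURES and handle not in alerted:
            alerted.add(handle)
            alerts.append(f"{handle}: {len(recent)} failed logins in "
                          f"{WINDOW_MIN} min, page sysop")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```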

Hackmail

The Treacherous Den BBS was a particularly sweet target for hackers to try and infiltrate. It was a large system, with many users (many of whom were sysops of other BBSs), and it had dozens of games and digitized pornographic pictures that could be downloaded.

The system was run off a pirated copy of a popular BBS software package, but DR dendryte had altered it so that it appeared to have been officially registered in his name. Once a long-time user of the system asked DR dendryte an innocuous but technical question about the BBS, over the phone. DR dendryte told him to hold on a minute, he would look up the answer in the manual.

"Oh, you bought it?" the user asked, apparently referring to the BBS software.

"Yeah," DR dendryte replied, referring to the instruction manual, which he had found at a used book store for a quarter.

DR dendryte answered the user's question, chatted awhile longer and then hung up. He didn't think any more of the conversation until the following month, when a cardboard envelope arrived in the mail. It was a disk envelope, with a computer-printed return address label affixed that gave the address of the company that produced the BBS software. DR dendryte opened the envelope. Inside was a letter addressed to DR dendryte's real name, and signed by the author of the BBS software, the man who also owned and had started the company. The letter read:

Dear Mr. L

L Software has adopted a new software upgrade policy. All customers who have purchased non-entertainment packages from before July 1986 are entitled to a yearly free upgrade.

This new version of your software is fully compatible with all previous ones. To upgrade, simply insert the enclosed diskette and type START.

Thank you for purchasing fine quality L Software. We hope to have you again as our customer in the future.

Very Truly Yours

(Signature)

Not only did DR dendryte know immediately that this was a total crock, but he knew who had had the gall to send it to him. At once he reduced login access for that user he had spoken with on the phone, down to one-time visitor status. Then he wrote a nasty note and e-mailed it to him. That particular user was the only person, aside from myself, who knew about the manual. But of course, I already knew that DR dendryte had not bought the software, but had obtained the manual through alternate means. The user had assumed incorrectly that because DR dendryte had the book, he must have bought the BBS.

Upon examination of the disk that had been mailed to him, we found that the disk contained eight files: There was a text file which explained all the "wonderful and exciting features you will enjoy having on your new version of L BBS Software." There was an instruction file called START, which read the contents of that text file. START would then "update" the old version of the software with its "new" version. There were four files on the disk that exactly matched ones found in the actual BBS software (apparently these were there to misdirect our attention), and a fifth program that matched closely but not exactly! (It is possible to compare two files by using the "comp" command under MS-DOS, or by using a relevant feature of a Norton or Norton-type program.) Finally, there was a blank file called T on the disk, which served no purpose at all.

It took us hours to figure out what the user had programmed his "new" version to do. As it turned out there were two things different. A copy of the user information file was programmed to be e-mailed to a user the first time he logged on; a trap door had also been inserted that would give temporary operating system access to anyone who typed control-E, control-X, control-I, control-T, control-! at the username prompt.

You won't be able to pull a stunt like this unless you can gain access to the source code for the software, as he must have been able to do (unless you want to recreate from scratch an entire bulletin board system). Once again, another of those pesky hacker attacks was thwarted!
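The four exact matches and the one near match above were found by hand with comp. This added example (not from the book) does the same comparison against a manifest of SHA-256 digests: every file on a mailed "upgrade" disk is classified as unchanged, modified, unexpected or missing, and anything but an exact match blocks the install. File names and contents are constructed to mirror the story, and the manifest is assumed to reach the sysop through a channel other than the envelope itself, since the letter and its return address were forged.

```python
"""Check an "upgrade" disk against a manifest before anything on it runs.

Added example, not from the book: the comparison DR dendryte did by hand
with "comp", done with SHA-256 digests. The manifest must come from the
vendor through a channel other than the envelope (the letter was forged).
File names and contents are constructed sample data that mirror the story:
four files identical to the genuine software, one that differs, and three
extras (START, a text file, and the empty file T).
"""
import hashlib
import os
import tempfile

GENUINE = {  # constructed stand-in for the real, installed BBS software
    "BBSMAIN.BAS": b"10 REM main menu\n20 GOSUB 1000\n",
    "BBSLOGIN.BAS": b'10 INPUT "Name"; N$\n20 INPUT "Password"; P$\n',
    "BBSMAIL.BAS": b"10 REM private mail\n",
    "BBSFILE.BAS": b"10 REM file transfers\n",
    "BBSCHAT.BAS": b"10 REM sysop chat\n",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(files):
    """sha256sum-style text: one '<hex>  <name>' line per genuine file."""
    return "".join(f"{sha256_bytes(data)}  {name}\n"
                   for name, data in sorted(files.items()))


def load_manifest(text):
    """Parse sha256sum-style lines into {name: digest}."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected


def audit_disk(disk_dir, expected):
    """Classify every file on the disk against the manifest."""
    report = {"unchanged": [], "modified": [], "unexpected": [], "missing": []}
    present = {n for n in os.listdir(disk_dir)
               if os.path.isfile(os.path.join(disk_dir, n))}
    for name in sorted(present):
        digest = sha256_file(os.path.join(disk_dir, name))
        if name not in expected:
            report["unexpected"].append(name)
        elif digest == expected[name]:
            report["unchanged"].append(name)
        else:
            report["modified"].append(name)
    report["missing"] = sorted(set(expected) - present)
    return report


def safe_to_install(report):
    """Only a disk that matches the manifest exactly may be installed."""
    return not (report["modified"] or report["unexpected"] or report["missing"])


def build_sample_disk():
    """Write the constructed 'mailed' disk to a temp dir; return (dir, manifest)."""
    disk = tempfile.mkdtemp(prefix="upgrade_disk_")
    mailed = dict(GENUINE)
    # The one file that "matched closely but not exactly": the login code
    # with an extra line appended, as in the story.
    mailed["BBSLOGIN.BAS"] = GENUINE["BBSLOGIN.BAS"] + b"15 REM extra line\n"
    mailed["START"] = b"TYPE README.TXT\nCOPY *.BAS C:\\BBS\\\n"
    mailed["README.TXT"] = b"Wonderful and exciting new features...\n"
    mailed["T"] = b""
    for name, data in mailed.items():
        with open(os.path.join(disk, name), "wb") as f:
            f.write(data)
    return disk, make_manifest(GENUINE)


if __name__ == "__main__":
    disk_dir, manifest_text = build_sample_disk()
    result = audit_disk(disk_dir, load_manifest(manifest_text))
    for key, names in result.items():
        print(f"{key:10s} {names}")
    print("install:", "yes" if safe_to_install(result) else "NO")
```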

Crashing BBSs

On another BBS that I was a part of, the sysop would come home from school every day to find his system had crashed. It had simply frozen up and would have to be rebooted. Eventually he found out from someone that there was a bug in that version of that particular BBS. A "\x" typed at the password prompt caused everything to halt. Key portions of the BBS software were written in easily changeable, interpreted BASIC. To remedy the problem I simply added a line after the prompt that would disconnect anyone who tried typing in the dreaded "\x." It worked.

I've always wondered about that "\x." Why would such a harmful thing be there? I can't imagine the programmer putting it in purposely, unless perhaps it was a means to bother unlawful users of his software. Maybe it was some trap door that had gone awry. Maybe if I had studied the program more I would have figured out its meaning. Maybe (this is a credible possibility) that bug had been placed there by the person who had given the copy of the software to the sysop, or by the pirate who had first bootlegged it, or by anyone at all along the line. Pirated software travels so rapidly across the country and around the world that literally thousands upon thousands of persons might have had the chance to add the "\x" thing and distribute the buggy code. Hey, are you starting to get an idea there? I know I am!

You could either write your own BBS program or alter a currently existing one, with some secret features such as an exit to DOS, or whatever trap doors tickle your fancy. You could put in a line which checks to see if a very obscure and unlikely control code is entered at the login prompt, and if so, highest system access is gained.

A twist to this tactic is to write or change a terminal program, which you give to the user. When it receives an internal code while connected to your BBS, you gain access to the calling computer. For example, a user would be running your special terminal program while calling your BBS. The BBS would send a code to the caller's modem, which would allow you to wander around the caller's hard drive. To cover up the fact that you're roaming around in there, entry would have to take place during a long file transfer or, if it is a slow modem, during those time lags between modem action. The terminal program could continue pretending to receive data while you surfed the remote user's drives.

PRODIGY, a graphic-oriented interactive, on-line service, was accused of engaging in a variation on this theme in the summer of 1991. Users were finding personal data buried inside the software that is used to dial up PRODIGY. After complaints and outrage, PRODIGY's senior vice president mailed out a utility to those concerned, which would erase non-essential data from the service's terminal software. In an accompanying letter he sincerely asserted:

As we have stated publicly and written on-line, the PRODIGY software does not read, collect or transmit to PRODIGY Services Company any information or data that is not directly connected to your use of the service. We want to assure you that we will continue to work to safeguard the privacy of all of our members.

Maybe theirs doesn't do those things, but yours can!

Years ago, one group of enterprising hackers distributed their own homebrewed, broken terminal program for the Macintosh line. The program gave users the convenient option of allowing them to store passwords and other login procedures on disk so that one would never have to worry about forgetting them. The information was stored in encrypted form on a hidden part of the disk. The program was developed to "go bad" after several phone numbers and passwords were stored, the hope being that users would send back the disks, and the hackers would end up with a bunch of precious login information.

This should be taken as more theory than actual practice: PRODIGY can get away with requiring users to boot from their software because of the unique graphics and mouse interface provided. Unless you work something like that into your term program, who's going to want to bother installing and learning your software when they are already familiar with one or several commercial packages? In fact, this is what happened to that group of hackers. Initially there was great interest in their terminal program (which they gave away free), but no one wanted to go through the trouble of using it. The problem was, the hackers gave the program out to experienced users who had already developed an intimacy with one or more commercial programs. No one needed the hacker's terminal package, and so what seemed to be a great idea netted the hackers nought.

As for the first idea, changing a BBS to include trap doors, now that is a viable possibility. There will always be plenty of people looking to set up their own bulletin board system, or who are looking for ways of acquiring new software. Distribution is less of a problem than the programming, especially considering that you will not only have to interject some key portion of code for the trap door but, for best results, determine a way to hide that code from interested eyes.

Trojan Horses

It is usually easy for a hacker to infiltrate a BBS with some version of a Trojan horse program. The hacker writes a program which performs some interesting function, such as playing a game or putting pretty pictures on the screen. Hidden in that program are instructions to read BBS password files, or carry out some other covert operation. The hacker then uploads the program to a BBS and (here's the important part) hopes the sysop runs the program.

You will want to procure a copy of the BBS program before writing a Trojan horse, so that you know exactly what those secret instructions should be doing. Otherwise, how will you know what files to look in or where to go on the disk for information?

What kinds of things can you program a Trojan horse to do? Here are some suggestions:

Have it secretly reprogram the BBS itself to include a trap door. If the BBS program is written in an interpreted language, you can have the Trojan horse add some lines which would give you sysop access upon entering some code word. This actually has been done on a popular Commodore 64 bulletin board system that was written in BASIC. A Trojan horse may contain a rough version of the BBS program itself. The Trojan then extracts that piece of itself, copying over the legitimate version already on disk.

You can program the Trojan horse to look into the password file and send data contained in it back to you somehow. Many BBSs have a text file section. You can have your program encrypt the passwords as it roots them out, then append them to the end of one of the text files. Then you simply log on, view the files, obtain the encrypted passwords and decode them. People reading the text files on-line will interpret the seemingly random characters as line noise or harmless file corruption. Another way to get password information back to yourself is to use the BBS's e-mail function. To avoid suspicion (because sysops love to read the e-mail users send to each other) you should, again, encode the information and embed it within an otherwise boring piece of e-mail.

Covering Up Trojan Horse Activity

There are two things you have to worry about when you upload a program containing a Trojan horse to a system:

That your Trojan horse will be discovered while it is running.

That it will be discovered either before or after it has run.

I will talk about each of these problems in turn.

While It Is Running

The rational hacker has an easier time of this than does the malicious system crasher. You see, if Junior Joe writes a program to covertly format hard drives, something has to be happening on-screen to divert the user's attention while the hard disk drive light flashes on and on and on.... It takes quite a while to format a hard drive. Junior Joe has to cleverly devise some non-interactive time-killer that will hold interest for the length of the format or file deletions. The time-killer could be a pornographic display (perhaps accompanied by digitized sound effects: "Ohhh! Ooooh baby! Yummm-mee...!") or a digitized musical score, or perhaps the program could send graphics to the printer. Meanwhile, you will be using rapid-action Trojan horses (sprinters) which do their thing in short, quick bursts.

Never have your program access the hard drive (or any unauthorized peripheral) for what the sysop will think is no reason. When the Trojan horse is actually going about its business, there should be a note on the screen to misinform the sysop as to what the program is doing. For example, if the Trojan horse is hidden in a game, you could have it display the message, "Saving your new high score...", while the program changes around user access files (or whatever your horse is trained to do). Don't forget, the program actually should be saving the user's high score as well, and the entire drive access time should be very short. As soon as the Trojan horse is finished operating, the program should erase the note from the screen; this will ensure the drive access time goes unsuspected. If possible, have the note be erased midway through the Trojan horse's activities, to deliver the illusion of very quick drive access.

Another way to access the drive unnoticed is to have the program say something like this when it is started up:

AutoCheck Virus Detection Program v1.3
(c)opyright 1992 Paul Bradley Ascs.
Scanning file FILENAME.1 for viruses...
Scanning file FILENAME.2 for viruses...
etc.

Meanwhile, the Trojan horse will be scanning the computer's hard disk for passwords! For FILENAME.1, FILENAME.2, above, substitute in the names of the program and data files that were uploaded with the application. A nice extra touch is to not have the ellipses (...) written to the screen immediately. Instead, have the periods appear one at a time between disk accesses, to make it appear that the program is really scanning through the different files.

Messages should always follow naturally from whatever's taking place on the visible program. Trojan horse activities can also be covered up under befitting circumstances by such messages as:

Loading text file...
Opening data file...
Reading data files...
Saving selections before quitting...

Trojan horses that perform BBS functions (such as changing passwords) should do so via direct disk access if possible, and not by utilizing the BBS program. That lets you bypass any security logs and printouts that are made of suspicious activity.

Before & After

Sysops, system administrators, and even regular users are now wise to the hazards of bulletin board file transfers. They understand at the very least the threat of viruses, and so are more likely nowadays than ever to examine a program carefully before using it. This means they will use a virus scanner to check your uploads for viruses. This is almost a given, but it is nothing to be feared since the available virus detection programs will not locate your Trojan horse in an otherwise valid file. What you do have to be careful of, is that the sysop or system manager will manually examine your uploads for filthy words or erratic programming.

As before, malicious crashers and system vandals have a bigger job ahead of them than you. They have text they have to hide within their programs. For instance, who hasn't heard of a virus or logic bomb that screams "GOTCHA!!" as it overwrites the File Allocation Table? Programs are available that specifically look for this sort of thing. Even if the sysop doesn't have one of those programs, if he or she is cautious enough, that crasher's "GOTCHA!!" will certainly be discovered before the program is ever run. Your Trojan horses won't have as much to hide.


programs will be text that gets

All the text in your

written sensibly to the screen anyway, text that


either part of the application

looks like

it

program, or

is

text that

comes from the program, but

is

actu-

used to blanket your Trojan horse. Also, your


program won't have any "format c:" commands
sticking out like sore thumbs. Thus, your job is
easier than the crasher's, though it's far from being
ally

a snap.

There may be commands in your program to


read or write, or to rename private BBS files. These

commands, and more importantly, the filenames,


must not be discovered by the sysop. It is not good
enough to use a simple one-letter-higher cipher to
encode commands and filenames; for there are
programs which can scan a file and display readable text it contains. If you just push everything up
one letter higher (i.e., "PASS" becomes "QBTT"),
those programs will still locate this encoded text
and the sysop might be smart enough to discover
what it means. You're better off encoding text using
numbers, symbols or foreign alphabets.
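The check the text warns about here, a sysop pulling the readable strings out of an upload and recognising a one-letter-higher encoding, is easy to automate. The scanner below is an added example written for this edition; it is not code from the book or from any tool the book names. It extracts printable runs from a file image the way a strings utility does, then tests each run for a list of sensitive keywords both in the clear and under every possible "push every letter up by N" shift, which is why the simple cipher described above hides nothing. The sample upload bytes, the keyword list and the function names are all constructed for the example.

```python
import re

# Constructed sample of an uploaded program image (not taken from the book):
# a plausible screen message, a plaintext BBS path, "PASS" pushed up one
# letter to "QBTT", and a stray "format c:" command string.
SAMPLE_UPLOAD = (
    b"\x00\x01MZ\x90\x00Saving your new high score...\x00"
    b"BBS\\USERS\\USERINFO.TXT\x00"
    b"\xff\xfeQBTT\x00\x00format c:\x00"
)

# Words a sysop would not expect inside an innocent game or utility
# (constructed list; tune it to the files the board actually keeps).
SENSITIVE = ["PASS", "USERINFO", "USERS", "FORMAT", "SYSTEMLEVEL"]


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Like the 'strings' utility: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def caesar_shift(text: str, shift: int) -> str:
    """Move every letter `shift` places through the alphabet; other bytes unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def find_keywords(data: bytes, keywords=SENSITIVE) -> list:
    """Return (keyword, string_it_was_found_in, shift) triples.

    shift 0 means the keyword is in the clear; shift N means the string
    contains the keyword with every letter pushed up N places."""
    hits = []
    for s in extract_strings(data):
        upper = s.upper()
        for shift in range(26):
            # Undo a shift of N by shifting back N; shift 0 is plain text.
            plain = caesar_shift(upper, -shift)
            for kw in keywords:
                if kw in plain:
                    hits.append((kw, s, shift))
    return hits


def report(data: bytes) -> str:
    """One line per finding, for a sysop reading the scan by hand."""
    lines = []
    for kw, found_in, shift in find_keywords(data):
        how = "in the clear" if shift == 0 else "shifted up by %d" % shift
        lines.append("%-12s %-16s in %r" % (kw, how, found_in))
    return "\n".join(lines) if lines else "nothing suspicious"


if __name__ == "__main__":
    print(report(SAMPLE_UPLOAD))
```

Running the block on the constructed sample reports PASS found shifted up by 1 inside "QBTT", and USERS, USERINFO and FORMAT found in the clear; a file containing only ordinary screen text reports nothing. Substituting digits, symbols or a non-Latin alphabet for the letters, as the text goes on to suggest, is exactly what defeats this particular check, so a scanner like this is a first filter for a sysop, not a guarantee.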
A program you upload may be an uncompiled source listing or a batch file. In this case, you will have to do some fancy fingerwork to keep your Trojan horses hidden. NEVER simply upload a batch file in its raw form. Imagine if you were the sysop who got this from a user:

cd BBS\USERS
open USERINFO.TXT
read USERINFO.TXT: User #443 == systemlevel
set systemlevel 99
close
exit

This isn't real code. It's meant to illustrate the kind of brazen attempt at upgrading access that would catch a sysop's attention. One way to eliminate this problem is to have the main application program create batch files and other programs it needs. The batch commands start out as encoded gibberish in the application program. A subroutine is called, which opens a text file, decodes the commands, fills the file with them, then goes about its business. The creation and use of the file should probably be done on separate occasions, to keep illegal drive access time low.

Also for easily-readable sources, the Trojan horse part should not be standing right in front or at the end of the listing. Put it deep within the program. Add comments that will tend to mislead the careless reader. Remember, if your cover program is particularly clever, the sysop may want to analyze it, to see how you achieved such a wonderful thing! This means your cover program could be under some heavy scrutiny; and your Trojan horse could be discovered by accident.

Consider having your program delete the Trojan horse after it has been executed. That is, have the last few steps the Trojan horse takes be to erase itself from the program.

Alternatively, have the sysop delete the application program (and thus the Trojan horse). This can be tricky: how can you get the sysop to delete all those files you uploaded, without letting on that something shady is going on below the surface? Ways this can come to pass are by having the application program be something that you know the sysop already owns, or something similar yet inferior to the sysop's version.

Or you could just write the sysop some e-mail, saying that you found a potentially dangerous bug in the program, "so if you would delete it I will send you a corrected version." This can only be done when the application you sent is a compiled program, elsewise the sysop would be able to correct the problem himself, wouldn't he!

A particularly paranoid sysop might transfer any uploaded files to a different computer before he tries them out. Or the directories could be set up different than expected, or the BBS might be set up to upload files to a floppy instead of the hard drive. Take these things into consideration when you program, and have your Trojan horse only work when the computer is set up as it is supposed to be. That is, it will only run when it has access to the password files, or whatever else is necessary for the Trojan horse to function. It's also necessary to do this because, if the application that hides your Trojan horse is good enough, the sysop will make it available for other users to download.

A Few Tips For The Do-It-Yourselfer

We talked earlier about hacker BBSs. What if you make a dedicated effort at finding a suitable BBS on which you can learn and share, but none turns up in your search? You may want to start a BBS of your own to suit your needs. Get ahold of the proper software, gather your most trustworthy friends together, and put together your own bulletin board system!

Running your own system means that you won't get much use out of your home computer and the telephone line to which it is connected. This would be no problem if all you did on your computer was hack, since your hacking can be taken on the road through the use of laptops, publicly available computers and the like. But you most likely use your computer for other sports: game playing, word processing, programming, and legal modem usage. Consider this before you get all excited about setting up a BBS. One way to get around this problem, and to simultaneously overcome many of the problems that arise when one sets up a BBS, is to use your hacking skills to break into a mainframe far away from your house, and use it for the site of your electronic bulletin board.

Whatever home you give to your system, you should install it with a false front to make it look legit, and a back side that encompasses the private area for accepted hackers only. Invite the hackers whom you know to be wise and trustworthy into the inner sanctum, while leaving the rest of the board open for unknowns to explore.

I have seen some fantastic BBSs go up, only to fail miserably. And I've seen so-so BBSs that quickly establish themselves as the "in" place to be. As a hacker BBS, you won't experience this to such a great extent since you aren't going to advertise as much as a generalized BBS would; after all, you're trying to keep out all the riff-raff. But you will still want new users to come and enjoy themselves, and if they turn out to be the kind of folks you'd like to invite behind the scenes to your secret hacker sub-section, all will benefit by it.

The strategy for getting users to come and stay awhile is to set up your BBS, turn it on, then leave it on. Many first-time sysops, excited with the prospect of running their own BBS system, continually take their BBS off-line to make improvements. Don't do that! If someone calls in and finds no computer is there to pick up, they aren't going to call back a second time.

Advertise your BBS on other BBSs whose members you would like to have on yours.

Have members of your BBS run scouting missions to the above-ground hacker BBSs. You will find out what, if any, useful information is exchanging hands over there, and you may be lucky enough to discover a hacker who is worthy of becoming a member of your club.

Before you allow an unknown hacker into the secluded realm of your hacker sub-boards, you should make doubly and triply sure that he or she is not a cop. Real hacker BBSs verify their members by having them go through an initiation procedure which includes recommendations from respected hackers, full disclosure by the hacker of personal information so that it can be checked, and an autobiography detailing what he or she has done, and what he or she can contribute to the group. Don't be fooled! Verify that this self-proclaimed hacker is not an FBI agent by checking out credit ratings, telephone company data, and positions on other computer systems. You will have to use every inch of your hacking skills to ensure that the personal information that you are given matches a real human being. This isn't paranoia; it is common sense. Many, many hackers have been fooled by impostors pretending to be hackers. The safest thing is to not accept new members into your BBS; but that may not be the smartest thing because it eliminates a possible world full of information that will never expose itself to you.

Exploring electronic bulletin boards can be a pleasant pastime. It can sharpen your skills and teach you much about a lot of things. There is such a startlingly large number of BBSs around that a hacker could find himself spending all hours of the day and night connected to them, never to enjoy the thrill of the hack itself. Considering the dangers of hacking, that might not be such a bad fate. In an upcoming section we will explore more ways you the hacker can protect yourself from the law. But for now let's get back to hacking; some of the best and most useful techniques are yet to come!

Chapter Eleven: Borderline Hacking

I want to talk about some non-hackerish ways of dealing with hacking problems. There are times when some need forces a hack to be accomplished under time constraints. When that is so, the usual time consuming methods may fail us, and so one must resort to desperate measures. For the most part this is a topic related to doing hacking as a job, which I feel is important to bring up because lately being a hacker-for-hire has become an issue in the hacking world.

Hacking For Ca$h

There are hackers who have "made good," becoming security consultants for corporations and governments. These turncoats have received criticism from two directions. From the hackers: "How dare you do this to us!" (Rebuttal: "Obviously you are not a real hacker. A True Hacker would delight in trying to outwit another hacker's attempts to beef up security.") From the law-abiding citizens: "We couldn't trust him before, why should we trust him now?" and "Just because you know how to break into systems doesn't mean you know how to prevent them from being broken into." These are all valid points.

If you wish to enter this line of business, you are not alone. Companies have paid as much as $20,000, possibly more, to have a hacker attempt to gain access to their computers. "Tiger teams" is the term for groups of hackers or sometimes lone hackers who are hired by an organization to put their security to the test. If you decide to pursue such a path, you will want to project an air of professionalism and sincerity. You have to prove to them you are a competent hacker, but you can't let them know that there is a rebellious spirit in your heart.

Remember that computers are vulnerable not only to crackers. There are also viruses, improper computing environments, loose-lipped employees and other hazards that can make even a tightly sealed ship sink. Preparing the owners for any catastrophe will earn you extra respect and recommendations for other jobs.

To touch on the second criticism of the "law-abiders," it is important to offer solutions to any security loopholes you uncover in your investigation. You are a hacker, so you know how hackers think. You know their minds and their methods, and so, yes, you have the expertise to recommend action that will prevent invasion of their system. Explain to your employer why it is important that each of your suggestions be followed. Tell them what you did to get in, the weaknesses you saw, and the potential trouble spots for the future.

Other suitable clients are private individuals who are concerned with the information being stored on them in databases. Hackers have been hired to alter phone numbers, find unlisted numbers and addresses, remove fines, look up license plate data and change school grades, among other jobs. Hacking a business's computers under contract for that business is a perfectly legal occupation, but when you start helping people access and perhaps change their data files, you have stepped into the unlawful zone. Therefore, you should be very careful about who you deal with and how much you let those people find out about yourself.

Hacking is a hobby. Once you start getting paid for it you run into a problem: What happens if you can't complete a job?

True, nothing should be too tough for the Super Hacker like you, but occasionally you might have a deadline or unexpected difficulties and the system that looked so fragile when you began now looms as a large and impenetrable monster that is beyond your capabilities. That's where foul play comes in. Hopefully you won't have to resort to anything less than hacker's methods. On the other hand, if you have reached a point where you must choose between balking the job or finishing it in an untraditional way, you might decide to do the latter to keep your good reputation intact.

Besides, there's no sense in restricting yourself to hacker techniques when the bulk of penetrators are going to use these uncouth methods anyway. If a company is paying you to stop intruders, you'll want to make certain that there really is no way that these blunt methods, commonly used by non-hackers to gain access, will be viable. Therefore, you might have to try them out on the system you are being paid to protect.

Filthy Tricks

These tricks are filthy because they are the kinds of things a rank amateur would do. These "techniques" are strictly for non-hackers. I'd go so far as to say these are the kinds of things a non-computer-user would do! When I say "computer user," I mean someone who uses a computer because they want to, as opposed to someone who does so from necessity.

Often these tricks are used as a precursor to some sort of theft, or espionage, topics which lay on the fringe of true hacking only because they involve computers. A true hacker must know these tricks exist, but would use them only as a last resort and then only with severe motivation to break in.

Bribery

You might not want to bribe the system administrator, but there will probably be some underlings who also have "God access," who may be willing to lend same to you, for a price. I would suggest you use bribes to pay for access to the system, rather than bribing the person to carry out computer work for you. After all, you want him to remain uninvolved in your affairs; if you're spying by computer, the last thing you need is a company insider knowing that you're doing so.

Have the bribe pay for either access to that person's account, or to a newly created superuser account. If the latter, only log on when the bribee is not on duty, so that he or she won't get curious and look to see what you're up to.

Offering money in exchange for a specific service to be performed (like offering $500 to change a grade from an F to an A) is even tackier, and more dangerous, than just paying for system access. For instance, in 1973 a computer operator employed by the Illinois Driver Registration Bureau was given a $10,000 bribe to steal a tape reel which contained personal information about drivers registered in that state. Considering that Departments of Motor Vehicles are some of the easiest and safest of computer systems to hack into using social engineering, it was both foolhardy and expensive to pay that much. My source of information on this case does not mention whether or not the people who offered the bribe were apprehended, but just the fact that we know about the bribe implies they were not successful. (Or at the very least, that future attempts would be less likely to succeed.) This is why you should hack if you can hack, and use other methods ("filthy tricks") only as a last resort, and then only to get into the computer, not as payment for the information you seek. Besides, with system access you can try-before-you-buy, and you will be sure to get your money's worth, especially since once you have logged on, you can create your own superuser account that the person you bribed doesn't know about.

Booze And Broads

Yes! It sounds like science fiction but it's true! There have been reported cases of crackers gaining access to computers by supplying alcohol, drugs and even prostitutes to the security personnel at a company. An article by Douglas Waller in the May 4, 1992, issue of Newsweek reported that a Japanese competitor to a "Midwestern heavy manufacturer" had outbid them one too many times. Upon investigating, it was found "that the Japanese firm had recruited one of the manufacturer's midlevel managers with a drug habit to pass along confidential bidding information." This sort of dealing sounds risky to me, because who knows what someone's liable to do once you've gotten them drunk or high? But that's why I'm saying these are the "techniques" used by the computer illiterate.

Bad Feelings

This isn't exactly a dirty trick, but it feels like one. If you can manage to find yourself a worker who feels maligned by the company, possibly one who is about to leave, especially one with programming ability, then you've got it made. Play up his or her bad feelings toward the company. Remind them how the company screwed them, didn't recognize their good work, and continuously passed them over. Without being specific, say you want to help them get revenge on the company. Of course, a hacker does no such thing, but if you can incite the disgruntled employee into action, he will get the blame for your own hackerish misconduct. (I know, I'm cruel sometimes.)

In any case, employees who are moving on to greener pastures, or those who are disgusted with their bosses, are a great source of inside information, including company lingo, phone directories, procedures and policies and, of course, passwords. If your goal is to penetrate a system run under top notch security, getting a friend on the inside may be your only hope. But an ex-employee doesn't have to leave angry to be of use. Anytime you hear of an employee either quitting or being fired there is the opportunity to find out that blessed data. After all, computer accounts live on long after an employee has left a company. Once someone has left the company, what does he care whether you use his password or not?

Chapter Twelve: What To Do When Inside

It seems straightforward enough. You're inside? Great! Take a look around! Of course that is what you'll do in most cases, after getting into a system and patting yourself on the back. But then what? To answer this we will have to begin with a rethinking of our goals and morals.

Hacker Motivations Revisited

The true hacker is motivated by her or his desire to learn, to understand, to cleverly and harmlessly outwit.

Others who use hacker techniques might do so because they have a desire to learn about their competitor's secrets; to understand why they keep getting underbid every time; or to cleverly outwit the company or individual who they feel owes them something, and enact revenge upon them.

So let's see what we have here. There is the free-thinking, computer-enthusiast hacker, the economic espionage hacker, the politico-espionage hacker, the out for revenge cracker, and finally, the hacker for hire. Most often these assorted infiltrators will have breached security with a low-level account. This is because accounts with low security clearance are the most prevalent, and many hacker tricks focus on the naive user who is more prone to having a low-level account.

The hacker for hire and the hacker spies will have target computers, perhaps even specifically-targeted people in mind. They will want to go after either a particular username/password combination, or any access big enough to allow covert entry into their target's account.

Vandals and revenge hackers obviously would love to attain higher access than what they came in on, but unless they are sufficiently skilled, they will probably opt for the quick hit-and-run. That is, they will be content to break in under any password, do whatever damage is possible, send some nasty e-mail, and leave. Probably they will continue coming back over and over again until they are either arrested or shut out for good. If these "hackers" do have targets in mind (like the president of the company or whomever) they will most likely settle happily into whatever lower-level role they find themselves in. If they have any skills or computer know-how though, watch out.

The true hacker may or may not want to take the hack all the way to the top. He or she may feel it is not worth the effort for the amount of work that seems necessary to increase a low system access to a higher one. This isn't giving up, it's being practical. If the knowledge to be gained seems minimal or available elsewhere, there's no point in wasting time trying to get it. Or, the hacker may not feel secure enough in his knowledge of the computer, its users, or operating system to feel confident in his ability to achieve higher access. This is a valid feeling, and an intelligent one; if the hacker realizes he is somehow ignorant, then he can stop and do what is necessary to learn what he does not already know. If something like this comes up it's probably only a matter of research to put the hacker back on the track toward superuser status. As the hacker BrainMan put it:

I like hacking, but I also like exploration. I know the computer will be there for a long time to come. Sometimes I feel I'd rather wait another day to do the exploration, the bookwork or social engineering, that will get me into an account, and I'd rather do some real exploration of a computer right now.

Besides increasing one's status in the system, a hacker has many options to choose from once inside. A hacker may:

Read the documents that are available.
Download files.
Run the programs.
Learn about the computing environment.
See if other computers may be contacted from this one.
Notify the system administrator of the presence of a security problem.
Cover his ass.

Or a hacker might simply log off and never return.

If you have managed to work your way into some data that you feel might have market value, you might consider selling that data and thereby fund your next big computer purchase. I recommend strongly against doing so. Becoming a spy for anyone becomes a serious and dangerous business. It also helps to further degrade the image of the hacker in the public's eye, and will serve only to make matters worse for hackers in the long run, and for you in the short run if you are caught.

Although most courts and CEOs would disagree, I personally believe that there is no harm done in reading through whatever files are on a system, so long as no one is hurt in the process. At least, I don't think reading private files is a crime any worse than hacking one's way in, in the first place. You will have to construct your own set of ethics to guide you; I sincerely hope those ethical constraints are based firmly on the principles of the hacker ethic that both opens and closes this book.

Logging off and never returning is something the more fanatic and paranoid hackers tend to do. It is akin to B & E without the E, and I can not see how they can morally condone the "B" (breaking in) while shunning the "E" (entering). I suppose the hackers who disconnect without system interaction do it either because all that matters to them is getting in, or because they are intensely scared of discovery.

The other options mentioned, increasing status, helping the sysops, and the learning, all require different degrees of familiarity with the computer system you have entered. Let us think about where you might find yourself, and what you should do when there.

To begin with, the account you have hacked yourself in with can be a single user account, a group account, root account, or "special account." If it's a root account, congratulations! You now have the ability to do whatever you want. The root account is held by the system administrator (or one of several "sysadmins"). It may also be called by different names: avatar account, god account, sysadmin, superuser, demigod account, sysop account, or admin. Or you may never even know you've gotten into the root until you find you can do stuff only the Computer Gods high upon Mount Input/Output should be able to do.

A "group account" is one used by many people. It might be a departmental or store account, where everyone in a particular store or department can log in under the same name/pass combo. Depending on the situation, those who are of a certain rank or job may have their own shared account. For example, many companies like to set up limited accounts for secretaries, typing pool or temps. Other group accounts appear in places where terminals are available to a number of employees, but where employees have differing levels of security clearance. Thus, all may be able to search a database, but only those who log in with a certain password can enter new data, or can change the way the database is structured.

"Special accounts" include guest or demo accounts that allow one to take a sneak peek before subscribing to a service. They may be testing accounts put in by system programmers. Special accounts may also take one directly to a program, rather than logging you to an operating system prompt. Programs are set up this way for tutorial purposes, to dispense information, or so access to a particular application may be more freely available. If the account you've managed to hack is a special account, you might have to break out of it illegally and enter the operating system if you expect to increase your access level.

In any case, before any action can be taken you must understand what kind of access you have, what privileges you're entitled to, and how they can be exploited to your advantage. This may mean you'll need an intimate knowledge of the machine and its software. Before we can proceed there's one teeny weeny concept you must have full comprehension of. I've just mentioned it twice now: the operating system.

Operating Systems

Okay, clear your mind of any thoughts you've ever had about computers. We're going to start at the very beginning.

Let's say you had a computer that only did one thing. For instance, think of a coin operated arcade game. That's a computer which plays but a single game. With a one-game computer, as soon as you push the on switch, the game can start running. After all, there's nothing else to do with the machine except play that game.

Now let's add a second thing to our computer. Let's say, not only does the computer play a game, it also does word processing. So we now have a two-task computer.

What happens when we push the on switch? Does it go right to the game? It can't; what if we wanted to do word processing? You see, now we have to make a choice. When we turn on the computer, we now have to specify somehow whether we want the game or word processing. How do we let the computer know where to go?

Well, we could have two separate switches, meaning any time I press the left switch, the game goes on and when I press the right switch, the word processor goes on. That may be a good solution for a little while, but what if I want to add a third thing to my computer? Or a fourth? Do I keep adding more switches?

What I do is, instead of adding hardware switches, I add a third program, a software switch. The third program is called the operating system (or OS), and when I push the computer's switch, the computer will automatically turn on the operating system program.

The operating system is a program that lets me choose between the game or the word processor. For example, when the operating system is started it may put a prompt on the screen such as, "Which program?" to which I would reply, "Game" or "Word Processor."

As you are well aware, this is basically what happens in real-world operating systems. In the early days of computing, when computers didn't do much more than run a few select programs, the controlling software was called "the monitor." As computers became more complex, there came the need to control multiple users, many peripherals, security, and an interlacing of program functionings. The monitor grew to become an all-encompassing program which did a lot more than just allowing the user to choose between a few programs. And so the term "operating system" is now used to describe this complicated piece of software.

Operating systems control the functioning of the entire computer; they control how resources will be allocated to the tasks at hand, how memory is used, which programs are to be run and in what order. It is the absolute master-control program; when you understand it, you have the understanding necessary to master the computer.

Some operating systems you are most likely to run into are "UNIX," "MS-DOS" or "PC-DOS" (on IBM compatibles), "PRIMOS," "RSTS" (on Digital Equipment Corporation's PDP-11 minicomputers), and "VMS."
It is important to understand operating systems because:

1. If you don't know the commands and syntax that control the computer, you won't be able to get the computer to do anything.

2. When you understand how an operating system works, you will be better able to look for bugs in it. Bugs invariably lead to security loopholes, which lead to a happier you.

3. You want to be familiar with the limitations of the operating system's security, so that you can exploit those limitations.

4. When you know how an operating system works, you will know what the computer's managers can do to trip you up, keep track of your whereabouts, and keep you from coming back.

All of this leads up to one big THEREFORE... Therefore, if you want to be a REAL HACKER, you have to actually know something about computers. If you want to control a computer, you have to know how to tame the software which controls that computer; you have to understand very fundamental things about its operating system.

Sure, a hacker may be able to get by using social methods and a tidbit of programming here and there, but there is no escaping the fact that real hacking requires real knowledge. And I'm talking about self-taught knowledge. You have to go out and learn this stuff on your own. Does this sound intimidating? Then maybe you don't have what it takes to be a hacker.

To hack a computer, then, you must become knowledgeable about its OS. At the simplest level that means knowing the basic commands that any user of the system requires on a day-to-day basis to interact with files, to send and receive mail, and to perform any needed action on the machine.

A hacker needs to know the obscure commands as well, and should also be familiar with any files, software and directories commonly found on machines under that OS. He needs to know how the manuals are structured and the "jargon" of the OS. He needs to know who uses such an OS and how they use it. And he needs to know the meanings of error messages.

But we still haven't gotten to the hard part yet. You see, all of the above is just the tip of the iceberg. After all, all of this information is easily available from standard sources such as manuals and design specification guides. What a hacker needs to know about an OS is the secret stuff that doesn't come in the manuals, or if it is printed there it is so technical and obscure that it is information decipherable only by a select few. Those lists of "basic things a hacker should learn" describe what the OS is and what it does. But a hacker, to effectively enter and exploit any system he or she encounters, needs to know how the OS works, and why it works as it does.

Operating systems are so huge that they can never be adequately checked to ensure that every single bug has been worked out. They are sometimes altered to include features or functions that a

Realistically, there is no way to make a 100% guarantee that a particular computer system is safe from intruders. It is theoretically possible to break


any system. A good hacker should be able to
break into most systems. An even better one will be
able to get into all of them. And the absolute finest
hacker will not only be able to enter every computer he encounters, but will be able to do something constructive once inside to make the trip

computer manager finds desirable, but


open up security holes. Sometimes
multiple programmers working on different parts
of the system don't communicate about vital aspects and so distant processes may explode if

worthwhile.

version of the

into

mean,

it's

one thing

on-line database.

It's

to

hack one's

way

into

another thing entirely to

an

fig-

particular

those alterations

forced into contact. Additionally, the software that


is

used

may have been designed for the plain-Jane


OS and so incompatibilities (and

hence glitches) develop. Or two or more pieces of


software being used together may open up sources

ure out how to alter records in that database, and to

of insecurity.

do so without being caught.


If you want to have the ability to enter any system that you encounter and take action once inside,

sible security breaches.

1 Hey, I'm talking Big Manuals here


thousands of
pages long, and written in the ghastliest corporate/tech-

nical

mumbo jumbo imaginable.

The casual user

is

oblivious to

all

of these pos-

A hacker may be oblivious

if the hacker has a fundamental understanding of the operating system which underlies
all these sources of intrusion, then that hacker will,
with a bit of thought, realize where the traps are

to them, but

and how they can be usefully manipulated.

Chapter Twelve: What To Do When Inside    127

Needless to say, this book is not going to suddenly turn into an explanation of the technical aspects of every single operating system, and a true hacker wouldn't want it to be. So, go out there and find some operating system you can get acquainted with. Learn its basic commands, but then go a step beyond that and learn how those commands were programmed. Figure out ways you could simulate the command without typing it directly at the OS prompt. What happens to memory when the command is executed? Are there ways to change memory? These are the kinds of things that are important to a hacker who wants to accomplish big dreams.

Examples of such techno-oriented hacker methods abound throughout the rest of this chapter. The reason is simple and unavoidable: the best things in life are often not free. You have to work hard if you want to do great and exciting things after invading a system. Sure, you may find it convenient to learn certain things only as the need arises, such as a particular shell programming language, or the way an application works. But when you lack knowledge about underlying principles of the operating system, you are hacking blindly; you are just as oblivious to the exploitable faults and flaws of the system as any other user.

Let's get away from all this heady stuff for awhile and go back to the impetus for this discussion of operating systems: After you get in, what the hell comes next?

Looking Around

What should you expect to find, once you've made it onto a system or network? A whole lotta things! There may be programs to run, or ways to move about from one computer to another, or one network to another.

Try looking for backup files and files that have been automatically saved on a timed basis. Some text editors leave behind files like this that are readable by anyone who happens to pass by. If the sysadmin has been editing the password file, or some other file containing sensitive data, you could be in luck. Electronic mail is often not automatically deleted, and it accumulates in (perhaps hidden) files on disks. Deleted files may not be deleted right away, but become hidden or moved to a special directory.

See if you can find evidence of security logs. One of the most common errors for a user to make while logging in is to type the password at the username prompt. If you can find a readable security log it will often contain records of these login errors. For example, if George Washington tries logging into his UNIX account with his password, "cherrytree," but he types a little too fast, the following ensues:

Washington [Enter]
Username:cherrytree [Enter]
Password:

George realizes he has messed up. He has typed his name before the login prompt, and he has put his password (quite visibly) on the "Username:" line. He presses Enter a few times to clear everything, but the damage is already done. Somewhere in the administrative directories, there is a log file that reads:

Unsuccessful login of user cherrytree @ Tue, Mar 24, 1992, 14:16:03

Now you just have to go through the various users on the system until you find the one who uses this password. Security logs may also keep track of files sent and received, errors resulting from unauthorized commands, new accounts or new users being granted superuser status.

Speaking of security, the first thing you should do any time you log in to an account for the first time is try to get a sense of who this person is whose account you are borrowing (assuming you don't already know). When you log on you will most likely be greeted with a message telling you the last time that account had been active, and possibly which location or server the user had contacted it through. If the message tells you that the legitimate user logged in recently then you may have a problem. Note the time of day the account was used and try to hack around it. Try logging in two times simultaneously on two separate computers and see what happens. Do you get an error message the second time? Is it possible to detect the presence of another person using the account with you concurrently? You want to know such things because you want to be able to deal with having the account holder coincidentally log on at the same time as you.

Let's look at this first scenario. You are logged into the account... the actual user tries logging in but gets a "User hjones already logged in on port 116" message. You have no way of knowing that this has occurred, but you can prepare for its eventuality by sending an e-mail message to the account, purportedly from the system manager, and leave it unread. So if the legitimate account holder were to log in she would find something like this waiting for her:

Message #01
From 1513 SuperUser
To [email protected]

Some faulty wiring has led to problems with several of our port connection verifier circuits in the subchart group of the local network system. If you receive a message upon login that you are already logged on, please hang up and try again in a few minutes. We are sorry about this problem and we are doing what we can to correct it, but this will take time. It was a matter of choosing between a bit of inconvenience for a while, or shutting down the system entirely. I hope you will agree it is better to have some bugs in the system than no system at all. We expect the problem to be cleared up before March 3rd. Thanks for your cooperation.

Often users will have personal history logs stored in their directory. There may be command history reports detailing file activity, newsgroup readership, transfers or files deleted. These can show you when and how the legitimate user is using the system, and also the level of competence of the user. If your account has been used very infrequently, then you know that the actual account owner poses very little threat to you, although it also means the system manager is now a threat, since he will suddenly see tons of activity from an account that had never before been active. On the other hand, if the account holder is in there night and day, you will have to be more wary of him than of the sysop; after all, any hacking you do from that account will get lost in the shuffle.
Commands To Look For And To Use

Most operating systems come with extensive online help. On UNIX, you can type "man commandname" to see the manual page for a command. Also helpful is "apropos" which will display a list of commands that are related to a given word. For example, "apropos password" lists all the commands, programs and variables that have something to do with passwords. You can then use "man commandname" to find out what each one means. On TOPS machines you can type "help" or "help commandname" for on-line information.

Process commands tell you what is being done on the system and, generally, who is doing it. UNIX lets you type "ps -f" to see how other people are using the computer. Using such commands will give you a feel for what options are available to you. Also, it will show you which users have access on other computers, if they are logged into them from the one you are on. If you're extremely lucky you might even find an encryption key poised in the list of processes. If a person has typed something like "crypt key < filename" that entire command, including the key, will appear in the listing. Unfortunately, the crypt program acts to remove the key from the listing once it is activated, but there is a brief period when the key is public data, there for all to see. Some "daemon" program could search for such occurrences (See glossary).

"Telnet" is a program that allows you to connect to other computers. Earlier it was mentioned that the account you've entered is most likely a low-access account. The reason a hacker bothers with regular user accounts in the first place is to give him or her a safe place to do real hacking. From that account you can do all the things you would never do from your legitimate account, like telnet to Pentagon computers and start a brute force attack. UNIX also has a "cu" (Call Up) command which allows the user to call up a specified phone number. Calling one computer from another enables the hacker to avoid being traced. It also might be the most practical solution to the problem of connecting to a certain computer, since some computers can only be accessed through other networks.

File Transfer Protocol (FTP)

FTP is a program that allows users to copy files back and forth between two computers, usually two computers connected via the Internet. Strictly BITNET users will need to use e-mail instead of FTP to transfer files. After typing "ftp" to start the program, one can input any computer address and try to connect with it. A username and password will be asked for. Many sites offer an anonymous FTP directory: users can log in with the username "anonymous" and have access to all the text files and programs that the site administrator has made available.

Often an anonymous FTP site is set up like a trading post. An incoming directory is set up with anonymous write and execute permission, but usually not read permission. Users can then upload files they want to share with others without those others knowing the files are available. The system operator can evaluate the files before making them publicly available. One common security hole with anonymous FTP is that two auxiliary directories called "etc" and "bin" are often owned by the FTP account. If this is the case, and they are not write protected, any user could upload their own malevolent versions of system programs and batches.

Fun N Games

You might see Xtrek or Empire, or any number of on-line, multiuser games available on the computers you crack, especially those at colleges. Because the games are multiuser, passwords are required to access them, and it should be noted that often the password-storing mechanism on the games is not as secure as it should be; the passwords are sometimes placed in a plaintext file. We know that people tend to use the same password wherever they go. Think about it.

The User Network

USENET is to local BBSs what the Taj Mahal is to anthills. USENET is an Internet BBS that encompasses thousands of discussion groups and millions of postings. On USENET, you don't just have a "computers" bulletin board, you have boards talking about software, about hardware, viruses, hackers, individual operating systems and printers and spreadsheets and ethics and... you name it. Each topic area is called a newsgroup. There are groups engaging in talk about music, flowers, SCUBA diving, crime, parachuting, television, books, bestiality, cars, sex; it makes one dizzy to think about it all. Some newsgroups are moderated. That is, some controlling organization edits the postings or picks and chooses which messages will be given display time. Most groups are an unmoderated free-for-all. One accesses USENET by running a news program such as "readnews," "news," or "nn." You can read the posted messages, or write one of your own. Messages are sent out to all other participating sites worldwide, which means if you have a question about anything, USENET offers a huge international forum through which to find an answer.
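The anonymous FTP layout described above is easy to audit from the administrator's side. Added example (not the book's code): a Python check of an FTP root for the conditions the text names, "bin" and "etc" owned by the FTP account or writable by others, their contents replaceable, and an "incoming" directory that anonymous users can read. The directory tree is constructed in a temporary location, with the current uid standing in for the FTP account.

```python
import os
import stat
import tempfile

# The two helper directories the chapter singles out, and the upload area.
SYSTEM_DIRS = ("bin", "etc")
DROPBOX = "incoming"
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH

# In this constructed example the current uid plays the FTP account, since
# the temporary tree is necessarily owned by whoever runs the script.
SAMPLE_FTP_UID = os.getuid()
SOME_OTHER_UID = SAMPLE_FTP_UID + 1


def audit_ftp_root(root, ftp_uid):
    """Audit an anonymous FTP tree; return a list of (relative path, problem).

    ftp_uid is the numeric uid anonymous sessions run as. Anything under
    bin/ or etc/ is executed or trusted by the server, so the entries are
    checked as well as the directories themselves."""
    findings = []
    for name in SYSTEM_DIRS:
        path = os.path.join(root, name)
        if not os.path.isdir(path):
            continue  # not every site ships the helper directories
        st = os.stat(path)
        if st.st_uid == ftp_uid:
            findings.append((name, "owned by the FTP account"))
        if st.st_mode & OTHERS_WRITE:
            findings.append((name, "writable by group or world"))
        for entry in sorted(os.listdir(path)):
            est = os.stat(os.path.join(path, entry))
            if est.st_uid == ftp_uid or est.st_mode & OTHERS_WRITE:
                findings.append((name + "/" + entry, "replaceable by an anonymous user"))
    dropbox = os.path.join(root, DROPBOX)
    if os.path.isdir(dropbox):
        st = os.stat(dropbox)
        if st.st_mode & stat.S_IROTH:
            findings.append((DROPBOX, "readable: uploads are visible before the operator reviews them"))
    return findings


def build_sample_tree():
    """Constructed tree (not a real site) showing the weak layout: bin/ and
    etc/ owned by the FTP account, etc/ group-writable, a replaceable
    bin/ls, and incoming/ as the intended write-only drop box."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    for name, mode in (("bin", 0o755), ("etc", 0o775), ("incoming", 0o733), ("pub", 0o755)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    ls_path = os.path.join(root, "bin", "ls")
    with open(ls_path, "w") as fh:
        fh.write("#!/bin/sh\necho constructed stand-in for ls\n")
    os.chmod(ls_path, 0o755)
    return root


def harden_sample_tree(root):
    """Corrected state of the constructed tree: helper directories and their
    contents writable only by their owner (ownership itself would be moved
    to root with chown, which needs privilege and is not done here)."""
    for name in SYSTEM_DIRS:
        path = os.path.join(root, name)
        os.chmod(path, 0o755)
        for entry in os.listdir(path):
            os.chmod(os.path.join(path, entry), 0o755)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for item in audit_ftp_root(sample_root, SAMPLE_FTP_UID):
        print("%s: %s" % item)
    harden_sample_tree(sample_root)
    print("after hardening, with bin/etc owned by a non-FTP uid:",
          audit_ftp_root(sample_root, SOME_OTHER_UID))
```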

Becoming A Superuser

Breaking into a system isn't worth anything if you find yourself in an empty home directory with such a low access level that nothing fun is allowable. When you hack into a low-level account belonging to a data entry clerk or some other restricted user, you will want to raise your access to the highest it can go. This is accomplished by doing research from the inside, spoofing, programming tricks, or social engineering.

As far as research is concerned, you will want to look around the system you've just penetrated and see what options are available to you. Read all files; run all programs. Most technical hacks involve bugs in established software. Generally this software is of a kind that interacts with other users' accounts in some way. Thus mailing and "chatting" programs are susceptible, as well as text editors. If you find a programming language of any kind you should be in Hacker's Heaven, as there are hundreds of variations on programming tricks you can use while inside to gain better access. Let's start with spoofing.

Spoofing

Spoofing usually refers to sending electronic mail in such a way that it looks like someone else was the one who sent it. Spoofing can also refer to any act whereby a hacker impersonates another user. Let's stick with the more common definition first, for a while, and look at some ways in which spoofed e-mail can benefit the low-level hacker who wants to make good for himself.

One prototypical scam is to spoof an e-mail from the system operator. Susie User, a highly powerful person on the system, is on-line, going about her usual business. She checks her mailbox and is surprised to find a letter has just been mailed to her from the system administrator. The letter talks about how, because of security breaches, they will now be issuing new passwords every six weeks. "Your new password is D4YUL," says S.U.'s e-mail. "You can change it yourself with the 'SET_PASS' command. Remember it! Don't reveal it to anybody! Computer security is an important issue that can not be taken lightly!"

A few moments later you notice that Susie has issued a SET_PASS command, and a few moments later you log on in her name, thus achieving her higher security privileges. It works every time! The trick is, you have to know how to spoof to do it.

Before you can spoof e-mail, you have to understand how such a thing is possible. Now, if you've ever used any sort of electronic mail program, whether on a mainframe or local BBS, you know that to send mail, the user enters basically three pieces of information: destination, subject and the body of the letter. Some mail programs allow further complexities, such as the inclusion of other text files or programs, return receipts, etc., but let's just concern ourselves with the most primitive of mailing programs, as those are the ones that get the most usage.

When you send electronic mail to another user, the computer automatically places a heading on top of the letter, which identifies it as having come from you. To spoof e-mail you will want to somehow change that heading, so it looks as though the letter was written by the person in charge of the system.

Usually one sends mail by running a mail program. The mail program includes a text editor and facilities to send mail to other users. But in many cases you don't have to use a special mailing program to send mail. There is usually a fundamental shell programming command that allows you to send text, or a file, into a file on another user's directory. This is what the mailing program does: it sends the text of your message into a file called MAIL.TXT or something similar, and when Susie U. executes her mail program, it will display the contents of the file MAIL.TXT.

As you can imagine, it is a simple task to open a file, type in a header that looks like a header from a superuser's letter, then add your own text to the bottom of the file. Next you use the "send file" command to put this file into another user's directory. Make sure the directory you put it in is one with higher access privileges than your own!

Sometimes the operating system itself foils this scheme. For example, one of the Internet protocols requires the two computers involved with the mail transfer to compose the letter headers. To spoof on the Internet, one would connect to a host through port 25, which is how e-mail is transferred to a site. Normally only two computers connect in this way; there may be security safeguards in place, but if there are not, you can pretend to be a computer sending the commands to generate an e-mail message. This includes "mail from" and "rcpt" which establish who the sender and recipient are. Use "help" to get yourself through this.

Earlier I mentioned that spoofing is also considered to be any form of on-line impersonation of another. Many multi-user systems let users chat with each other by way of a command called TALK or WRITE, or something similar. When you issue a TALK command, a message appears on the recipient's screen, saying that you wish to talk. If the other user wants to talk with you, he or she issues the TALK command also. Then whatever you type appears on the other one's screen and vice versa. It may also be possible to filter the contents of a file onto another's screen by way of a TALK command. The hacking possibilities are endless!

One popular trick is to TALK a message like, "SYSTEM FAILURE. SHUT OFF YOUR TERMINAL WITHOUT DISCONNECTING TO PREVENT FURTHER DAMAGE. SYSADMIN," onto another person's screen. When they hang up, you piggyback a ride on their account.

As with the e-mail spoofs, you can't actually use the TALK command to put text on another user's screen. You have to go into the source code of the TALK program, see how it writes to another screen, and use those commands. This bypasses the safety features inherent in the TALK command. (If you use the actual TALK command to send this sample error message, the other party will see that it's you sending the message, not the Sysadmin. You have to emulate the TALK header which announces the name of the user sending text. You also want to go down to the fundamental "send text" statements because you don't want the user to have the option of not talking with you.)

It's a recognized fact that spoofing accounts for a good majority of system security failings, mainly because they're so easy to do once you've gotten on-line and taken a look at the software source codes and manuals. Another trick relies on TALKing a message that an intelligent terminal will understand. When you use a TALK command you aren't putting words into the OS prompt's mouth; the OS is simply putting what you type onto the remote terminal's screen. One way to get around that depends on the remote hardware. Some intelligent terminals have a Send or Enter escape sequence that tells the terminal to send the current line to the system as if the user had typed it in from the keyboard. You can use TALK to send a message that contains a suitable escape sequence to do naughty things like e-mail confidential documents back to you and the like.

Not only e-mail and TALK, but other commands are also known to be rife with ways they can be misused to a hacker's benefit. Anytime you come across a command which allows interaction with another terminal, study it closely to see how it can be manipulated.

Look at programs, too, to see if they can be used to communicate out of your own directory. The GNU-EMACS text editor (used on UNIX computers) allows you to send the file you are working on to another person's directory. If you happened to name that file ".login"², then whenever that user logged on, that ".login" batch would execute.

² Under UNIX, ".login" is the name of the batch file that gets executed once a user logs into his or her account. And if part of that ".login" included mailing the user's secret stuff to your account, so much the better.

Cryptography And DES

Reverting to old tricks, brute force attacks can allow you to decrypt password files on your own time, on your own terms. Even with your meager account you should be able to copy an encrypted password file off a machine you've hacked and onto a safer one. At the very least, you should be able to view the contents of a password file, even though it is encrypted. Then you compile a copy of the decryption software, altering it so it will read in a word from a specially-prepared dictionary file, use that as a key, and print the result. UNIX source code listings are available for every facet of the OS. Even if you can't get a decryptor of the type used by the computer to code the password (and other) files, you can still go to the manual, see which encryption algorithm is used, and write a program yourself that follows that algorithm. Brute forcing encryption keys on a password file is much faster than forcing one's way onto the system in the first place. Soon you should have found a key that unlocks the code, and soon you will have the superuser password!

Brute force may not always be a necessity. There is reportedly a well-known inversion to the encryption algorithm used on certain OSs, including older versions of VMS. Sorry to say, I don't know exactly what this inversion method is. I do know there are ways to algorithmically reverse the effects of a "crypt" command in UNIX. That command uses the World War II Enigma coding algorithm, which was devious for its time but no match for modern supercomputers. Sure, it still takes a while to do the inversion, but it is possible to do it if you have a computer with enough horsepower.

However, the crypt command isn't used all that much because everyone knows how vulnerable it is. Mostly "crypt" is left around for sentimental reasons. The encryptor that is most often used to encode passwords is a version of the federal Data Encryption Standard (DES). The UNIX variation of DES is "defective" in that brute force attacks for encryption keys are close to impossible. How does it defeat brute force attacks?
As we all know, UNIX password files are openly available for anyone to read, copy, or print out, but the passwords themselves are stored in an encrypted form. Well, that's not exactly right. The password file actually does NOT contain any passwords at all. What happens is, when a user logs in for the first time and enters a password, UNIX uses the first eight characters of the password as an encryption key to encode some constant (say, a long random number).

Another reason why DES was chosen to encrypt passwords is that when the DES algorithm is implemented in software form, it is slow. This means it will take more time to run a brute force attack.

Staying with this topic a bit, it's unsettling to note that the Data Encryption Standard also may not be as secure as it was once believed to be. DES was based on a security system called Lucifer, developed by IBM for the National Bureau of Standards in 1973. Before being released as the USA's official (standard) code, the top-secret National Security Agency had their say in the matter, reducing the complexity of the encoding algorithm and keeping certain aspects of its design under wraps. This looked mighty suspicious! Why would the NSA go out of its way to proclaim the code secure while simultaneously making it less secure? Critics warned that a back door had probably been built into the system. In early 1992, two Israeli scientists announced that they had found a way to beat the system. If someone knows the encoded message, certain mathematical techniques can be applied to infer the key used to encrypt the message. Then other coded texts which use the same key can be easily read. In any case, it is well known that much better codes have been produced since the 1970s.

Some systems make it difficult to brute force the plaintext out of an encrypted file, because the encryption key supplied by the user is not what encodes the text. Rather, it is used to encode some random sequence of characters. Those characters encode the text.

You don't have to be smart to be a hacker, you just have to be clever. But to crack data encryption algorithms you must be clever, smart and mathematically-inclined. Lucky for us people who don't have calculators for brains, there are so many other ways to read encrypted files than by breaking the code! I'll stick with Van Eck and his cronies, thank you.

Bit By Bit

Let's say you find yourself in some rinky-dink little account one evening, with just about zero access to anything interesting. On this hypothetical system you are able to read the passwords file, but of course to change it is out of the question. You can see that your account's password has been encrypted (in the file) as "fg(kk3j2." If you had the ability to load the password file into a text editor, you could replace the sysadmin's encrypted password with yours ("fg(kk3j2"), then save the file. Well, naturally you can't do that. You could get as far as loading the file into a text editor and changing it but to save like that is impossible without superuser status. Or is it?

The system security may be such that it only makes validation checks at the highest level of interaction. So the high level commands to delete, move, execute, or alter files are disallowed if the user does not have a certain security clearance; the actual machine level commands to move the read/write head to a particular location, let's say, may not be halted in the least. If this were true for the whole available storage arena, every file could be completely read or rewritten bit by bit. If programming or disk maintenance software is available to you on-line, you might then be able to use it to alter individual storage locations to change the system administrator's encrypted password to your own.

On the other hand, you might find that security prevents even low level instructions from being performed. Don't give up too soon! It may be that only parts of the storage arena have been protected, while others, due to forgetfulness, bugs, impossibility or impracticality, have been left unsecure. If so, you may not be able to change the passwords file, but perhaps it would be possible to move files to another user's private directory, or to change files that are already there. This opens up a whole world of possible Trojan horses and back doors.

If security seems to prevent all illegal access from taking place, perhaps it is possible to trick a process with superuser security clearance into doing the work for you. A simple program, such as a game, could be written, containing instructions to secretly alter passwords. Compile and save the program, making access to it available only to superusers. Then move the file into a public directory. Eventually some superuser will come along and execute it, thus enacting the portions of your program which, if you had run them yourself, would have resulted in error messages and perhaps a few more ticks on the security log.

Trojan horses can do a lot of things. They can collect passwords, simulate login prompts³, remove read/write protection from files, or fake system crashes (and when the user shuts off his terminal and walks away, you type in the secret control code which causes the Trojan horse to uncrash back to the user's account). Trojan horses should definitely make up the majority of a hacker's tool kit. But there is another, different means of gaining higher access by employing programs, and that is with the use of computer viruses.
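Whether a program planted in a public directory, as above, ever gets run by a superuser depends on that superuser's command search path, which the next section explains. Added example, not from the book: a Python audit of a PATH string for the entries an unprivileged user could control (relative, missing, or group/world-writable directories), reporting which entry would actually supply a command such as "date". The directory layout and PATH value are constructed in a temporary directory.

```python
import os
import stat
import tempfile

OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def resolve_command(name, entries):
    """First (entry, file) along the path that is an executable regular file,
    mirroring the lookup order a shell uses. None if nothing matches."""
    for entry in entries:
        candidate = os.path.join(entry or ".", name)
        try:
            st = os.stat(candidate)
        except FileNotFoundError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & ANY_EXEC:
            return entry, candidate
    return None


def audit_search_path(path_value, commands=()):
    """Review a PATH string the way an operator should review a privileged
    account's login script. Returns a list of (subject, problem) tuples.

    path_value is the raw colon-separated text; commands are names to
    resolve along it, reporting any that an unsafe entry would supply."""
    findings = []
    entries = path_value.split(":")
    unsafe = set()
    for entry in entries:
        if entry == "" or not os.path.isabs(entry):
            findings.append((entry or "(empty)",
                             "relative entry: searched in whatever the current directory is"))
            unsafe.add(entry)
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append((entry, "does not exist: whoever can create it controls lookups"))
            unsafe.add(entry)
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((entry, "not a directory"))
            continue
        if st.st_mode & OTHERS_WRITE:
            findings.append((entry, "writable by group or world: a planted command here shadows the real one"))
            unsafe.add(entry)
    for cmd in commands:
        hit = resolve_command(cmd, entries)
        if hit is not None and hit[0] in unsafe:
            findings.append((cmd, "resolves to %s from an unsafe entry" % hit[1]))
    return findings


def build_sample_layout():
    """Constructed layout (not a real system): a world-writable 'local'
    directory ahead of the system 'bin', each holding a 'date', plus a
    missing directory and a trailing empty entry in the PATH."""
    root = tempfile.mkdtemp(prefix="path-audit-")
    for name, mode in (("local", 0o777), ("bin", 0o755)):
        directory = os.path.join(root, name)
        os.mkdir(directory)
        os.chmod(directory, mode)
        script = os.path.join(directory, "date")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho constructed stand-in for date in %s\n" % name)
        os.chmod(script, 0o755)
    layout = {
        "root": root,
        "local": os.path.join(root, "local"),
        "bin": os.path.join(root, "bin"),
        "missing": os.path.join(root, "missing"),
    }
    layout["path"] = ":".join([layout["local"], layout["bin"], layout["missing"], ""])
    return layout


if __name__ == "__main__":
    sample = build_sample_layout()
    for subject, problem in audit_search_path(sample["path"], commands=("date",)):
        print("%s: %s" % (subject, problem))
```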

Program Employment

Most programs that are employed by hackers are of the Trojan horse variety. And the classic Trojan horse example is one which uses the faults of others to achieve its goal. Generally this means using undisciplined PATH commands.

Most modern operating systems allow you to arrange your files in an organized fashion by the use of directories and subdirectories. This makes finding where you left a file easy, but it causes problems when you get sick of typing in long pathnames to change from one directory to another. The solution is PATH commands. A PATH command says to the OS, "If you don't find that file in the current directory, look over there... Then look there.... And there." In other words, you specify a path which the OS can follow to find files. That way you don't have to be in a file's directory to access that file.

PATH commands are usually put into batch files which are run at login. They are especially used on big machines which contain lots of files and tons of directories. In those cases, especially if the user is a maintenance operator and needs access all over the place, there might be a lot of directories specified in the PATH.

Sloppy search paths, especially ones which look at all or most of the directories on a system, are of extreme importance to the hacker. The hacker starts by rewriting a program that gets used often and putting a Trojan horse into it. The program is then put into a directory that is likely to be in a superuser's path. A privileged user or program, such as a shell script, may innocently chance upon, let's say, your "date" program instead of the "official" version stored in the OS directory. It is accessed, and your hidden code does its thing.

Viruses

A virus is born from the cross breeding of three other families of programs: the Trojan horse, the worm, and the logic bomb.

A logic bomb is a piece of code hidden within a larger program. Usually it is no more than a simple IF/THEN statement. IF such-and-such is true, THEN do something. Judging by the name, logic bomb, you can guess what that "something" usually entails. The classic example of a logic bomb being put to use is when a system programmer is fired for inadequate job performance, or for some other humiliating reason. A few days after he walks away, the head honchos at the firm get a message from the programmer: "Pay me X thousand dollars before July 31st and I'll tell you how to save your software and records from total annihilation." The programmer has, you see, implanted a logic bomb that will detonate at that certain date.

A worm is a program with one purpose: to replicate itself. All it

does

is

look at

its

environment,

where it can make a copy of itself, and it does


so. Then there are two copies of the worm. Each of
those reproduces, and there are four. Four quickly
become eight, and so on. Soon an entire computer
or network is clogged with hundreds or even thousee

sands of unstoppable reproduction machines.


Then there's the virus. A virus comes from the
mating of these two other breeds. When a worm
takes on a logic bomb aspect to it, you get a pro-

gram that will


explode

when

replicate as

much as it can, and then

"something" happens. The whole

3 Also, think about Trojan horses in terms of the multiuser games discussed earlier

words,

etc.

obtaining those

pass-

thing hides

itself

within an application program, as

a Trojan horse.
Logic bombs are dangerous, but at least they
are contained. Worms and viruses on the other

say a true
hacker will never release a worm, because they are
too destructive with no purpose. A true hacker may
release a virus if it can move harmlessly

hand, are unpredictable. Therefore,

throughout a system, erasing itself as it goes, making sure it never backtracks to where it's been before.

A
words

virus can be

programmed

to a specific address, or

battering

ram to brute

force

it

new

to e-mail pass-

can be used as a
passageways into

that a key is required. Anyone finding your virus or


Trojan horse will easily figure out what the key is
and be able to interpret e-mail or temporary files

So you have
which requires another key...

that the virus/Trojan horse produces.


to encrypt the key...

which means more hiding needs to be done... another key.... Well, this could go on forever. Make
the best of the situation.
If

you're going to be encrypting

lot of

them safely.
There have been rumors of a microcomputer virus which, if it exists, would gladden the heart of
many a hacker. The virus is called the AT&Tack Virus. Once it copies itself onto a computer, it tries to
find a Hayes brand or compatible modem. If one
exists, it silences the modem's speaker and dials a
preprogrammed number. Apparently then who-

to the incoming directory of

the telephone number it calls has remote


your computer.
To me, this seems like nothing more than a rumor. Indeed, as of this writing none of the comis at

access to

mercially available virus detection software

makes

any mention of an AT&Tack Virus. Besides, it


seems to me this sort of thing would work better as
a Trojan horse in a graphics display program,
rather than as a virus.

it

may

be easier to have your virus or Trojan horse send


the encoded data to an unmoderated newsgroup.
Disadvantage: You have to spoof the post, or someone may notice that this user (who is unknowingly
activating your virus or Trojan horse) is posting a

computer systems. There are lots of ways in which


hackers can use viruses, but it is difficult to use

ever

anyway

"garbage" to the group.

You may

have the encrypted file uploaded


an anonymous FTP site
somewhere. Make certain files can be downloaded
from that directory, because as mentioned earlier,
often the ability to download from such directories
is

also

turned off for security reasons.

To send short messages (like a single password4) you may have your rogue program rename
a world-changeable file to that message. By
"world-changeable,"

am

referring to the security

on that file
set it to very low
protection, so that anyone can change its attributes.
Your Trojan horse/virus will come into your direcprotections placed

tory under the disguise of various users from

all

around the network, and attempt to rename that


file to that message. You don't want your Trojan
horse/virus to generate an error message. (You can
set up a process to constantly run in the background, monitoring the state of that file. As the
file's name changes, the background process stores
the new name, then gives the file its original name,

Covert Channels
One of the fun things about using Trojan horses
and viruses

is

the designing of covert channels to

get the data they collect back to

you

in

some

read-

able form. Consider a virus that attaches itself to

program and thus collects passwords. It


does no good to have this virus halfway across the
world with no way to get back that list of passwords it is reaping. One method has already been
mentioned: the virus can periodically e-mail you a
list of passwords. Take heed not to have that e-mail
sent to any account where you can be identified.
It would also be a good idea to encrypt the mail
before it is sent. One problem with encryption is
the login

4 Normally a Trojan horse or virus would send back to


you three pieces of information: username, password,
and the address of the computer where that username/password was valid. However, if you targeted a specific

individual

by giving

that individual sole access to

your Trojan horse, then only a password would be


needed.

Of course, viruses and Trojan horses don't have to be


messengers for only password information. You may be
a hacker, but you may also be a spy, a crasher, or
who-knows-what-else. As far as I know, the information you need covertly passed back to you could be
virtually anything.

'

",

'

"

'

commands

When Im

thus allowing another copy of your Trojan horse or


virus the opportunity to send its message.)

available resources, or that will look

Other short messages can be sent a bit at a time.


For example, the existence of file X in a certain di-

nonexistent hardware or

means

your rogue program is sending


the digit one. If the directory is empty, the file deleted, a zero bit is being transmitted. A background
process is running in your home directory to monitor the appearance and disappearance of that file.
rectory

"Find"

alphabet. See

that

If

there

is

if it's

any

bounds of
beyond the
up programs for

that will search out of

possible to set

memory capabilities.

sort of text editing facility, such

fine a character.

program to send mail to sysops, do what you


can to compose a batch file, and see if it's possible
to send your message as a command that must be
executed. Also with text editors, try to compose excessively long letters. If the editor has special text
revision functions, write up a huge paragraph then
cut and paste a copy underneath it. Then cut and
paste those two paragraphs underneath, etc., until
the program either crashes or doesn't allow you to

the capital letter A. 01000010

continue.

When enough zeros and

ones accumulate, the program translates them into a character of the message.

The extended ASCII code uses eight

bits to de-

For instance, 01000001 represents


is B, and so forth. For
your virus or Trojan horse to send an eight character password, 64 deletions and creations of file X
would be needed. Those bits would be sent one at a
time, whenever the rogue program had the opportunity to

do so unnoticed.
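The undisciplined-PATH weakness described under Program Employment above is, from the defender's side, an auditing problem: which entries in a privileged account's PATH could someone other than root populate, and do they come before the real system directories? The following is an added example, not code from the book; SYSTEM_DIRS, the DirInfo/Finding names and the filesystem view used in the test are assumptions.

```python
"""Audit a login PATH for the search-path Trojan horse described in the chapter.

Added example, not code from the book. The weakness it looks for is the one the
text describes: a directory that a privileged user searches before the system
directories, so that a planted "date" (or any other common command) runs
instead of the official one.
"""
import os
import stat
from dataclasses import dataclass
from typing import Callable, List

# Assumption: a conventional Unix layout; adjust for the system being audited.
SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")


@dataclass
class DirInfo:
    """What the audit needs to know about one directory."""
    exists: bool
    mode: int = 0        # permission bits only (stat.S_IMODE of st_mode)
    owner_uid: int = 0


@dataclass
class Finding:
    entry: str
    problem: str
    shadows_system: bool   # True when the entry precedes every system directory


def inspect_live_dir(path: str) -> DirInfo:
    """DirInfo for a directory on the running system (used outside tests)."""
    try:
        st = os.stat(path)
    except OSError:
        return DirInfo(exists=False)
    return DirInfo(exists=True, mode=stat.S_IMODE(st.st_mode), owner_uid=st.st_uid)


def audit_path(path_value: str, lookup: Callable[[str], DirInfo],
               current_uid: int) -> List[Finding]:
    """Flag PATH entries that someone else could use to plant a command.

    `lookup` maps an entry to a DirInfo, so the same logic runs against a
    constructed filesystem view (as in a test) or against inspect_live_dir.
    """
    findings: List[Finding] = []
    seen_system_dir = False
    for entry in path_value.split(os.pathsep):
        problems = []
        if entry in ("", "."):
            # An empty element and "." both mean "search the current directory".
            problems.append("current directory is searched; any file in the cwd can shadow a command")
        elif not os.path.isabs(entry):
            problems.append("relative entry; it resolves to a different place in every working directory")
        else:
            info = lookup(entry)
            if not info.exists:
                problems.append("directory does not exist; whoever can create it owns a slot in the search path")
            else:
                if info.mode & stat.S_IWOTH:
                    problems.append("world-writable directory")
                elif info.mode & stat.S_IWGRP:
                    problems.append("group-writable directory")
                if info.owner_uid not in (0, current_uid):
                    problems.append(f"owned by uid {info.owner_uid}, who can replace any command in it")
        for problem in problems:
            # A bad entry matters most when it is searched before the system directories.
            findings.append(Finding(entry or "<empty>", problem, not seen_system_dir))
        if entry in SYSTEM_DIRS:
            seen_system_dir = True
    return findings


def audit_current_process() -> List[Finding]:
    """Convenience wrapper: audit the PATH of the running process."""
    return audit_path(os.environ.get("PATH", ""), inspect_live_dir, os.getuid())


if __name__ == "__main__":
    for f in audit_current_process():
        where = "BEFORE system dirs" if f.shadows_system else "after system dirs"
        print(f"{f.entry}: {f.problem} ({where})")
```

Run it from a root login script to check what a privileged account actually searches; any finding marked as preceding the system directories is exactly the slot the chapter's planted "date" would use.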
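The one-bit-per-file-existence channel just described leaves a distinctive trace in filesystem audit data: one path that is created and deleted many times in a short window and never written to. As an added example, not code from the book, the detector below reads a constructed event stream and flags such paths; the event format, the thresholds and the sample paths are assumptions.

```python
"""Spot the file-existence covert channel from the chapter in filesystem audit events.

Added example, not code from the book. The channel the text describes toggles the
existence of a single file once per bit (64 creations and deletions for an
eight-character password), so its fingerprint is a path with a burst of
create/delete events and no writes. Events are assumed to have the constructed
shape "<epoch seconds> <create|delete|write> <path>"; real sources (auditd,
inotify, EDR telemetry) would be mapped onto that shape first.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class Alert:
    path: str
    peak_toggles: int   # most create/delete events seen inside one window
    writes: int         # write events on that path over the whole trace


def parse_event(line: str) -> Tuple[float, str, str]:
    """'<epoch seconds> <action> <path>' -> (ts, action, path); paths may contain spaces."""
    ts, action, path = line.strip().split(maxsplit=2)
    return float(ts), action, path


def peak_in_window(times: List[float], window: float) -> int:
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = 0
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def find_toggled_files(lines: Iterable[str], window: float = 600.0,
                       min_toggles: int = 16) -> List[Alert]:
    """Return paths whose create/delete events within one window reach min_toggles."""
    toggles: Dict[str, List[float]] = defaultdict(list)
    writes: Dict[str, int] = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ts, action, path = parse_event(line)
        if action in ("create", "delete"):
            toggles[path].append(ts)
        elif action == "write":
            writes[path] += 1
    alerts = [Alert(path, peak_in_window(times, window), writes[path])
              for path, times in toggles.items()
              if peak_in_window(times, window) >= min_toggles]
    alerts.sort(key=lambda a: -a.peak_toggles)
    return alerts


def constructed_trace() -> List[str]:
    """Constructed sample events, not real logs:
    - /var/run/backup.lock: a legitimate lock file toggled once an hour for a day,
    - /home/alice/report.tmp: an editor temp file that is written, then replaced,
    - /home/mallory/X: a signal file flipped 64 times in ten minutes, never written.
    """
    lines = []
    for hour in range(24):
        t = 1_700_000_000 + hour * 3600
        lines.append(f"{t} create /var/run/backup.lock")
        lines.append(f"{t + 30} delete /var/run/backup.lock")
    lines += ["1700000100 create /home/alice/report.tmp",
              "1700000101 write /home/alice/report.tmp",
              "1700000102 delete /home/alice/report.tmp"]
    for i in range(64):
        action = "create" if i % 2 == 0 else "delete"
        lines.append(f"{1_700_003_600 + i * 9} {action} /home/mallory/X")
    return lines


if __name__ == "__main__":
    for a in find_toggled_files(constructed_trace()):
        print(f"{a.path}: {a.peak_toggles} create/delete events in one window, "
              f"{a.writes} writes")
```

The sliding window is what separates the hourly lock file (48 toggles a day, never more than two in ten minutes) from the signal file, which packs 64 toggles into one window.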

Get Out Of Jail Free

Okay, all of that is fine if you've broken in by discovering someone's username and password, but what if the only access you've found to a machine is that of a command account or information setup? Then you have to see what can be done to break out of this jail of a program and get down to the level of the operating system. Probably this will be difficult to do. It will be less so if you've done any serious programming in the past.

As a programmer, you know what kind of bugs and errors crop up, and what kinds of things to look for to make them appear. If you're stuck in an account that runs an info program, let's say, you will want to try every unconventional, unexpected thing you can think of, in the hopes that you'll find something the programmer didn't think to guard against. Then hopefully you'll get an error message and crash out to the OS prompt.

Things to try:

Give bad, inappropriate, unrequested, or extremely long input to prompts, especially alphabetic answers to numeric questions. Or when asked to supply a number that will be analyzed by a function, try an incredibly small or large one. Try responding with break signals, either Control-Z, Control-C, or possibly Control-P. Try executing commands that will search out of available resources, or that will look beyond the bounds of memory capabilities. See if it's possible to set up programs for nonexistent hardware or "Find" alphabet.

If there is any sort of text editing facility, such as a program to send mail to sysops, do what you can to compose a batch file, and see if it's possible to send your message as a command that must be executed. Also with text editors, try to compose excessively long letters. If the editor has special text revision functions, write up a huge paragraph then cut and paste a copy underneath it. Then cut and paste those two paragraphs underneath, etc., until the program either crashes or doesn't allow you to continue. If the latter, see what happens when you try saving or sending the whole mess.

You may be in a program that is made to look like a simple operating system or control program, essentially a menu with the list of options either unavailable, or callable with a HELP command. Thus, you're given a prompt and asked to enter a command. Some application commands allow appending to them the name of a file on which you intend to work. For instance, to edit STORY.DOC with a word processor, you might type the command "WORD.PROC STORY.DOC," to run the word processor with STORY.DOC already loaded in it. On an on-line system that allows such execution, try to crash a program by giving it too much data ("WORD.PROC STORY.DOC FILE.ONE FILE.TWO...") or by giving it inappropriate data. Some examples:

WORD.PROC WORD.PROC
WORD.PROC \directoryname
WORD.PROC nonexistent-filename
WORD.PROC /etc/date [or other command]

The "inappropriate data" tactic has been used successfully in the recent past. Another bug that's been exploited is excess command stacking. Command stacking is the placing of multiple commands on one line. Commands may be separated with spaces, semicolons, slashes, or a number of other punctuation symbols. The parser which interprets the stacked commands may break down if too many commands are given it. The line editor may not allow you to enter so many lines that this occurs, but through programming tricks you can probably get an unwieldy stack of commands sent as though from the keyboard.

If there is a language or compiler available, then it should be possible to POKE some values into places that would be better left unprodded. Alternatively, you might find yourself able to compile code into specific areas of memory, overwriting the code which is impeding your progress. Or your code might cause the program to jump to a new location, where further instructions can be carried out.

Finally, see if you can load a program into a mail writer or other editor, or into a superzap program, and alter it so that when it runs, it will crash.

Bugs in software are most likely to occur if the software in question:

Is new (i.e., version one or thereabouts, or being Beta tested).
Was hastily slapped together to make some fast money or to comply with the advertisements or demands.
Has remained the same for years despite hardware or other changes.
Is being renovated.
Is not commercially available.

When you're hopping around on the networks you encounter, stop and read the notes that accompany new versions of old software. These will generally list, not just the improvements made, but sometimes the reasons for the improvements (i.e., if there was an exploitable bug in the earlier version). By the time you read the upgrade note, most sites will probably have already upgraded to the new version, but given the tremendous number of computers running today, more than a few won't have heard that a new version of their software has been released.

Returning To The Scene

The prudent hacker will build himself or herself a trap door to allow easy entry if further penetrations are required. Mainly this means setting up a dummy account to use in successive hacks. After all, there is no guarantee that the account you used the first time will still be valid the next time you login, or that the password or some other critical item won't have been changed, barring your entrance. If you have gained access not through a password, but through some fluke hidden command or technical means, you will definitely want to add a trap door just so you don't have to go through all that rigmarole the next time you want to get in.

On many operating systems, programs can be set to run even after the user has logged off. Sometimes the program can be put on a timer, to begin execution at a specified future time. Writing a suitable program and then running it under one of these commands can make your return easier to accomplish.

Mission Accomplished... Almost!

Hey! Look at what you've done! You've done your research, found your computer, broken in, and now, you've dabbled around inside. These four components are what hacking is all about. This is what it means to be a hacker. But there is also a fifth level of hacking to consider.

These first four parts had to be done in linear order, one following the other. The final part is really not final at all. It is something you should be doing from the very beginning, thinking about every step of the way. Because you see, this thing you've done, this hacking, is illegal. And so you must protect yourself.

So now let's look at what exactly it is about hacking that our society considers wrong. Then we will see how we can keep on hacking forever unscathed. Finally, we will tie up loose ends and look ahead to your future as a hacker.
Chapter Thirteen: This Lawful Land

There are lots of fraud investigators, special agents, Secret Service people, FBI guys and all manner of local, state and federal enforcement officials roaming around cyberspace, waiting to trip you up. There are also private citizens who love hacking but don't love the idea of being criminals, so they hack the hackers, building up dossiers, which they then turn over to the authorities. Getting caught can make you famous, maybe even throw some money your way. It can also take away a good part of your life, your money, your reputation, your computing equipment, and your hopes for the future. Let's take a look at the laws that cause this state of affairs.

State Computer Crime Laws

Every state except Vermont has explicit laws forbidding computer crime. They are all pretty much alike in that they start out by defining what a computer is, and defining various terms relating to computers and computer crime. Then they list the specific offenses the law prohibits, and the penalties associated with those illegal activities.

You can easily find out what the situation is for your state. Just so you know what kind of things cops and lawyers are talking about when they talk about state computer crime laws, let's take a look at a typical anti-hack statute.

The Wisconsin statute on computer crimes ("Chapter 293, Laws of 1981, 943.70" for you law-book gurus) lists eight possible naughty things a person can do with a computer. The first six have to do with "computer data and programs," the sixth being the willful, knowing, and unauthorized disclosing of "restricted access codes or other restricted access information to unauthorized person[s]." The first five bits of software naughtiness detail the willful, knowing, and unauthorized modification, destruction, accession, possession, or copying of computer data, computer programs, or "supporting documentation."

The final offenses have to do with the hardware aspect. "Whoever willingly, knowingly and without authorization," either modifies, destroys, uses, takes or damages a computer, computer system, network, equipment or supplies related to computers, is guilty under this statute.

There are eight different penalties listed, depending on whether the act in question is considered a misdemeanor or a felony under the law. The magnitude of the crime is based on how much damage was caused money-wise, how much threat to others there was, and whether the hacker did the deed with intent to defraud or obtain property. Penalties range from life imprisonment (sheesh!) to various fines in the $500-$10,000 range.

Traditional State Crime Laws

Just because your state doesn't have a law that specifically forbids snooping around in someone else's computer, doesn't mean what you're doing is completely legal. Prosecutors will try to convict hackers on violations of any law, even if there's a large void between the hacker's actions and the original intent of the law. In some circumstances, the prosecutors may feel there is not a good enough case against a hacker using the computer laws. For other reasons, such as a rural jury, prosecutors will press the issue of guilt, but try to sidestep the technical aspect of it. They will charge a hacker with infractions of traditional crime laws, such as malicious mischief, burglary, larceny, and whatever other nasties they can squeeze into play.

There are problems applying traditional laws to modern "crimes," and the focus changes from whether Hacker X is guilty or innocent, to whether Hacker X is guilty of that particular crime. Can hacking be considered a kind of burglary? In a blue collar computer crime, such as the theft of the actual hardware, there is no question whether or not a law has been broken. On the other hand, if a hacker steals records from a database, do the burglary statutes still apply? What if the hacker didn't actually deprive anyone of their information, but only made a copy of it for him or herself? Is this a different issue?

These topics have been addressed differently in different court cases. If you are ever unfortunate enough to be tried for hacking-related offenses, the judge's decision will be based on the exact definitions of "software," "burglary," and other key words for your particular state. If the state has no computer crime statutes, then "software" may not be defined; in that case it is up to the judge entirely to decide what these terms mean.

Since we do have 50 states worth of laws to consider, in addition to federal laws, space constraints dictate that I not list every single statute and definition that might apply to a hacker's trial. For the specifics you will have to do your own research into your state's laws. Here is a generalized overview of traditional crimes, and how they can be applied to convict you of computer hacking. I want to stress this point of "generalizations." All the definitions of law to follow are simplifications of the laws throughout the land. Individual states add their own personal quirks and nuances to these laws, minutiae on which both surprise verdicts and legal loopholes are based.

Criminal Mischief

Also called malicious mischief, this is the willful destruction of someone else's property. You may say to yourself, "Gosh, as long as I don't purposely go around acting like a jerk, how can they convict me on that one?" Good question.

To be able to say that malicious mischief has occurred, three things must be present: a real human action, evidence that the action has caused damage to someone else's property, and that the damage is observable to a bystander. That's the traditional definition. Well, any bystander can see a smashed storefront window, but how many "average bystanders" can easily see how an algorithm has been changed in a program to allow access to anyone named "Borges"?

The thing is, a hacker may change software or password files to gain entry to a system, but it is often hard to determine whether or not such an action has caused "willful destruction" of that file. Indeed, the software may not actually have been altered to any detectable degree, and the hacker himself may not have done any noticeable actions at all. Can one then honestly say that criminal mischief has occurred? And yet, the hacker may have left the software in an altered, "destroyed" state. The answers to such questions remain to be adequately determined.

Burglary

For most states, burglary is the unauthorized breaking and entering of the real property of another with intent to commit a crime. Again there is a problem, in that we have to decide whether or not to accept an operating computer network as property. The act of entering one's username/password is often metaphorically associated with that of unlocking and opening a door to one's house, but does that analogy exist to such a degree that the unauthorized entry into a computer directory is committing a burglary?

It is generally conceded that the attempt to prosecute such an act under traditional burglary statutes becomes futile. It may become slightly less futile if there is a clear intent on the hacker's part to commit a crime. Again, make sure the world knows your intentions are benign, and be sure to follow that path.

Of course, the physical breaking and entering of a building, with the intention of using the computers there to hack, is a more clear-cut matter. Don't expect to wiggle out of that one on as many technicalities.

Larceny

Larceny occurs when two conditions hold true: A piece of property has been criminally taken and carried away from another person, and the intention of so doing was to permanently deprive the owner of his or her property.

Again, problems arise when applying this to computer hacking. Think about a case where a hacker inserts a GOTO statement in a program to bypass the section where the program asks for login information. Has the hacker effectively deprived the administrators on that system of that section of code, that piece of property? Additionally there is the problem of determining if the intent was to leave the GOTO in permanently, and not only that, whether or not such an action constitutes "taking" away of property. After all, the intermittent code is still there, only the access to it has been temporarily eliminated.

Larceny may be applied to the stealing of time on a computer, to stolen telephone service or electrical power. In these cases it would seem the lawyers are doing their best in a trying situation in which they realize the hacker has not done any harm, and yet they want to symbolically punish the hacker for invading their computers.

Fraud

Fraud is easy to define: any sort of deception, cheating or unfair behavior that is used to cause injury to another person. Using someone else's password is fraud, since you are falsely representing yourself, and the "injured person" (computer) reasonably believes you to be that person to the extent that you are given privileges you should not have received. But to be convicted of fraud it must be shown that because of the deception, the victim had damage done to him or her. What happens in the case where a computer manager knows it's a hacker on the line, and yet the manager is unable to prevent damage from occurring? Since there is no deception, there is no fraud. That may be intent to defraud, and perhaps not fraud itself.

Social engineering is clearly fraud if information gained from the exchange is used to enter a computer, and some injury can be proven. Actually, fraud is universally cited in any instance of computer crime, no matter what methods were used or what the outcome of the "crime." You can see then the importance of not causing "injury" to a computer. In all of these cases, it is essential that it can be established that no damage (or alteration) was done, and none was intended.

Theft Of Trade Secrets

Theft of trade secrets may also be called "misappropriation" of trade secrets. It may be contained in the larceny laws of the state if a trade secret is defined as a kind of property, or it may be the principal construct of its own statute. Misappropriation of trade secrets might be the better of the two names, as it more accurately reflects the nature of the law: either the physical taking of secrets, or the unauthorized copying of them, may be viewed as a violation.

So if a hacker has printouts of some top secret laboratory reports, that information has been misappropriated, copied by an individual unauthorized to do so. If this law is subsumed into the general larceny statute, a prosecuting complication might arise. We are then back to the question of whether or not it can be shown that the hacker intended to permanently deprive the owner of his property. We both know that computer hackers generally don't have any intention of deprivation, but we know we can't expect judges and juries to understand. We are just learning.

Finally, let's end this section on a good note. If the accused hacker leaves no trace of his or her entering a system, then it is typically the case that theft of trade secrets can not be seriously considered as having taken place. Thus, hackers should make certain that all files and printouts which contain data that one might regard as trade secrets, are either purged, burned or hidden very well.

Interference With Use Statutes

If someone does something so another person can't use his or her property (with a resulting loss to the property owner) then it is said that an "interference with use" statute has been broken. In the hacking sense, if a cracker were to change password files so others couldn't log on, or tamper with a piece of source code, or use another person's username and password, an IWUS may be said to have occurred. Sometimes these are called anti-tampering laws.

As we have seen with the other traditional laws as they apply to hacking, there are of course no clear ways to overlay centuries old terminology onto modern situations. An IWUS can apply even if there is no visible damage as a result of tampering. Even the installation of a back door may be punishable, regardless of whether other users know this illegal mode of entry exists.

Receipt Of Stolen Property

Let's describe this one by mentioning its three parts: (1) The stolen property must have been received by (2) someone who knows or should reasonably suspect that the property was stolen, and (3) the receiving has been done with the intent of permanently depriving the owner of his property.

As with trade secret theft, ROSP may be included in the larceny laws, or it may have its very own statute to call its own. Regardless, ROSP is a good crime to catch hackers by. Here's why: ROSP is applicable for almost any stolen property or "property," including trade secrets, information, goods and services, high credit ratings (been hacking TRW lately?), computer time, passwords, and files. If you've got any of these, or anything else for that matter, you've got ROSP to deal with.

Theft Of Services Or Labor Under False Pretenses

Theft of Services Under... Boy, I thought I had to abbreviate when discussing Receipt of Stolen Property! TOSOLUFP is basically a form of larceny whereby you trick someone into letting you have something. For instance, TOSOLUFP might occur when a hacker gets access to an on-site computer by showing a guard a fake ID badge. Similarly, any false representation of a fact with the intention of obtaining the property of another is TOSOLUFP. Additionally it must be shown that the victim's judgment relied on acceptance of that false representation and because of that reliance, suffered some injury, such as loss of computer time or monies which would be paid by a legal user of the system.

Traditional Federal Crime Laws

A crime may become a federal crime if it takes place on or involves federal property, or if there is a vested federal interest in the crime. There are federal laws which don't necessarily refer to computers, yet are acceptable for use in the prosecution (persecution?) of computer hackers. Note that these laws, as well as the laws described in following sections, are applicable only when the computers you hack are related to the federal government in some way.

Conspiracy

Conspiracy (aka 18 USC #371, if you like numbers) takes place when two or more individuals combine to agree upon or plot an unlawful act, or to commit a lawful act in an unlawful manner. The law goes on to state it is unlawful for these two or more people to plan to defraud the US government, or any federal agency.

This means that a bunch of criminals who use hacker's techniques to make money appear in their checking accounts will be accused of conspiracy if the bank or financial institution involved is a member of the Federal Deposit Insurance Corporation. In any case, if you are a member of any sort of group which discusses hacking, or if you've ever discussed hacking or other illegal activities with anyone, you are a potential victim of this law.

It's 10:30, Do They Know Where The Hackers Are? Or: 661, 2113, 641, 912, 1343, 1361, Etc.

Other federal laws may also apply in select cases of computer hacking. Applicability of these laws depends on the nature of the "crime," what computers were being hacked, where the hacking took place, and how the hacker went about breaking in.

For example, laws 18 USC 661 & 2113 have to do with thefts committed within a special maritime jurisdiction and burglary of a bank respectively. Other laws deal with post offices, fortifications, harbor-defense areas, and federal property in general. These are special laws that will apply only if you have, let's say, "burglarized" the information in a post office database, or committed some other special-area offense.

United States Code 641 applies to the theft of federal property (is information property?) or records. USC 912 makes it unlawful to obtain "a thing of value" by impersonating a federal officer or employee. I would guess entering a federal employee's password is considered impersonation. Number 1343 on the books says you can't use wire communications to execute or attempt to defraud or scheme to obtain property under false pretenses, when the message crosses state lines. 1361 prohibits malicious injury to federal property, and 2071 disallows the concealment, mutilation or removal of public records. All of which a computer cracker is likely to do, if on a federal computer.

There is law after statute after law, all dealing with specific issues like these. It doesn't seem worthwhile to go through every last one of them. Suffice it to say, if you get caught by the feds, they have a lot of legalese they can use to say why what you were doing was wrong. I'm not saying you should go out and memorize every bill that's ever been passed that might have some remote connection to computer law. I'm saying you should realize that computer hacking can be a risky business. Use your head. Don't make the mistakes that others have made. If you're lucky, you'll be hacking without harm for as long as you want.

Federal Computer Crime Laws

Finally, there are the federal laws which specifically relate to computer crime that one must be wary of. The Counterfeit Access Device and Computer Fraud Act of 1984 (18 USC 1030) was the first law that explicitly talked about computer crime. As you might expect, it is a law that can be applied to just about any government hack. It prohibits unauthorized access to data stored on any "federal interest computer," and specifically mentions financial records and national secrets as info not to mess around with. This law allows for fines up to $10,000 or up to 10 years imprisonment if it's a first offense.

Two years later, two computer crime acts were passed by Congress. The Computer Fraud and Abuse Act of 1986 defined more situations in which hackers could be prosecuted, by talking more about financial houses and medical records, targeting computers involved with interstate crimes, computers belonging to certain financial institutions, and other federally owned computers. There are also provisions for the trafficking in passwords with intent to defraud computer owners. Most interesting to the hacker, The Computer Fraud and Abuse Act of 1986 makes it illegal

to use other people's

one's

believe, is that

passwords, or even to use

own password improperly

"fraud" part of the

One

title

that's

where the

comes from.

sort of strange requirement that this

law

makes is that it can only be applied to crimes where


the victim has lost $1,000 or more due to the crime.
Since you are going to be hacking under a set of
ethical constraints, this law doesn't apply to you at
all then (i.e., no computer you hack will lose anything from your explorations). This facet of the Act
is

made even more

interesting

when you

realize

that the Senate Judiciary Committee, in their report

on the

Act, explained that a cracker doesn't have to

actually steal data to

be prosecuted under the law

he or she only has


wonder what

to read the data.

they're thinking since

it's

Makes you
beyond

my

comprehension how anyone can prove that reading


some data caused $1,000 worth of damage. But

no lawyer.
The Computer Security Act

then, I'm

of 1987 is a donothing law that requires security standards to be


developed for classified and unclassified federal
data, and requires that security plans and periodic
security training

be implemented on federal com-

puter systems containing sensitive information.

Conclusion
I

was going

there, for the

to apologize to all the lawyers out

way

tions of all the

I've

manhandled these

above laws. But

really,

descrip-

why should I

apologize to lawyers?

Now let's talk about what we as hackers can do


then
about any of the above.
to protect ourselves;

we

won't have to worry

Chapter Fourteen:

Hacker Security:

How To Keep From Getting Caught

Hacking

is fun. Hell, it's exhilarating. But it's


sometimes immoral, and usually punishable. Even if what you're doing is perfectly innocent you'll be hard pressed to find an acceptable excuse for it in court. The very least that might hap-

also illegal,

pen is the security holes you utilized the first time


around might get patched up. More serious punishments inflicted by the courts can include community service, fines and even prison, as we've
seen. Informal punishments include the unofficial
destruction of your equipment by law enforcement
officers, and being blacklisted from tech-related

naught. Accordingly, the strategies here should not


be known rotely and followed, but expanded

just

upon to apply to new situations. Remember, there


have been many computer criminals who've been
sent to prison. True, some have even hacked while
in prison. Some even learned to hack in prison. But
you don't want to go to prison. So when you're online, in public, in private,

or just living through

your life, make sure you apply these guidelines.

In Researching

jobs.

There
Consequently, the prudent hacker has two
goals in mind while hacking. Number one: don't
get caught.

Number

two:

if

you do,

don't

make

it

count. This chapter will present strategies the careful

hacker will follow to ensure both situations are

true.

Hacking

to use one's curiosity

about com-

them beyond their limits


involves
not just technical knowledge but also the hacker's
mindset. Part of the mindset must deal with keepputers to push

ing oneself safe, or else the rest of it has been

all for

may be

local ordinances in

your area

forbidding machines or people to continuously dial

up numbers and disconnect, as with an autodialer


program which searches for dial-in lines. If you
make the calls yourself it's better to say a simple,
"Sorry, wrong number," than just hanging up and
annoying all those people. Remember the
"pers-pros" rule: The more people you get angry at
you, the more likely it is you'll be persecuted, and
the more likely it is you'll be prosecuted.

-
iper Hacker

--

mssmrr-v "-^fiff>
--j

In Social Engineering
Some

social engineering

and most reverse

engi-

neering requires authorized user contact over the

telephone or through the mail. This

is

obviously

risky since you are giving out your address or telephone number to people whom you are about to
defraud. Hackers have utilized several ingenious
methods to overcome this problem.
Once I found a small business with a technicalsounding name that would be closed for a few
weeks over the summer. By doing some hacking,
some research, and rubbing my lucky rabbit's foot I
wag able to come up with the code that released
messages left on their answering machine. That
/gave ttie a way to have people contact me without
them knowing who I was.
I put up some phony advertising for a computer network, instructing people to call and leave
their name and vital data. I could call up the machine whenever I wanted, punch in the magic code
and listen to those messages. When the store reopened, I called them up, saying I was from the
phone company. I told the store owner that some
lines got crossed, so they might get some weird
calls.

Some hackers

change a pay phone


and work out of there.
In order to work a social engineer through the
mails, you could rent a private mail box or mail
will simply

to residential status

drop.

One hacker found

a cheaper solution.

He

noticed that the P.O. Box underneath his in the


college mail

room was always empty. Apparently it

was unassigned. The mailboxes are open

in the

back so workers can stuff the mail into them. This


hacker took an unbent clothes hanger and a metal
clip, fashioned them together into a grabber that he
could slide into his box and go fishing into the
mailbox below his. Later I showed him how to determine the combination of the box, so he wouldn't
have to do all that. For a long while the box remained unused, and he was able to get all the secret mail he wanted sent there.

Dialing In

When you're new it may be okay to dial up remote computers from your house, but once you've
been around a while you'll never know if your
phone is being tapped or your computer usage being monitored. So when you're past your hacking
childhood, make sure to never make an illicit call
from your own house, or from any number that can
be traced to you.
Even when you are new to hacking, you could
be in trouble. Imagine if you become a regular on
the TECHRIME-USA BBS, right about the time an
FBI officer is planning to bust the sysops for conducting illegal business on their board! You don't
want to get involved with that, especially if you
haven't done anything illegal. Even scarier than
that are semi-reliable

you don't want

it

phone."

Nelson

Rockefeller

known, don't use the

cir-

ground which imply that the phone companies


routinely monitor and record modem conversations
which pass through their lines. This is supposedly
done automatically by detectors which listen for
modem tones, and will then turn on a recording
device to keep a record of the call. Even if the gossip turns out to be false, consider this: (1) We obviously have the technology to do such a thing and,
(2) it is well known that the NSA records many,
many phone calls.
So... If you must associate with known computer culprits, or with established hackers, do so as
covertly as possible.

Not calling from your house means calling from


else. That means you may want to

someplace

splurge for a portable laptop computer. While


you're at it,

buy an acoustic coupler and an external

modem to go with it. All this should run you about

a lot less than the


one or two thousand dollars
an attorney to defend you in court.
The acoustic coupler is necessary because not
every place you hack will have a telephone jack to
plug into. The external modem is needed to plug the
coupler into. While many laptops come with mocost of retaining

dems

included, they are generally mternal models,

and so can not be coupled to a telephone handset.


Now that you have your equipment, where
should you take it? There are plenty of places. At
night and over the weekend you can sneak into

many
"If

rumors which have been

culating through branches of the technical under-

big office buildings and, if the right door


sit yourself down at a cu-

happens to be unlocked,
bicle and chug away.

Two summers ago, I was walking past my local


municipal center a
that every office

little

had

past 9 p.m., and

their

windows open.

noticed

Every of-

at nightl Their air conditioner must have


malfunctioned during the day, as it had been incredibly hot. Needless to say, if I'd been in the
hacking mood I wouldVe scrambled through a
window and hooked up my portable to a telefice

phone. I could have been making illegal computer


B & Es while making a physical B & E, all just a few

as

COSMOS (which sends out instructions to create

and

phone numbers among other

kill

MIZAR (the local MIZAR


that COSMOS sets up).
Once you've gotten

and
work

things)

actually does the

familiar with the intricacies

you can use them in


ways to protect yourself. For instance, you know
you probably don't want to place hacking phone
calls from your house. What you can do is connect
of these telephone computers,

to a

neighborhood switching computer, take the

and
doors down from a bustling police station
being
wiser.
with no one
the
If you have money laying around, or if you
have a hacking expense account, you can always
hole up in a hotel or motel to do your hacking.
The money problem is one which gets to hack-

phone numbers of some local pay phones, and deactivate their need for coins. You then use the pay
phones to call or hack any place in the world.
which, as far as is
Or you can use a MIZAR
known, does not keep records of its activities, unlike

COSMOS

ways. Phone bills add up fast, which is


why most serious hackers are phreaks too. A
phreak is someone who hacks the telephone networks. One of the major aspects of phreaking is the
producing of code tones which signal the telephone
system to perform special functions, such as place
long distance calls for free. Phreaking is definitely a
major area for hackers to investigate, and the tele-

sent

phone number

ers in other

phone system and


which run
system

especially the computers

the

is

something which

all

hackers should become intimately familiar with.

change your prenearby church. If


your call gets traced, you'll be sending the feds on a
wild goose chase.
to temporarily
to that of a

I want to make the point that dialing in to a remote computer is not as safe as it feels. Communi-

cating through a telephone or through a computer

sometimes gives you a


especially

false feeling of protection,

when you become good

at

hacking and

phreaking, and turn from confident to cocky. Don't


let that

happen

to you.

Remember to always

follow

these safety rules.

hackers will say that any hacking other


than hacking the computers which run the telephone system is child's play. This is true to some
extent. The telephone computer networks are incredibly large, sprawling, wonderful masses of in-

Don't set up patterns of behavior. Always call


from a different place, at different times of day.
When is a good time to call? Ask hackers this
and each one will give you a different answer. Late
night is good because system administrators will

enormous databases, technical


operations and blinding wizardry which makes

probably have gone

hacking anything less look pitiful.

clown at a funeral. You can try hiding yourself


within the bustle of heavy usage times, like
mid-morning and afternoon, but then the mainframes will be at their slowest, your activity can

Many

tricate

functions,

Once

the

phone

line leaves

your house

it

goes

to a local switching center. This center controls all

phones in your neighborhood, which may mean as


many as 15,000 telephone lines. Each neighborhood
switch is managed by its own computer. These
computers are the essential targets of the phone
company hacker; if you can access the computer,
you can access every phone that it switches. You
can turn phones on and off, reroute calls, change
numbers. You could, if you were not a hacker,
wreak quite a lot of havoc.
There are also switched networks which connect the computers that run switches. From there
you can go to regional maintenance systems such

home

already

but

then, so

too have most valid users, so you'll stand out like a

easily

hacked

still

really isn't

into

be noticed, and the account you've


unavailable for your usage. There
any perfect time to call. Some research
the company structures its computer

may be

how

guard duty may help.

Time how long you're on the phone with a maA phone trace is instantaneous if you're local, and takes just a half a tweak longer if you're
calling from far away. But it's still not wise to stay
on a single line half the day. Move around a lot,
calling from different phone numbers, to different
chine.

iSKHRHHmmm-

your target has multiple


randomly choose from all of them.

access numbers. If
lines,

dial-in

and green wires from your motwo silver mouthpiece contacts in-

to connect the red

dem wire

to the

side the telephone handset. This can easily generate

a poor signal, so

Laptop Hints

if

you have the

actual telephone

(not just the handset) available for vandalism, take

who-knows-where
on your portable laptop, here are some suggestions
to help you get connected.
When in unfamiliar domain, such as an office,
Since you'll be calling from

schoolroom

your
laptop is of infinite
as you can get
it to work. Never plug your modem into an unfamiliar phone setup until you've verified that doing
so won't burn out your equipment. Many offices
have installed their own electronic phone systems,
called PBXs, to facilitate special functions such as
in-house dialing and phone menus, or to block
certain phones from making long distance calls.
hotel,

Some

after hours, or otherwise,

apart the entire case

telephone's transformer.

of these

down the switchhook on the telephone to place the

Your On-The-Road Kit


Make

you have this


you go hacking on the road:

modem should, too.


phones may not work

codes used in local routing procedures.


dial tone

on your cheap

test

If

you

To

that

it's

the

PBX

into the

problem you have to plug the


phone jack, and connect the room

phone (not your cheap one)

to the

modem

One

small, cheap, reliable telephone for testing

your modem on-line and hang up.


can be bought to process
signals as they go between the telephone handset
and the modem. The device converts ordinary moringing, turn

Alternatively, devices

dem

signals so they will work on digital systems


such as a PBX. This may be a more suitable alternative if you find yourself having to bypass PBX
phones a lot.
Sometimes you can find yourself in a place with
a telephone, but no plug-in jack for your modem.
For instance, if you are using the phone from a
public fax or automatic teller machine. In these

unscrew or pry off the mouthpiece of the


phone and use a cable with attached alligator clips

You can use a commercial tester for

but the phone comes in handy in places like


where you may want to connect to a
telephone but the acoustic coupler won't fit on
the phone they supplied.
An extra phone cord, with an RJ-11 modular clip
at one end (the standard, square telephone
plug-in thingy) and with alligator clips at the

Wire

cutters,

screwdrivers,

and assorted

coil

cords with various size ports.

(you

may need a special double port for this). To use the


modem you place the call using the room telephone, and when you hear the remote computer

cases,

A laptop, or otherwise portable, computer. Must


have a modem. Preferably two: an internal, and
an external with acoustic coupling cups.

other end.

correct the

modem

get a

system at fault.

with you when

this,

phone but your mo-

dem won't work, you can assume

stuff

motels,

with

modem because of special audible or numeric

sure

line voltages.

works, your

PBX-networked

You will then have to hold

value so long

PBXs place a current into the


is powerful enough to damage
your delicate modem. To see if the line you have in
mind is safe, try plugging in a really cheap phone

your

your red/green mo-

clip

call.

telephone wires that

first. If it

and

dem wires to the red and green cable leads from the

System Tiptoeing

Even the best intentioned, the most honorable and nondestructive of hackers are thought of as evil by the managerial population. This means that if you're caught breaking into computers that don't belong to you, expect some trouble. Even if the hacking you were doing is completely benign you are likely to be punished in some way. I've seen reports that estimate the cost of computer crime per year is $3 billion to $5 billion dollars, and that's on the low end. Other sources list figures as high as $100 billion. Even the $3 billion figure, to me, seems pumped up for insurance purposes, but the people who run businesses and government don't see it that way. Government and industry people will realize that most computer crimes go unreported, and so the true cost is likely to be much higher than the official estimate. Even if these dollar amounts are bogus, that's what people believe, and so they will be even more inclined to prosecute someone who they believe is contributing to that multi-billion loss every year.

Let's take a brief interlude here and examine the case of the Greenwood Family Hospital BBS.

"Pretty Theft" is the name of a hacker I used to communicate with infrequently. One day she sent me a message on a BBS asking if I knew how to get into the computers of a certain hospital that was in my area. I was puzzled, because that hospital was the easiest thing in the world to get into; in fact, it was one of my earliest successful hacks.

When you logged onto the system, you were greeted with this informative message (names and numbers are fictitious, of course).

Welcome to GFH-NET!
300-2400 baud
(123)456-7890

GREENWOOD FAMILY HOSPITAL

GFH-NET IS MAINTAINED BY ROGER CORNWALL AND HAROLD LIPNICK
QUESTIONS OR COMMENTS? E-MAIL TO THEM!!!

WHAT IS YOUR NAME?
TYPE IN FIRST AND LAST:

WHAT IS YOUR PASSWORD?
TYPE <RETURN> ON A BLANK LINE IF YOU DONT HAVE ONE:

A few months after I began actively hacking, I was using my computer and watching the evening news when a story came on about the governor breaking his arm and being rushed by helicopter to a hospital. I thought to myself, "Hey, hospitals must use computers, right? I can probably get into one!" So I got the supposedly private number for the Greenwood Family Hospital Network, and I called up, and I got that welcoming screen.

Guess what I did next? It's not too hard to figure out what I did! Naturally, I typed in ROGER CORNWALL for my name. Unfortunately, the real Roger Cornwall had a password of some sort; pressing Return on a blank line just got me an error message. So I tried HAROLD LIPNICK. Again, no go.

I went into the kitchen, got out the phone book, looked up the telephone number of Greenwood Family Hospital, and I called it. A woman answered:

"Greenwood, may I help you?"

"Yes, please," I said, "Is Tom there?"

"Who?"

"Uhm... There's some guy there I spoke with earlier... Your supervisor or somebody?"

"Lee Brown, you mean?" she asked.

"Oh yeah, I guess that's it. I don't know where I got Tom from. Uh, is he there?"

"Nope. Lee left at five."

"All right, thanks."

"Bye-bye."

I went back to my computer and called back GFH-NET and tried LEE BROWN for the name. Once again, I was out of luck. However, after a few more phone calls to the various numbers listed for the hospital, I came up with a guy (a resident) who had not bothered with a password.

GFH-NET turned out to be nothing special after all. It had nothing to do with hospital billing, patient records, or anything else pertaining to the actual running of the place. Mostly it was like a doctor BBS. From what I could make of it, it was medical students discussing problems with the doctors on the system. No file transfers or anything; just a very simple messaging system. It was no big deal, but it was fun to get into.

The next day I looked through the doctors in the yellow pages, and I found about eight listed who had Greenwood Hospital addresses. Out of those names, three had no password.

So anyway, I was puzzled as to why Pretty Theft couldn't get on there. I called it up for the first time in years, and to my surprise found this nasty logon screen awaiting me:

USE OF THIS SYSTEM IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!
EVERYONE ELSE MUST HANG UP NOW!
>

All useful information was gone! All that remained was an angry note and a non-useful arrow prompt.

I e-mailed a letter back to Pretty Theft. I asked her what had happened there. The next day I got her reply:

Last month a friend of mine was in the hospital, so I wanted to see if I could change his bill. I remembered you giving me the number two years ago or something, so I looked it up in my book and I was surprised I still had it. I knew the name of my friend's doctor, and when I was there visiting him, I got the names of lots more from the paging system (you know, "Calling Dr. Bower...") and from charts on the walls. Then I went on the system and was trying all these names, when the sysop came on and threw me off. Every time I tried getting on after that he kicked me off. Next morning at about 8:00, I finally got on. One of the doctor's names had the name as a password too. Well as I guess you know, I couldn't change my friend's hospital bill, but I couldn't do anything much else either... after giving my name and password, it just froze. That night I tried it again, and there was a message before it asked for your name. It said, MOST OF THE IMPORTANT FILES HAVE BEEN DELETED BY SOMEONE OR SOMETHING. THE SYSTEM WILL BE DOWN FOR A WHILE. ROGER. I didn't do anything to it, but I guess the sysop thought I or someone else deleted the files. A few days ago I called back for no reason, and, well, you know. I guess they got smart?

Yes, Pretty Theft was right. They had gotten smart, and because of it, security was tightened.

Incidentally, Roger and Harold had gotten smart in some respects, but remained dumb in others. Through continued perseverance I was able to get onto GFH-NET again. I tried some of the old names I'd figured out way-back-when, and found that all of them had passwords now. I tried some more social engineering, but everyone I spoke to kept their mouths shut about everything. (Later I was able to get onto the system with the help of some nice receptionists in the administration department.) As it turns out, I'd gotten smarter too; the medical conversations between doctors and students seemed a lot more comprehensible than they had been two years before. Maybe it was the students getting dumber?

There was also an old bulletin posted from one of the sysops. It explained as much as he knew about what had happened (which wasn't much). Mostly it said that certain files were deleted, and many of the bulletins were replaced with obscene musings on female anatomy. From what he said, it sounded like the files could have been erased by either a clumsy system operator, or perhaps a malignant hacker. I did a little investigating, and found that although it was not listed in the main menu, pressing "F" brought me to a defunct file transfer system. With a few minutes of thinking, it was easy to see how someone could've uploaded a program that would delete whatever files were in the root directory after a rebooting of the system.

The next day I typed up a long letter to the sysops at the hospital, explaining everything, what they could do to correct the problem, and how other security breaches could be curtailed. I signed it, "Sincerely, Polly Wanza Hacker." Then I called back the BBS and uploaded it to them. Soon after, I got this message from Pretty Theft:

"There's a new logon screen at the hospital. It says:

"THANX POLLY!
SIGNED
R.C. & H.L."

I couldn't have been happier.

A week later I tried it again, and the phone just rung.

Lessons From The Hospital

You already know system operators don't want you on their system. That's why you have to hack in the first place. But if you make it known that you're there, you will compound your difficulties considerably. It is just for this reason that hackers should not announce their arrival to a system, nor do anything to attract anyone's attention. There is only one case, really, when you would want to show yourself to the system operator, and that is when you've found out everything there is to know about a system and are never going to call back again.

On GFH-NET, the sysops went crazy when they realized their computers were being abused, and they made it a lot harder to get into. On a little BBS like that, you might not care whether or not you get in, but if you're dealing with something big like some government agency you don't want to start messing around. If you do show yourself in any way, like by a million log entries of "USER FAILED LOGON PROCEDURE" from when you tried every word in the dictionary as a password, the sysops are going to get concerned, at the very least. Concerned sysops mean no information will be given out over the phone. It may mean changing every legitimate user's password, or cleaning up dead accounts that might otherwise facilitate entry.

Alternately, if you have a nice feeling about a certain system, and don't want to see it get hurt (and you don't mind possibly eliminating your chances of ever getting back on it), you would be wise to consider informing the system operators about all the little quirks you know about their precious system. Many times, they won't believe you. They won't even bother trying what you suggest they try, either because they have a huge ego that can't be wrong, or because they think it's some kind of a trick, or god knows why else. But if they do believe you, and they take your advice, they will be quite grateful and, if you ask, might give you a low-level account on the system, or some handy tips. Tell them you'll be their unofficial security advisor. Some of them can be quite good about it, though others will think you're up to no good no matter what.
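The hospital story turns on two things a sysop can check for: one caller piling up "USER FAILED LOGON PROCEDURE" entries while running through a list of names, and accounts that have no password at all or use the holder's own name as one. What follows is an added, defender-side audit script in Python; it is not code from the book or from any system the book describes. The log line layout, the shape of the user table and every sample record in it are constructed assumptions for the example.

```python
"""Audit helpers for a small dial-up BBS (added example, not code from the
book). The log format and the user table are constructed assumptions.

Two checks drawn from the hospital story:
  1. failed_logon_bursts(): spot one caller racking up "USER FAILED LOGON
     PROCEDURE" entries in a short window, the trace a name- or
     word-guessing run leaves behind.
  2. weak_accounts(): find accounts with no password, or a password made
     from the account holder's name, which is how GFH-NET was first entered.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line layout: "<date> <time> <line-id> <user name> <result>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<line>\S+) "
    r"(?P<user>.+?) (?P<result>USER LOGGED ON|USER FAILED LOGON PROCEDURE)$"
)

# Constructed sample log: LINE1 runs through six names in under three minutes.
SAMPLE_LOG = """\
1986-08-20 01:02:11 LINE2 ROGER CORNWALL USER LOGGED ON
1986-08-20 02:14:05 LINE1 LEE BROWN USER FAILED LOGON PROCEDURE
1986-08-20 02:14:31 LINE1 JOHN BOWER USER FAILED LOGON PROCEDURE
1986-08-20 02:15:02 LINE1 ANN KLEIN USER FAILED LOGON PROCEDURE
1986-08-20 02:15:40 LINE1 PETER HALL USER FAILED LOGON PROCEDURE
1986-08-20 02:16:12 LINE1 MARK VANCE USER FAILED LOGON PROCEDURE
1986-08-20 02:16:55 LINE1 SUSAN REED USER FAILED LOGON PROCEDURE
1986-08-20 03:30:00 LINE3 HAROLD LIPNICK USER FAILED LOGON PROCEDURE
1986-08-20 04:45:00 LINE3 HAROLD LIPNICK USER LOGGED ON
*** carrier lost on LINE3 ***
1986-08-20 09:10:00 LINE2 ROGER CORNWALL USER FAILED LOGON PROCEDURE
"""

# Constructed user table in the shape a sysop might dump it (names are the
# fictitious ones from the story).
SAMPLE_USERS = [
    {"name": "Roger Cornwall", "password": "gfhnet-sysop-7"},
    {"name": "Harold Lipnick", "password": ""},
    {"name": "Lee Brown", "password": "brown"},
    {"name": "Dr. Bower", "password": "Dr. Bower"},
]


def parse_log(text):
    """Return a list of (timestamp, line_id, user, failed) for every line that
    matches the layout; anything else (carrier messages, noise) is skipped."""
    events = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["line"], m["user"], m["result"].startswith("USER FAILED")))
    return events


def failed_logon_bursts(text, threshold=5, window=timedelta(minutes=15)):
    """Return {line_id: (peak_failures_in_window, distinct_names_tried)} for
    callers whose failures inside any `window` reach `threshold`.

    A sliding window over the sorted failure times gives the peak count; the
    distinct-name count separates a guessing run from one user mistyping
    the same password."""
    failures = defaultdict(list)
    names = defaultdict(set)
    for ts, line, user, failed in sorted(parse_log(text)):
        if failed:
            failures[line].append(ts)
            names[line].add(user)
    flagged = {}
    for line, stamps in failures.items():
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[line] = (peak, len(names[line]))
    return flagged


def weak_accounts(users):
    """Return [(name, reason)] for accounts with a blank password or one equal
    to the holder's full name or to any single word of it (case-insensitive)."""
    findings = []
    for user in users:
        name = user["name"].strip().upper()
        pw = user["password"].strip().upper().replace(" ", "")
        name_forms = {name.replace(" ", "")} | set(name.split())
        if not pw:
            findings.append((user["name"], "no password"))
        elif pw in name_forms:
            findings.append((user["name"], "password derived from name"))
    return findings


if __name__ == "__main__":
    for line, (peak, tried) in failed_logon_bursts(SAMPLE_LOG).items():
        print(f"{line}: {peak} failed logons in one window, {tried} names tried")
    for name, reason in weak_accounts(SAMPLE_USERS):
        print(f"{name}: {reason}")
```

On the sample data LINE1 is the only caller flagged (six failures, six different names, inside three minutes), while LINE3's single failure followed by a good logon is left alone; the user table turns up the blank and name-based passwords the story describes. The threshold and window are tunable per board; a lower threshold with a shorter window catches faster guessing runs at the cost of more noise.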

But make sure that what you say on those


boards does not implicate you in any way with any
tence.

crime.

Don't get me wrong. I don't want to imply that


posting messages about hacking on a hacker BBS
guarantees safety, because it doesn't, of course.
When you start sharing secrets on a hacker BBS,
you'd better make sure the sysop takes all of the
following safety precautions: user screenings, a
false front and hidden back boards, double blind
anonymity, encryption, and affidavits of intent.
The most important aspect of any hacker group,
true hacker BBS will not
club, or BBS, is secrecy.
advertise, because it does not need new members.
hacker BBS will seem to be a very homey, family-style BBS up front, but type a code word from
off the menu, enter a password or two, and you enter the hidden realm. Hacker BBSs should further
protect themselves by only allowing specified users
to enter the secret parts of its domain, to prevent

unauthorized hackers or pseudo-hackers from


breaking in to your meeting place.
Any hacker BBS which does not take this minimal precaution of pretending to be legitimate, is juvenile, dangerous, and not something you want to
be a part of.
Going up the scale of stupidity just a bit, I've
seen plenty of "hacker" BBSs which allow access to
the hidden part

by entering words

like

"DEATH"

"PASSWORD" as passwords. Needinformation found on such boards is


very low content, and usually consists of the various users calling each other dickheads.
No new users should be allowed on a hacker
and, yes, even

what.

less to say, the

BBS Protection

This section deals with the two issues of security for the hacker involved with BBSs: hacker as user, and hacker as sysop. These are actually intertwined issues, as sysops of one BBS will generally be users of other BBSs. You should take these safety precautions on all BBSs you use and run, and should not hang around systems which do not employ a high degree of hacker security.

Do not post messages concerning illegal activities on any BBS where you don't feel completely secure. This means it's bad practice to brag about your hacking exploits in private e-mail as well as public message bases. If you are actively involved with BBSing, by all means become good friends with non-deviant systems, if only to maintain a balanced perspective of your computorial existence.

As a sysop, admit no one to the BBS unless one or several existing members can verify that the potential user is not a cop, will abide by the club's law of conduct, has information to share, and will not be a big blabbermouth. As a sysop, you will enjoy composing the list of rules that govern the way the BBS takes in new members. Remember, any new member should not even know that the BBS exists until the time when he or she is accepted into it. That will keep out law enforcement people, and keep in only the best hackers available.

Once a member has been verified as clean, his or her private information should be destroyed from the computer records. In fact, think about the BBSs on which you are a current member. Are there any which are likely to be busted in a raid? Even if you aren't doing anything wrong on the system, even if nobody on the system is doing anything illegal, you know very well how mixed-up the feds get when it comes to computers. You don't want your name brought into a computer crime trial, even if the case is thrown out of court before it begins. So if you're a member of any subculture BBS, tell the sysop to replace your personal information (name, address, phone number) with falsehoods. If you ever register with a BBS but decide not to call back, make sure to inform the sysop that you want your information deleted. (Verifying that such information has been altered or deleted is one legitimate reason for hacking a BBS. Legitimate, that is, from a hacker's ethical point of view.) It is important to do all this, because there are impostors out there who are very good at catching hackers when they least expect to be caught. In June of 1987, an AT&T security official logged onto a Texas BBS and found messages from a hacker boasting about how he'd gotten into a certain company's computer system. This led to the hacker's arrest. Note that since the hacker undoubtedly used a handle on the BBS, and it was a hacker board, the official might have hacked himself to get the hacker's real name. In any case, make sure your real name, address and other identifying data never stray to unsafe waters.

Before we start talking more about what you can do as the sysop of a hacker BBS, let's conclude with a real life example of what happens when hackers DON'T follow the advice I've listed above. In 1986 a BBS called simply and arrogantly, "The Board," came into being in Detroit. The Board was run off an HP2000 computer, and attracted hackers and crackers (and would-be hackers and wannabe crackers) from all over. On August 20, the following ominous message appeared on The Board when one logged in:

Welcome to MIKE WENDLAND'S I-TEAM sting board!
(Computer Services Provided by BOARDSCAN)
66 Megabytes Strong
300/1200 baud - 24 hours.
Three (3) lines = no busy signals!
Rotary hunting on 313-XXX-XXXX

If you called up that day and read the newest messages posted, you would have been surprised to find these little darlings staring you in the face:

Message: 41
Board: General Information & BBS's
Title: YOU'VE BEEN HAD!!!
To: ALL
From: HIGH TECH
Posted: 8/20/86 12.08 hours

Greetings:

You are now on THE BOARD, a "sting" BBS operated by MIKE WENDLAND of the WDIV-TV I-Team. The purpose? To demonstrate and document the extent of criminal and potentially illegal hacking and telephone fraud activity by the so-called "hacking community."

Thanks for your cooperation. In the past month and a half, we've received all sorts of information from you implicating many of you in credit card fraud, telephone billing fraud, vandalism, and possible break-ins to government or public safety computers. And the beauty of this is we have your posts, your E-Mail and most importantly your REAL names and addresses.

What are we going to do with it? Stay tuned to News 4. I plan a special series of reports about our experiences with THE BOARD, which saw users check in from coast-to-coast and Canada, users ranging in age from 12 to 48. For our regular users, I have been known as High Tech, among other IDs. John Maxfield of Boardscan served as our consultant and provided the HP2000 that this "sting" ran on. Through call forwarding and other conveniences made possible by telephone technology, the BBS operated remotely here in the Detroit area.

When will our reports be ready? In a few weeks. We now will be contacting many of you directly, talking with law enforcement and security agents from credit card companies and the telephone services. It should be a hell of a series. Thanks for your help.

And don't bother trying any harassment. Remember, we've got YOUR real names.

Mike Wendland
The I-team
WDIV, Detroit, MI

Message: 42
Board: General Information & BBS's
Title: BOARDSCAN
To: ALL
From: THE REAPER
Posted: 8/20/86 3.31 hours

This is John Maxfield of Boardscan.[1] Welcome! Please address all letter bombs to Mike Wendland at WDIV-TV Detroit. This board was his idea.

The Reaper (a.k.a. Cable Pair)

Is any comment required? You can see from this that the people who come after hackers, the people who will be coming after YOU, are not all Keystone Cops. Maxfield knew enough to pick "kOOl" handles like The Reaper and Cable Pair. The newuser password to The Board was HEL-N555,Elite,3, a quite hip password considering its origin. Maxfield, and others like him, are as into hacking as we are. They are knowledgeable of the culture and the lingo and get into it and think the way we think. This last is particularly hurtful, and means you can't allow yourself to think like everyone else. You won't become an elite hacker without the strength of your entire common sense working for you. When you call up BBSs, be sure and exercise that strength.

Now let's talk about exercising First Amendment rights. We do have the right to own and run our own BBS, and exchange information on it. On a hacker board, that information is likely not going to be the kind of thing you'd read to your mother. Disclaimers, such as, "This BBS will not tolerate any unlawful discussion of blah blah blah..." are worthless, but you may want to throw them around anyway to complement my next suggestion: many of the traditional laws which hackers get nailed on have to do with "harmful intent." That is, can it be shown that the hacker or cracker willingly caused damage to a computer? If you are running a hacker BBS or club, you might then consider having members sign an affidavit which makes their good intentions known. Members should sign an agreement stating that they would never willfully damage another's computer or its contents, that any information exchanged on the BBS was for knowledge value only and that none of the illegal activities discussed will be actively pursued, etc. Basically this should be a way to let the members feel they are actively participating in your code of ethical hacker conduct, which should be prominently displayed upon login to the BBS. Signing such a goody-two-shoes affidavit may not get you out of legal trouble, but it will do two things. It will stress the point that a member who does not follow the agreement is unworthy to be a part of your hacker BBS or club. And to a jury, it will help convince them that you all are just a bunch of innocent hobbyists being persecuted by the Big Bad System.

It has been suggested that sysops should have their members sign an agreement that, in the event of a raid by law enforcement officials, users would join a lawsuit against the officials to win back monies to pay for destroyed equipment, lost time, false arrests, the hassle, and everything else that goes along with being persecuted by Big Brother.

Current e-mail should always be kept on-hand, so that you can use the terms of the Electronic Communication Privacy Act to your favor. The ECPA ensures that electronic mail that was sent within the past 180 days is private and requires a warrant for an official to search and read it. Note that individual warrants are required for each user who has e-mail stored on your BBS, thus increasing the amount of paperwork required by The Law in going after you and your gang of happy hackers. So, if your users have signed an agreement, and sample e-mail is stored for each user (it may be fudged e-mail whose time and date of origination gets automatically updated every 180 days), you want to make all of this known to invading officials. Make a message such as the following available to all users when they log in for the first time, and every time they use the system:

A SPECIAL MESSAGE TO ALL LAW ENFORCEMENT AGENTS:

Some of the material on this computer system is being prepared for public dissemination and is therefore "work product material" protected under The First Amendment Privacy Protection Act of 1980 (USC 42, Section 2000aa). Violation of this statute by law enforcement agents is very likely to result in a civil suit as provided under Section 2000aa-6. Each and every person who has such "work product material" stored on this system is entitled to recover at least minimum damages of $1000 plus all legal expenses. Agents in some states may NOT be protected from personal civil liability if they violate this statute.

In addition, there is e-mail which has been in storage on this system for less than 180 days. Such stored electronic communications, as defined by the Electronic Communication Privacy Act (ECPA), are protected by the ECPA from unauthorized accesses by government officials such as seizure without warrants specific to each person's e-mail. Seizing the computer where this BBS resides would represent such an unauthorized access. There are civil actions which may be taken against law enforcement agents under provisions of the Act. You can find them in USC 18, Section 2707. On this system you can expect up to X people to have stored e-mail. Each of them is entitled to collect a minimum of $1000 plus all legal expenses for violations of Section 2700 and 2703. Note that all users of this system have already agreed in writing that their privacy is well worth the hassles of court. We will sue YOU.

Perhaps the agency you work for might pay your legal fees and judgments against you, but why take chances? If you feel the need to go after our private and legally protected e-mail, or take actions which would deny e-mail access to our users (such as seizing our hardware), get appropriate warrants.

It is the policy of the sysop of this system to cooperate with law enforcement agents, though we will not be involved in entrapments, and will not respond to idle threats. Please bring it to my attention if you discover illegal activities on this board, because as curator of this museum I will not tolerate it.

"Hacking the hacker is the ultimate hack," John Maxfield has said. Maxfield is a computer security consultant well known as a hacker tracker, and the one who helped organize The Board sting described above. John scans BBSs looking for hacker activity, and when he finds it, he informs the company that is being hacked about the problem. You know how insecure computers can be, and when you post messages or send e-mail on a BBS you are in effect opening yourself up for the world to see. Don't let some hacker tracker see something about you that you'd rather keep private. When you roam around cyberspace, do so discreetly.

[1] Boardscan is a company headed by John Maxfield, which seeks out and destroys hackers and their ilk.

Other On-line Security Steps

In real life and detective fiction, the real enemies to a person's well being are patterns in that person's life. Having a regular schedule of activity may make life easier for you, but it also allows others to find you when you are trying to hide, and notice you when you are trying to remain inconspicuous.

As an example, consider the case of the oilman who would ask the system manager to mount temporary backup tapes every time he began a computing session. The oilman would then read from the tapes posted by the system manager before starting his work. The manager got suspicious fast: it was pretty evident that the oilman was looking for data that others before him had backed-up onto those tapes. That industrial spy, like many other hackers and crackers, was caught because he followed a pattern.

Criminals (and hackers) like to formulate plans of action. But remember, any plan you conceive should have elements of randomness to it. Don't allow yourself to always call at a certain time, from the same workstations or telephones, because one day you will arrive at your favorite hacking location and find someone standing there with a pair of handcuffs.

Once I got a list of Social Security numbers from sitting in on a computer class on the first day: the professor handed around a sign-up sheet for students to list their name and number so that accounts could be made for them on the computer system. I waited until the accounts were made, then I had to go in and try them out. But trying them all at one time would have been too suspicious. Instead, I tried a new one every few hours, a different name each time, so it would look as though different people were trying it out. The system was secure in that it asked me to change my password upon first login. After doing so I was able to use the operating system's password-changing command to go back to the Social Security number so the original user could get in. But in each user's directory I left behind a hidden program that I could use for remote file viewing and playtime later on.

If you ever get into a situation where you can't change the password back to its original form, try re-entering the password as some variation on the Social Security number. For 123-45-6789 you might enter 123456789 or 123-45-6780 or 123-45-67890, as if the typist's finger has slipped. If security precautions require a capital letter or something, use one that is close to the last digit in the ID.

It is equally important that your modus operandi change as you move from one hack to the next. As you know, once you're into a system you should do what you can to create a new account for yourself. But make sure you always use a different name and password, and make anything you input about your fictional persona as noncommittal as possible. It is a minor point, but one of the things investigators noticed when tracking down computer cracker Kevin Mitnick was that the words he used were often identifiable American vernacular, thus implying that he was in fact American (i.e., a spy from a Third World country probably wouldn't use the password "RENANDSTIMPY").

Chapter Fourteen: Hacker Security: How
155

Security Logs

It is easy to get manufacturers of security products to mail you everything you would ever want to know about the things they sell. Here I am concerned mostly with software which quietly monitors the activity on a system, audits the system resources for misuses and irregularities, and keeps a disk-based or printed log of usage. Someone at the company takes a look at the log, then says to himself, "Hey! Mr. Poultry has been logging on every night at three in the morning. That seems unusual... Better have a chat with him..." Suddenly you're in an unsafe position, and you never even knew it was coming.

From your research into a particular computer you are looking to hack, you will know which security products are in force (by calling system operators feigning that you are a computer consultant, or by looking through the company's library of reference manuals). Get the descriptive literature from the manufacturer so you'll know what silent enemy you are up against.

Security logs, if they are in place and actually attended to, will alert administrators to any patterns which you create. Well, you're not going to create any patterns, but you're probably going to create some problems, and those too, will show up on the security log's report.

If you plan to stay on a given computer for any length of time, for instance if you plan to use that computer as a springboard from which to jump around through the network, you must discover the security auditor and render it useless. Don't destroy the auditor, simply reprogram it to ignore you when you log on. Or find out how it keeps a record of events and see what can be done to eliminate your own tell-tale traces. This should be a piece of cake, considering that if you're in the position to do these sorts of things, you most likely already have root access.

If you have been logging on in a similar way for a while, you might want to change previous log entries to reflect a more random login schedule. You may also be able to use a date or time setting command to control how the security monitor judges your behavior.


WARNING!
There have been many, many instances of hackers carefully editing out personal sections of audit records, only to find to their horror that they've deleted more than they should have. Or hackers who were trying to be helpful by cleaning up a messy program or fixing a typo in a memo, and having some disaster occur. You know you should always keep backups. The backup rule applies every time you use a computer, especially computers which aren't yours. If you feel you must alter a file that doesn't belong to you, alter a backup of that file. When you're done, make certain your changes are perfect, delete the original file and then rename the backup.

Any hacker worth his salt can go in and fiddle with records which have been stored on a tape or disk. But what if the security monitor makes a real-time printout of events as they occur? Then, my friend, you are stuck. Once a deed is done, it is trapped on that page for life. Printed logs are a big problem.

The thing to do is catch any mistakes before you make them. Limit the number of illegal or questionable activities you perform until you can find a way to disable the printer. You may be able to use software switches to program the printer to print everything in a nonexistent font, or if it's a multi-color printer, in a color that has no ink cartridge or ribbon. Of course, since you're probably doing all this over the phone, you might not know what equipment is being used. However, it might be possible to reroute print jobs to an electronic storage medium, or to an unused port; that is, tell the computer to print stuff out on a printer that doesn't exist. At times it may even be possible to trick the computer into thinking it's printing to the printer when actually it's printing back through its own modem, and so you end up receiving reports of your own activities as you go about your business.

One simple task that most auditors and many secure operating systems will perform is the recording of unsuccessful login attempts. Again, research is needed to see how your particular target computer responds to inaccurate logon inputs. Some programs will let you try three or four username/password combinations before resetting and saving the last attempt. In that case you would try to always make your last login attempt something innocuous. Or to be safer, don't type anything for your last allowed login attempt. Instead, press Control-C or Control-Z or whatever it is you can use to break back to the previous level of interaction.

Auditing programs can be a nuisance if you're running a big job, such as a brute force password generator. If you're able, try to write these programs so that they get around the security logs. Going directly to the hardware may be one solution to this problem. Another, depending on what kinds of things the log is keeping track of, would be to rename suspicious commands, so that the log either won't know to record those commands under their new name, or if the supervisor reads through the log printouts, he or she won't notice any questionable activity going on.

A more troublesome form of paper log is sometimes used by organizations to keep track of who does what, when, and why. Some companies insist that each employee enter telephone calls in a log. A monthly review and a comparison of the log with phone bills is done, and if anything doesn't match up, well, you can figure out what happens next. If you sneak into an office to make long distance calls, you can be easily trapped with such a log, since you probably won't know about it. Even if you're dialing in from home (or a phone booth), a log can trip you up. If you use a company's computers to call other computers, that might be a toll call which would show up on the phone bill, but not in the employee log.

Companies may keep logs to verify employee comings and goings, and use of equipment. Stay on top of things because the littlest errors lead to the biggest downfalls.
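As an added example that is not from the book, here is the kind of check the administrator in the "Mr. Poultry" story would run over the log, and the reason a system that records only the last login attempt is weaker than one that records them all: it parses a constructed audit log, flags any user whose logins keep landing in the small hours on several different nights, and counts every failed login so a run of bad attempts is caught even when the final attempt in the run was innocuous or succeeded. The log format, user names and thresholds are constructed for this example.

```python
"""Detection over a constructed audit log: a user on a nightly 3 a.m.
schedule, and a burst of failed logins that a last-attempt-only log would
miss.  Format, sample lines and thresholds are made up for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<timestamp> LOGIN user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: "poultry" logs in around 03:00 four nights running,
# "smith" keeps office hours, "jones" fails three times in a minute and then
# gets in, and one line is garbled (a truncated or tampered entry).
SAMPLE_LOG = """\
1986-08-18 03:01:05 LOGIN user=poultry result=OK
1986-08-18 09:12:40 LOGIN user=smith result=OK
1986-08-19 03:07:52 LOGIN user=poultry result=OK
1986-08-19 10:30:00 LOGIN user=smith result=OK
1986-08-20 02:58:13 LOGIN user=poultry result=OK
1986-08-20 14:00:00 LOGIN user=jones result=FAIL
1986-08-20 14:00:10 garbled entry
1986-08-20 14:00:21 LOGIN user=jones result=FAIL
1986-08-20 14:00:44 LOGIN user=jones result=FAIL
1986-08-20 14:01:02 LOGIN user=jones result=OK
1986-08-21 03:04:30 LOGIN user=poultry result=OK
""".splitlines()


def parse_log(lines):
    """Return ([(timestamp, user, result), ...], skipped). Unparseable lines
    are skipped but counted: a log with holes in it should not pass quietly."""
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["user"], m["result"]))
    return events, skipped


def off_hours_users(events, night_start=22, night_end=6, min_nights=3):
    """Users with successful logins inside the night window on at least
    min_nights distinct dates: a schedule, not a single late evening."""
    nights = defaultdict(set)
    for ts, user, result in events:
        if result == "OK" and (ts.hour >= night_start or ts.hour < night_end):
            nights[user].add(ts.date())
    return {u: sorted(d) for u, d in nights.items() if len(d) >= min_nights}


def failed_bursts(events, window=timedelta(minutes=5), max_fail=3):
    """Users with max_fail or more FAIL events inside any sliding window.
    Every attempt is counted, so the burst is still visible when the last
    attempt in the run happens to be an innocuous or successful one."""
    fails = defaultdict(list)
    for ts, user, result in events:
        if result == "FAIL":
            fails[user].append(ts)
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_fail:
                flagged[user] = (times[start], times[end])
                break
    return flagged


def review(lines):
    """Run both checks and report how many lines could not be parsed."""
    events, skipped = parse_log(lines)
    return {
        "off_hours": off_hours_users(events),
        "bursts": failed_bursts(events),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```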

In Public And On-Site

Doing any sort of hacking-related function in public or on-site, such as altering public access computers (PACs) or public access terminals (PATs), sabotaging for reverse social engineering (RSE), doing in-person social engineering (SE), using a university's computing facilities, or simply doing research at a library, is riskier than doing the same sorts of things at home. Not only do you have all the threats that a home-based hacker has, you have the additional concerns of whether or not you will be recognized or apprehended.

Use proven burglar's techniques when selecting a spot to do public hacking. When a burglar enters a house, the first thing he does is scope out all the exits. Don't sit down at a computer from where you won't be able to escape easily in more than one direction. And just as a burglar is always glad to see tall shrubbery to hide behind, you should try to sit at computers that are hidden in some way; with people or objects sitting in front of you, and hopefully a wall behind you, so no one can look over your shoulder.

Always be ready to leave a public hack at a moment's notice, and never get so involved with your work that you forget where you are. Remember, that's what happens to regular users when shoulder surfing takes place: they forget where they are and they let people see the secret things they're doing. A hacker must always be more security-aware than a regular user.

Take care to have a decent story prepared if you're trespassing, or if your actions will seem fishy to a passer-by. Make sure you dress the part of your story. Regardless of your story, clean dressy clothes are always a plus.

Finally, one should always keep in mind that a computer room is very likely occupied by at least one hacker or cracker at any given moment. Be alert to shoulder surfers, and to other tricks of the trade. When I sit down at a public terminal I always press the Break key a few times, and log off several times before logging in just in case someone has set up a simulation trap.

Be cautious, too, upon log out. Some terminals, such as the Tektronix 4207 and others, maintain a buffer of the screen display. Often that buffer is not cleared, even after log out. What that means is, some unsuspecting soul walks away from the terminal, but leaves behind a record of every action taken during his or her session. Anyone can go over to that terminal now and access, read, even print out dozens or hundreds of screenfuls of data.

While Off-Line: Minimizing Losses

Okay, so what if all of this doesn't help you? What if you still get caught? It's good to be prepared for such an emergency so if the feds do catch up to you they at least won't have any evidence on which to base a trial.

Maintaining Your Computer

You should routinely look at the files stored on your computer and destroy those which you illegally acquired. When I say "destroy" I mean it: don't just delete those files. Overwrite them with a single repeated character, encrypt them with the lengthiest, twistiest key you can fathom, and only then erase those files. You can use a "Wipefile" or "Wipedisk" program to write over data. That way you won't have compu-cops poking around in your secrets.

Also keep in mind that sometimes pieces of files get lost or unattached from the files to which they belong, or parts of files get duplicated elsewhere on your disks. It's a good idea to regularly check for these orphan text strings and eradicate them if they contain incriminating evidence.

Any computer file which you simply can't destroy must be encrypted and, ideally, hidden under an inconspicuous filename, such as PACMAN.EXE.

There are other matters to consider, other things about your computer that might not directly convict you, but can lead to evidence that will: terminal programs, autodialers, databases of modem numbers and account codes, lists of BBS numbers (especially pirate, phreak or hacking boards), and any other program that could even remotely be linked with a crime.

To play it safe, I use physical locks on my computers along with software "locks." I programmed all my computers to check for a particular key being pressed during the start up procedures. If the computer goes through its entire start up mode without detecting that key, it knows that something's wrong. It will then call a time-and-date subroutine. The routine shows the correct time and date, and gives me the opportunity to correct them. I must input a certain time and date, otherwise the computer will display a "LOADING MENU" message and remove the directory in which I keep all my naughty stuff. There is an opening menu too, which one can not enter or exit without inputting the proper password.

Luckily, I've never had my computers seized. If I ever do, I pity the untrained lummox who gets to go through my stuff; my systems are all booby trapped to destroy incriminating evidence. And even if he's prepared for that, he still won't know how to prevent it from happening!

It is a myth commonly heard that computer printouts can not be used as evidence in court, since they are so easily forged. The truth is, a printout is just as valid as any other piece of written evidence, as long as it can be shown to have been made at or near the time of the criminal act, or during preparation for the act. If a Secret Service thug, after taking your computer, then makes a printout of a file contained on it, that printout is invalid evidence, since he made it and not you. On the other hand, if there is in fact some accessible incriminating evidence stored on your computer, the prosecuting attorneys will know how they can legally present it to the court (I presume by bringing your computer into the courtroom, plugging it in and firing away). On the other hand, the feds are so good at smashing up seized computer equipment that you probably have nothing to worry about!

Keeping Your Other Stuff

Once a law enforcement official has a warrant for your arrest, he or she can legally steal all of your computers and peripherals, blank disks and audio cassettes, commercial software and documentation, printouts and operating logs, telephones and answering machines, any piece of electronic equipment as well as any papers indicating that you are the owner or user of that equipment, wires and loose parts, model rockets, disk boxes, radios, soldering irons, surge protectors, books, journals, magazines, et cetera. These things I've listed are all things that have been seized in past raids. Also, if the crimes which you are suspected of committing are related to a specific place or person, they will seize any papers or evidence with which a connection may be made between that place or person and the crime. They purposely write their warrants to allow seizure of a wide range of items, and believe me they will take all of it. And don't expect to get any of it back in one piece, either. This is yet another reason why, as I said in the beginning, it may not be such a great idea for hackers to even own a computer. It's sad but true, and so you should do your best to hide anything when you're out of your house or not using your equipment. If you have printouts or notes lying around, keep them in folders marked "SCHOOL HOMEWORK" or "CHURCH GROUP". Make the marks big and visible, and innocuous, and maybe they'll overlook the folders' contents.

It is important that when you hide stuff, you make it look as if the stuff has no connection with computers or electronics. Law enforcement officers are smart enough to get warrants that let them take anything even remotely connected to electricity. Let's look at a hypothetical example. Suppose underground information were routinely distributed on audio cassettes. Naturally we would resort to putting that information on store-bought tapes with legitimate names: Beatles, Grateful Dead, whatever. The cops would know that, and thus would want to get their hands on every tape we own, including ones that look as harmless as rock and roll.

As hackers, we do exchange information and keep records on disk. So if you have a box of disks containing all your hacker stuff, you can't simply label the disks with names like "Space War" and "Pac Man." They will suspect either that the disks have been labeled misleadingly, or that the games themselves are real. (Think of Steve Jackson.) Besides, in their raid they won't stop to sort seemingly irrelevant belongings from the obviously illegal ones. So you'll have to hide the disks themselves, and hide them in a way that is unrelated to technology. The same goes for your other electronics equipment, and anything else that might reasonably be stolen by the feds. For example, I keep my backup disks in a graham cracker box. I store my laptop in a big corn flakes box up in the closet. Am I being paranoid? I don't think so. It's just as easy to keep it there as anywhere else, and doing so makes me feel more secure.

You already know how companies leave helpful information in their garbage bins, but you should realize that your garbage is just as helpful to someone investigating you for computer crime. Anything incriminating you want to discard should be destroyed beyond recoverability first, and discarded from somewhere other than your home. When I say "destroyed" I don't mean putting it through a shredder; I mean completely destroyed. If the Secret Service finds shredded paper in your trash, they WILL piece it back together.

Paper printouts should be soaked in water to wash away the lettering, and then shredded. Disk contents should be encrypted, then deleted. Disks should then be zapped with a strong magnet (bulk erasers, called degaussers, are available to do just that) and the disks themselves chopped up.[2] These items can be anonymously deposited in some public garbage can, or in the case of paper, a public recycling bin. I'm serious! You do this and you've just blown away any "theft of trade secrets" indictments they wanted to hang on you!
Conclusion: How To Get Caught

This is a book of methods after all, and so here is a list of methods NOT to follow. If you do these things, you will definitely get in trouble. Because, you see, according to Donn B. Parker in his Computer Crime: Criminal Justice Resource Manual, there are five ways you, the hacker, can get caught hacking:

1. by traces or technical means,
2. by being finked on,
3. by getting many agencies ganged up against you,
4. by making a mistake, or
5. by being made (recognized).

You will get caught by phone line traces and other technical means, such as audit logs. So don't keep a routine. Switch the phones and computers you call from all the time.

You will get caught by getting ratted on. Maintain contacts with other hackers, but do so discreetly. Don't tell anyone who doesn't need to know about what you're up to. Above all, be nice to the people you come into contact with while sharing hacking tales, doing research, or while performing the hacking itself. Be nice to them, and hopefully they will be nice to you.

You will get caught by getting many agencies ganged up against you. Don't steal or destroy or vandalize. These things make you look bad, and downgrade hacking in the eyes of those investigating it. Hackers have a bad enough image as it is, mainly because hacking's most public practitioners are eighth grade heavy metal nerdish pseudo-anarchists with skin problems. If you remain true to hacking ethics, you will fare better than if you demolish what you hack, because fewer agencies will be willing to pursue you. Tiptoe.

You will get caught by making a mistake. It is a mistake not to take all of these precautions. Always think before you act. Never reveal anything about yourself. Remember to delete backup files. One of the things that tripped up Lt. Col. Oliver North was that he:

did not understand that using the ERASE command in the White House Executive E-mail system merely removed the name and storage address of an E-mail message from the directory of messages; it did not destroy the contents of the message. In addition, frequent backup copies of all messages were made and stored for later retrieval in the event of a computer failure. As a result, much of his correspondence was retrieved as evidence of possible wrongdoing.

You need to be especially vigilant about timed backups which are made automatically, without your consent.

[2] This behavior is not paranoid enough for the US Department of Defense, which according to Lance Hoffman in his Modern Methods for Computer Security and Privacy (Prentice-Hall, Inc., Englewood Cliffs, NJ: 1977) "feels that there are techniques for electronically retrieving overwritten information and thus requires destruction of the recording medium."
If you're careful, you will make few mistakes.
But the most careful hacker can be tripped up by
the mistake of assuming a course of action is infallible when there are, in fact, gaping holes in it. For
example, in 1974 a criminal in Tokyo tried to use

one of the fundamental properties of electronic


transmission of data in his favor

the delay that

comes about from data being shuffled through

ca-

bles or telephone lines.

The criminal opened a bank account using the

name

Kobayashi, then proceeded to withdraw small amounts of cash from automatic teller
machines (ATMs) scattered around Japan. Each
false

time, after

S.

he withdrew some money, he would

telephone the bank to find out the status of his ac-

By doing so, Kobayashi found that it took


twenty minutes for the bank's central computer to
register a withdrawal from a remote cash-dispensing machine.
Later, Kobayashi used this information after
carrying out a kidnapping. He demanded a ransom
of 5 million yen to be paid into his account, figuring he would have twenty minutes of getaway time
while bank officials waited for the main computer
to receive the information regarding from which
dispenser the sum had been withdrawn. The plan
backfired because of this one assumption. What
Kobayashi didn't realize was that programmers at
count.

bank were able

reprogram the central computer to immediately identify which machine the


criminal was using. Police were stationed close by
the

to

each of the bank's 348 ATMs, and when the kidnapper retrieved the money, he was caught.
Look out for the unexpected twists in your
plans, and remember that there probably are people on the other side trying to find ways to foil you.
Finally, you will get caught by being recognized. In public places, make sure you stay unobto

trusive.

The surest way


start

to

NOT

get caught

hacking. But then, the surest

an inactive

Part of your

is

to

way not to

NOT
die

is

computers
and the things you can do with computers. Without
hacking, all you have to do with computers is busito live

life.

ness stuff or school stuff, a

little

life is

game playing, and

some programming.
hacking, you have instantaneous
control of the world. Enough said. May we all have
a good many peaceful, happy hacks!

possibly

But

WITH

Chapter 15: Conclusion

The Hacker's Ethic

Many hackers and non-hackers have given their versions of the "Hacker's Ethic." The versions are all pretty much the same. What's different is the degree to which the ethic is followed. Smart people, like many hackers, start out by following the rules, the moral codes, the Ethic, but then they get sidetracked. They begin to get the feeling that because they know about the law, they have the authority to break it: "It's not like we're blindly acting without discretion." That's what smart people do because they know they're smart, and because of it, they forget that even smart people, even especially smart hackers, are often very, very dumb.

What I'm about to do is give my own version of the Hacker's Ethic. This is a set of beliefs that I have about the world of computers. It may not be what you believe, but that's all right. Hacking has to do with independence.

However, I urge you to understand why it's important that you formulate a hacker's code of ethics and live by them. Having a code of ethics will help keep you out of trouble. Now, I'm not saying that if you're caught, a judge and jury are going to base their verdict on whether or not you behaved according to your beliefs, since some of your beliefs likely involve illegal activities. What I'm saying is, I like to think that if you have formulated a moral code, and that you abide by that code, and if all known members of your hacker's circle sign affidavits testifying to their loyalty to the code, then in some instances it may allow a judge or jury to honestly say to themselves, "Gee, he meant no harm by it; the damage was not intentional." If you remember our previous discussions of law, many offenses require that, for a criminal action to have occurred, the suspect's conduct must have been intentionally criminal. Well, I would like to think that's the way it would turn out. In real life one can't count on others seeing things from your point of view.

At the very least, one would hope that by providing a code of ethics, you could more easily weed out undesirables from your group, and keep your members safe and happy. More importantly, I feel there is some indescribable underlying goodness about having a code to guide you. If I sound preachy, fine. I'm done.

This is my Hacker's Ethic. These are my beliefs about computers and hacking, as I attempt to live them.

My Code Of Ethics

Computers have enabled a great deal of information to be available to anyone, and quicker and cheaper than ever before. The free flow of information is good, but not when it violates human rights. There are two kinds of human rights. There are rights which pertain to individual humans, and rights which pertain to humanity as a group.

All of humanity should have the ability to access virtually any known information. There should be a free flow of information, and information and technology should be used in moral ways. People should know how things work, if they choose to know, and such information should not be kept from them. New ideas should be heard, and there should be the capability for ideas to be discussed, and questions answered, from multiple viewpoints. People should be made aware that all this knowledge exists, and can be brought to them. Technology should be used to this end, not for profiteering or political gain.

Individually, people should have the right not to have data pertaining to them available for use in ways which are adverse to them. People should have the right to be notified when information about them is added to a database, when and to whom it is sold or given. Because it is their own personal information, individuals should have the right to control how information about them is distributed. A person should have the right to examine information about him or herself in a computer file or database, and should be able to do so easily. The person should have the right to easily correct inaccuracies in that data, and to remove information that is offensive to that person. People should be guaranteed that all makers and suppliers of databases will enable these rights to be granted, in a timely fashion.

All of this is what should be the case, and in some situations these rights are currently acknowledged. However, most of these rights are almost unanimously ignored. Therefore it is necessary to hack. Hacking is using computers (or whatever) to live according to these ideals. Hackers have these ideals about individuals in general and humanity in general, and I have a set of ideals which I personally follow so that the general ideals may be carried out:

Never harm, alter or damage any computer, software, system, or person in any way.

If damage has been done, do what is necessary to correct that damage, and to prevent it from occurring in the future.

Do not let yourself or others profit unfairly from a hack.

Inform computer managers about lapses in their security.

Teach when you are asked to teach, share when you have knowledge to spread. This isn't necessary, it is politeness.

Be aware of your potential vulnerability in all computing environments, including the secret ones you will enter as a hacker. Act discreetly.

Persevere but don't be stupid and don't take greedy risks.

I am not suggesting that following a code of conduct of this sort makes my hacking ethical or moral or right. But I'm also not saying that my hacking is immoral. Don't even raise any arguments along those lines with me because I simply do not care about them. We know what's legal and what isn't. Hacking is something that I am going to do regardless of how I feel about its morality. It is pointless to raise the issue of "Do you honestly think you can justify snooping with your loopy code of ethics?" because if you must consider that issue, you must not have hacking in your blood.

Combining Principles

Throughout this book I've tried to offer general guidelines on the various topics that will prepare you for any computing situation you happen to find yourself in. When it comes to so broad an undertaking as "hacking," there can obviously be no one specific set of steps to follow to achieve one's objectives. Rather, one must call upon a variety of general ideas, overlay them when appropriate, and just hack away until something comes of it. From knowing what to expect and how to react to a new challenge, you should know your ability to hack will improve.

I want to tell you one final story. This is a story which demonstrates many of the principles you have learned from this book: research, scavenging, shoulder surfing, persistence and logical reasoning, programming methods, brute force, general computing knowledge, social engineering, reverse social engineering, screen analysis, system simulators. It shows how each is played off the other for the final triumphant result of a successful hack.

My One-Person Tiger Team

Recently I was given the opportunity to try my hand at hacking into a newly set up computer system at a special library. The library director was concerned because they had recently transferred to this new system which, unlike previous ones, allowed dial-up access from outside lines. The director wanted to know if it was possible to break out of the search facility, into the restricted areas having to do with overdue fines, patron names and addresses. Or would it be possible to escape entirely from the library program to the operating system and perhaps do some damage?

I told him I would be happy to look into the matter. Now, he offered to give me one of the dial-in numbers, but I told him there was no need for that. I was a hacker after all! (Actually, I was acting cocky to impress him; I already knew the phone number from watching him give me a demonstration of how the public part of the system worked.)

I called up the system from my home and explored every inch of it. It was a command-run system. The opening screen allowed one to select a function by entering commands such as CAT to search the library catalog, or HOL to place a hold on an item. The proper way to end a session was with the END command. I tried other, unlisted commands to see if any would work. More than you might realize, this is a very common practice on computer setups where part of the system is public and part is private. Almost always the public part of the system will have at least one secret command to allow entry into the private side. So I tested a whole slew of key words: EXIT, BYE, LATER, START, LEAVE, LOGIN, QUIT, USER, PASS, LOG, LOGI, CIRC, and the like. Some of these I have seen used in actual applications. (For example, CIRC is often used to enter the part of a library program that takes care of circulating materials. I discovered LEAVE on a computer that was situated in a museum; typing it in allowed one to exit the menu and enter a special area for museum curators and employees.) None of these, nor any of the other words I tried, worked.

Since it was a brand spanking new system, I was sure there would be lots of bugs hanging around that I could exploit. Indeed, when I spoke to the director, he bemoaned the fact that certain function keys on the terminals had not been set up yet, and that pressing them would exit one to an incomprehensible programmer's environment. Aha! This is what I needed! But when you're calling in over the phone lines, you don't have access to the function keys that are available on the computers in the company offices.
I thought perhaps the function keys were macros for commands which a user would otherwise have to type in by hand, but I didn't know what those commands were. I was doing nightly excavatings of the building's garbage bins to see if anything would turn up, and finally something did: a badly mangled reference card from the company which had supplied the software package. I painstakingly searched every last inch of the trash that night, but could only come up with half of the card.

At home, I saw that among the things listed on the card were indeed the names of commands mapped to the function keys. Only two of them were legible, and the rest were either torn off or smeared beyond readability, but those two turned out to be enough.

What was immediately apparent was that I had made a wrong assumption: not ALL the commands were standard English words or abbreviations of words, like CAT or END. There were two-letter commands and dot commands, too.

When you input a dot command you type a period (.) followed by an alphanumeric command. They are often used in applications where entering the alphanumeric command by itself would be misinterpreted as inputted data. For example, let's say you're using this library system, and at the prompt where it asks for an author to search for, you decide to search for books by title instead. So you type the TITLE command. What's going to happen? The computer thinks that "Title" is the name of the author you want, and starts a search for someone with that name. To get around that sort of problem, this system allows a period to be typed before a command. Now if you type ".TITLE" at the author prompt, the system sees the leading period and recognizes that what follows should be treated as a command.

Programs often use a period before the command because a period is a small, undistracting character and is also very easy to type. But occasionally you will run into "dot" commands which use other characters, most notably, slashes (/ or \), or an apostrophe (').

Anyway, the reference card told me that pressing function key F1 was akin to the .QUIT command, and F2 was the .HELP command. Both seemed promising: .QUIT because it might allow me access to the nether regions, and .HELP because since this was a newly set up system, help was very likely not yet implemented and might be one of those functions which the director was complaining would crash the system if someone used it.

I was dialing in to the computer from the outside world, and there really isn't any way to transmit a function key press through a modem (function keys are not in the ASCII lineup), so I had to hope that either .QUIT or .HELP would work. Of course I had tried their undotted counterparts before to no avail, but maybe, just maybe, one of them with the dot would work....

Nope!

.QUIT simply terminated my session and disconnected me. When I typed .HELP, the screen cleared, and the following line was printed:

<EOF \txt\hlp\help000>

I presumed this meant that the End Of File help000 in the \txt\hlp directory had been reached; in other words, the file existed but was blank. I was temporarily licked, I thought, though it was interesting that now I knew about a \txt directory which apparently contained various text files, and a \hlp directory within it which held help files.

Something else I noticed: every time the screen was redrawn, a line at the top was displayed which read something like this:

J. Smith Co Special Library On-Line          (000)U/SYSv55.6

The three digits in parentheses changed depending on which part of the program I was using. "(000)" presumably signified the opening screen, where I was attempting to launch these unlisted commands. If I tried the .HELP command at, let's say, screen (013), I figured the system should then search for the file "\txt\hlp\help013." Indeed, that is exactly what happened.

Now, every program has its own style of input and output. One of the things this system used to take input was a command followed by a number. For example, if a search turned up fifty books, you might type "BR12" to see a brief citation for book number 12. I wondered if the same format would apply to the help command as well. I tried ".HELP99999," hoping that 99999 would be a number too big for the system to handle (certainly there was no screen that high). What happened was I got a message informing me that the command was not valid. I tried other variations, such as ".HELP 99999" and ".HELP < 99999" but none of them were valid either. Finally I gave ".HELP99999" one last try and this time it worked! I guess I had made a typo when I tried it the first time, perhaps inserting a space between the "P" and the "9," or whatever. The system crashed, and I found myself launched into the programmer's debugging environment.

It was like a mini-editing system for the text and batch files that the database used. I fooled around a bit with it and came up with nothing much of value except for a copyright notice that gave the initials of the company that made the program. I looked through various directories of software companies, trying to come up with actual words to go with the initials, and finally I found two that fit. I called up the first and found out that they were the ones who had written the program I was interested in. I asked about obtaining replacement documentation for the package. They said sure, all I had to do was supply the serial number that came with my software and they would send me the book for a nominal fee. I tried some bullshitting: "Well, I don't know the serial number because I don't have the instructions." No good; the receptionist informed me that the serial number could be found on a label stuck to the original disks. "I don't have the disks near me right now; I'm calling from my car phone. I'm sure I sent in my registration card, perhaps you could check that? My name is Jonathan Smith from J. Smith Co..." I prayed that the real J. Smith had sent in his card. He had not. I thanked the receptionist and told her I would call back the next day.
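The .HELP behaviour the story describes (a numeric screen argument used unchecked, a blank-file message that reveals the \txt\hlp layout, and the resulting fault dropping a dial-up caller into a privileged debugger) is modelled below as an added illustration, not the software vendor's code. The command names, screen numbers and help-file naming come from the story; the screen range, the help texts and the dispatcher itself are constructed, and the vulnerable dispatcher is shown beside a hardened one.

```python
r"""Dot-command dispatch for a menu-driven program like the library's circ
system. Added illustration, not the vendor's code: .HELP, .QUIT, the "(NNN)"
screen number and the \txt\hlp\helpNNN naming come from the story; the
screen table, help texts and dispatcher are constructed.
"""
import re

KNOWN_SCREENS = range(0, 14)          # constructed: screens 000..013 exist
HELP_DIR = r"\txt\hlp"

# Constructed help texts; every file is still blank, as on the new system.
HELP_TEXT = {screen: "" for screen in KNOWN_SCREENS}

DOT_CMD = re.compile(r"^\.([A-Z]+)\s*(\d*)$")


def parse_dot_command(line):
    """Split ".HELP99999" (or ".HELP 99999") into ("HELP", "99999").
    Returns None for anything that is not a dot command."""
    m = DOT_CMD.match(line.strip().upper())
    return (m.group(1), m.group(2)) if m else None


def help_file_for(screen):
    r"""Screen (013) maps to \txt\hlp\help013, as the story observed."""
    return rf"{HELP_DIR}\help{screen:03d}"


def dispatch_vulnerable(line, current_screen):
    """Models the system in the story: the numeric suffix is used as an index
    with no range check, so .HELP99999 raises instead of being rejected."""
    cmd, arg = parse_dot_command(line) or (None, "")
    if cmd == "QUIT":
        return "DISCONNECT"
    if cmd == "HELP":
        screen = int(arg) if arg else current_screen
        table = [help_file_for(s) for s in KNOWN_SCREENS]
        path = table[screen]                  # IndexError for 99999
        if HELP_TEXT[screen] == "":
            return f"<EOF {path}>"            # leaks the directory layout
        return HELP_TEXT[screen]
    return "COMMAND NOT VALID"


def dispatch_hardened(line, current_screen):
    """Same command set with the argument validated before use, a generic
    message instead of an internal path, and no exception allowed out."""
    cmd, arg = parse_dot_command(line) or (None, "")
    try:
        if cmd == "QUIT":
            return "DISCONNECT"
        if cmd == "HELP":
            screen = int(arg) if arg else current_screen
            if screen not in KNOWN_SCREENS:   # reject before indexing
                return "COMMAND NOT VALID"
            return HELP_TEXT[screen] or "No help is available for this screen."
        return "COMMAND NOT VALID"
    except Exception:
        # A fault in a public command must not change what the caller can reach.
        return "COMMAND NOT VALID"


def session(dispatcher, line, current_screen=0):
    """What the dial-up caller sees. On the story's system an unhandled fault
    handed the caller the programmer's debugging environment; that escalation
    is modelled here by the string returned from the except clause."""
    try:
        return dispatcher(line, current_screen)
    except Exception:
        return "PROGRAMMER DEBUG ENVIRONMENT"
```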
I figured the company library must have the documentation, but I couldn't just show up there and ask the director if I could peruse it for a while. Besides, I wanted to do this whole thing as if I were an outside hacker, unconnected with the company, trying to get in; special favors were out of the question. That meant it was time for some serious social engineering. The only person at the library who knew anything important about the system was the library director himself, and he was out of the question since he would recognize my voice. Anyway, all I needed was this serial number. I called up the library reference desk, and made up a story about how I was a programmer from the company that had installed the new computer system and I was wondering if they had version 8 of the program? Naturally she didn't know, but I kindly explained to her that to find out she would have to look for some disks with labels stuck to the front of them....

She found the disks in the director's office, and told me that the number eight wasn't printed anywhere, just one long serial number. I had her read it to me, and one of the twelve digits was an eight, so I told her yes, everything was fine, that I just wanted to make sure she had the newest version, and that I would send her version nine if we ever got around to releasing it. She couldn't have cared less.

Anyway, I paid extra for overnight delivery of the debugger documentation, and got it late the next day. Poring through it I found out how to move around in the programming environment and, more importantly for my purposes, to exit from it. (All the important commands were abstruse things like KLOO and EE61. This editor was clearly a rush job, created by programmers, for programmers.)

Exiting the debugger got me to a login prompt. I quickly found that typing in "circ" at this prompt, and "JSC" at the following password prompt, would bring me one step closer inside. (Here JSC stands for J. Smith Co. Of course that is a fictitious name.) After entering the password correctly I was brought to a second level of security; apparently the circ/JSC was a general login combination that anyone with legitimate access to the system knew. Now I needed to put in "your personal 9-digit ID code." Okay, well we know what nine digits means: a social security number!

I knew that the director had been born and raised in Kentucky, so I knew the first three digits of his social security number. I wrote up a program to continuously spit out possibilities for the last six digits, and it wasn't too long before I found one that worked. When it did, I was greeted with, "Good evening Jane Thornbuckle! Please enter your personal password." Jane Thornbuckle was not the library director. Now I needed Jane's password. I went back to brute forcing for a while, looking for Thornbuckle's personal password by trying out the obvious possibilities, until I got sick of it.
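The second-level login the story describes (a 9-digit ID code answered with the account holder's name before any password is asked for) is modelled below as an added illustration, not the vendor's code. The prompt wording comes from the story; the accounts, the dial-in line names, the lockout threshold and the audit-log lines are all constructed. It shows the response that lets valid codes be recognised one by one, a hardened flow that decides ID and password together and locks a misbehaving source, and a log check that flags a source walking through many codes.

```python
"""Second-level login like the library's circ system: a 9-digit personal ID
code, then a personal password. Added illustration, not the vendor's code.
Accounts, line names, the lockout threshold and the log lines are constructed.
"""
import hmac
import re
from collections import defaultdict

# Constructed accounts: ID code -> (display name, password).
ACCOUNTS = {
    "402660123": ("Library Director", "firebird"),
    "402660777": ("Jane Thornbuckle", "s3cret"),
}
DUMMY_PASSWORD = "no-such-account"   # compared against for unknown IDs
MAX_FAILURES = 5                     # constructed lockout threshold


def id_step_vulnerable(id_code):
    """What the story's system did: it confirmed the ID, and even named the
    account holder, before any password was entered. Each valid code can
    therefore be recognised from this response alone."""
    if id_code in ACCOUNTS:
        return f"Good evening {ACCOUNTS[id_code][0]}! Please enter your personal password."
    return "Invalid ID code."


def id_step_hardened(id_code):
    """Same prompt whether or not the code exists; validity is decided only
    together with the password, in login_hardened()."""
    return "Please enter your personal password."


def login_hardened(id_code, password, source, state):
    """Decide (ID, password) as one unit. `state` maps a source (a dial-in
    line here, an IP address today) to its consecutive failure count; after
    MAX_FAILURES the source is refused before the pair is even evaluated.
    Locking the source rather than the account keeps a guesser from locking
    out the real users whose codes it happens to hit."""
    if state.get(source, 0) >= MAX_FAILURES:
        return "LOCKED"
    _name, stored = ACCOUNTS.get(id_code, ("", DUMMY_PASSWORD))
    # Constant-time compare, run even for unknown IDs so timing is uniform.
    match = hmac.compare_digest(password.encode(), stored.encode())
    if match and id_code in ACCOUNTS:
        state[source] = 0
        return "LOGIN OK"
    state[source] = state.get(source, 0) + 1
    return "LOGIN FAILED"


LOG_LINE = re.compile(r"src=(\S+) id=(\d{9}) result=(\w+)")

# Constructed audit log: one ordinary login, one mistyped password, and one
# line trying a run of different ID codes, the trace a guessing program
# like the one in the story leaves behind.
SAMPLE_LOG = """\
1994-03-02 03:10:01 src=line01 id=402660123 result=OK
1994-03-02 03:12:40 src=line07 id=402660001 result=FAIL
1994-03-02 03:12:44 src=line07 id=402660002 result=FAIL
1994-03-02 03:12:48 src=line07 id=402660003 result=FAIL
1994-03-02 03:12:52 src=line07 id=402660004 result=FAIL
1994-03-02 03:15:00 src=line02 id=402660777 result=FAIL
1994-03-02 03:15:09 src=line02 id=402660777 result=OK
"""


def flag_enumeration(log_text, threshold=3):
    """Return the sources that tried more than `threshold` distinct ID codes.
    A legitimate user retries one code; an enumerator walks through many."""
    ids_by_source = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            ids_by_source[m.group(1)].add(m.group(2))
    return sorted(src for src, ids in ids_by_source.items() if len(ids) > threshold)
```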
I didn't know who Jane Thornbuckle was, but one of the things I had pulled from the garbage was a stack of discarded company newsletters. Buried deep in the stack was the answer: Thornbuckle was a figure in the company's Management Information Services Department (i.e., a computer programmer). I did some more hacking away at her password, but that was fruitless. Finally I restarted my program to try social security numbers, and eventually came up with the library director's. Hacking his password by chance was, like Thornbuckle's, getting me nowhere.

I decided to look back at what I already knew. The programmer's environment was an interesting thing, and I played around with it awhile until I had learned enough about it to use it to edit files to my liking, as well as a few other tricks. I was able to use one of the debugger's find commands to locate every occurrence of the word "circ" in the system files. One of these files contained a bunch of gibberish, the word "minicirc," some more gibberish, and then "circ" followed by more gibberish. I tried analyzing the gibberish after the second circ to see if it could be unencrypted to read "JSC." If it could, then I would be able to use the same procedure on the gibberish following "minicirc." This tactic was to no avail.

Back I went to that initial login prompt and tried typing "minicirc" with various passwords. The problem was I didn't know what the "mini" part meant. My best guess was that it was some sort of small version of the actual library system: a simulator or training module. I was trying passwords like TRAIN, MINI, MCIRC, MINICIRC, TUTOR, LEARN, and after a lot of trouble, finally came up with T.CIRC1. This got me to my favorite little message: "Please enter your personal 9-digit ID code." Within a few seconds I had discovered that the number "555555555" worked like a charm on this mini circulation system. The screen cleared. "Good morning New User!" my glowing computer screen exclaimed (it must have been three or four in the morning). "Please enter your personal password." This was, I hoped, the last level of security. Yes it was: a few moments later I was in the minicirc under the password "TRAIN."

I was proud of myself. I had managed to get out of the public side of the dialup system and into the behind-the-scenes area. But my journey was not over yet, because I still had not gotten into the actual circulation system, just the simulated one the company was offering at the time.

The minicirc was helpful, but it lacked certain features which, if I were an industrial spy, I would have liked to have had access to. I could use minicirc to check out books to patrons, register new patrons, search the databases, etc., but the database contained only imaginary names and addresses. Many of the other features of the system were unimplemented, but just knowledge of their presence helped me. There was a bulletin board service, which would display messages after logging in. A few standard messages had been left by the installers: "Hi, welcome to the system...." From examining these messages carefully, I came up with some important tidbits of information.

Each message began by listing who had sent the message, and who could receive it. Part of the sender data included the word "minicirc," which implied that it was possible to send messages from the minicirc to the circ and vice versa (otherwise, why would they bother putting that in there?). The second important fact was that although messages were apparently sent by default to all users, one could specify a particular user who would be the only one to read a posted message.

I used the editor to write a letter and send it to myself. Then I logged off, called back and broke out to the programming environment as I had been doing. Pushing the debugger to its limits, I was able to use its file editors to find the letter I had written, and alter its contents. Instead of being directed to me on the minicirc, I changed it to be sent to the library director. And where originally the file had stored my own name, "New User," I altered it to say that it came from some fictitious representative from the database company that had written the software. The bulletin instructed the director to call this person about some new improvements that could be gotten for free now that version nine had been released (reverse engineering). I supplied a phone number to call. The number I gave him was that of a friend of mine, a fellow hacker named Morriskat, whom I had thoroughly briefed on how to act when the director called. We set up Morriskat's answering machine so that if the director called when he wasn't there, a convincing song-and-dance would tell about the new products this company was offering at the time.

When the director did make the call, Morriskat talked about some upcoming features, then asked him some technical questions about the particular way the software had been installed for his library. The director didn't know the answers but, he said, he had a terminal right in front of him; he could log on...

"Perfect," Morriskat said. "Just go through your usual stuff. Circ. JSC. Uhm, Social Security Number 402-66-0123. Are you still using the personal password we originally set you up with?"

"Yeah, 'Firebird.' Okay I'm in...."

Knowing three out of the four security controls, projecting an air of omniscience, and having the spoofed e-mail as support, getting that final password was easy as pie.

For the last phase of the project, Morriskat and I sat down to see what we could do with the library director's system access. It turns out we could do plenty. We made up new superlevel accounts for ourselves. We were able to toggle access to virtually every aspect of the software to any other user. And we could print out personal information about every employee at the company, because every employee, whether they ever stepped into the company library or not, had a record in the library's computer. We knew what materials they had borrowed, their home and office phone numbers and addresses, and year of birth.

Exiting from this level to the network server was simple to do, and from there we could login to one of the host computers using the library director's name and his password "firebird."

As the coup de grace, and to prove conclusively that I had done what I had set out to do, I used the programmer's interactive debugger editor to alter the library program's opening screen so that instead of giving an explanation of commands, it told a dirty joke. Then I left a file inside the library director's directory which explained how I had broken in.

This story as I've told it here is pretty much as it happened, although here I've expanded more on the hackerish side of things.

Principles Combined

If you are to be a truly successful hacker, one who can hack on demand like this, then you must be a hack-of-all-trades. It's not enough to be a spontaneous and smooth-talking social engineer. It's not enough to be a programming genius. It's not enough to have the perseverance of a marathon runner. You must have all of it and an imaginative, goal-oriented mindset as well. And the ethic. I truly believe that a hacker who lacks the hacker's ethic will be going nowhere fast, because if you don't show an honesty and compassion in what you do, others will not act kindly toward you and that quickly leads to trouble.

Did I display the hacker's ethic when I carried out the hack I've just described? Yeah. I had done nothing more than rename the file that contained the system's opening screen, and put the dirty joke in a new file with the old name. And I showed the library director how to go about switching them back. Later the two of us, along with members of the computing staff of the company, held a meeting to discuss what actions would be taken to close up the security holes I had found. And, I should add, they have done so.

Concluding Thoughts

Ask any enlightened sage about the purpose for the existence of our universe, or ask any burning, age-old philosophic question of the kind, and the response will invariably be something like this: "I know the answer. I can feel it, and I can feel myself knowing it. But to put it in words is impossible. I can not say it in words; I can simply use words to describe an indescribable sensation." Your natural reaction to this bull is, "What a phony!" And of course, he is a phony. But he's also sincere. He truly believes he understands all the mysteries of the universe, and those many and varied teachings that make up the answers to those mysteries are things that must be experienced first hand. Things can be explained to you, but they can't be felt unless you yourself have felt them.

So here is your passport to the world of hacking outside this book. You now know the ideas, the methods, the information and facts that will allow you to begin a hack in a systematic way, and you know what can be done to minimize mistakes and wasted effort, and reduce your chances of getting caught. But naturally, that is not enough. As with any hobby/game/education/occupation it takes trial and error, practice and experience, lots of time and patience and practice and more practice, before things work out as you would like.

Some Thoughts To The Concerned Administrator

If you have read this book because of your interest in law enforcement, security, or the mindset of the computer delinquent, then you should have by now learned dozens of ways the most seemingly airtight of security systems can be broken and penetrated. You should have, by now, made up a comparable list of ways to protect against each of the methods I've described.

Such a list should include stressing to your system's users the importance of keeping good passwords, regularly changing them, and taking note of the login message which will display the user's last login date, time and place.

Explain to users that they should never reveal any information of a confidential or suspicious nature over the telephone, through the postal service or electronic mail, or in "chat" mode. Tell your users that if they are asked to reveal such things as passwords, they should simply respond, "I can not help you with that," and end all communications. They should not reveal name or phone number, e-mail address or physical address. All that is required is that statement. Any caller with a legitimate complaint or concern will be able to deal with the situation. All others will be hackers.

Set up a means by which legitimate users can question a suspicious character lurking about the offices without seeming to be rude or obnoxious if the "character" has an honest reason for being there.

Don't let your users become complacent about security, but don't overwhelm them with it either. Most people will follow a few rules, even if it inconveniences them slightly. If your demands are too outrageous however (changing passwords at every login, for example), none of your users will comply. Make sure they understand why you are concerned. Point out the loss to them if security is breached. Make sure they understand how important all of them are in maintaining safety not just

Some Thoughts To The Concerned Hacker
for themselves, but for every other member of the
organization, and every other member of any
group connected with yours.

Don't

You've come this far and you still have doubts


about success? I guarantee you, if you care about
learning to hack,

security,

ensure that security is as close


to 100% as possible, set up a regular maintenance
and clean-up schedule. Actively look for holes in
your system's armor. If you hear of hacker attacks
or viruses at other sites, learn about their problems
and see that they don't happen to your own site.
Fix known bugs immediately and promptly remove
Finally, to really

debugging tools and options. One investigator


has estimated that a third of the security holes he
has found were due to debugging options.
all

If

an employee leaves your organization, im-

mediately erase their access and change everyone

when you erase the


you must strike a balance
between fair-warning and urgency. A disgruntled
employee will be even more vengeful if you destroy a year's worth of work in addition to firing
him and closing his account. But giving a warning
too far in advance allows viruses, time bombs and
else's access

codes. Notice that

ex-employee's account,

trap doors to creep into

Numerous

your system.

pieces of literature are available for

any machine detailing specific security measures


an administrator should take. Make use of these.
They will point out flaws you could never have
dreamed existed.
Ultimately, the

involves will prove

bit of extra work


immense worth.

little

its

this all

you

will

become

proficient in the

art.

If

you've tried and tried and tried, but you still


managed to get past finding a phone num-

haven't

or perhaps you

can't even get to that


you
count yourself among one of the few true
hackers so long as your intentions are good, you
play it safe with hacker security, you intend to act
ethically when you do come onto a system, and you
intend to enjoy your Ufe to its fullest potential.

ber

can

still

After

all,

that's

what a hacker is and does.

Congratulations and good luck to you:

know the Secrets of a Super Hacker!

And you, too, are one.

now you

_J

Further Reading

Hacking begins and ends as an intellectual exercise. What that means is, if you want to continue to experience the thrill of tap dancing through the nation's computer systems, you must have thorough knowledge of what goes on within that playing field of networks, telephones, terminals and users. If you expect to get in and out of the really big governmental and corporate systems you must be intimately familiar with the operating systems, acronyms, weird jargon and the way people think. I highly recommend the books listed below, at least for your own enjoyment and to further your interest in the world of deviant computing.

The Books

Berkman, Robert I. Find It Fast: how to uncover expert information on any subject. Harper and Row Publishers. New York: 1987. There are many books of this kind; if you can't find this particular one, it might be helpful to see if you can locate others. Berkman lists some good phone numbers and addresses of organizations you can get in touch with to help you get information in lots of areas necessary for a hacker to know about, including: companies, libraries, special/company documents, governmental documents, etc. If for no other reason, find this book to read the last couple chapters. In them Berkman gives you tips for extracting information from people. It may not all be directly applicable to social engineering, but it will surely help you out.

Cornwall, Hugo. The Hacker's Handbook. E. Arthur Brown Company. Alexandria: 1986. This book is geared toward United Kingdom hackers, especially those with knowledge of electronics and ham radio. It often talks in general terms rather than specifics, and is not as handy as the title seems to indicate. (Unless you're in the UK and/or have a technical understanding of electronics. If you're the former, then this book will probably be of some assistance. If the latter, there's probably nothing in here you haven't already thought of yourself.)

Farr, Robert. The Electronic Criminals. McGraw-Hill Book Company. New York: 1975. Not too much here about hacking per se, but there are many helpful and exciting anecdotes to aid you in your social engineering and trespassing skills.

Forester, Tom and Morrison, Perry. Computer Ethics: cautionary tales and ethical dilemmas in computing. MIT Press. Cambridge, MA: 1990. Computers and ethics. That's what hacking is all about.

Glossbrenner, Alfred. How to Look it Up Online. St. Martin's Press. New York: 1987. Includes many useful phone numbers (voice and modem), and explanations of the various services offered and how to use them. Glossbrenner's books are often called "The Bible of X," X being whatever topic he is currently writing about. Check out his other books, too.

Hafner, Katie and Markoff, John. Cyberpunk: outlaws and hackers on the computer frontier. Simon & Schuster. New York: 1991. Learn from their mistakes! Profiles of three "outlaws and hackers" are given here. Sprinkled throughout are helpful hacker hints, interesting histories and revelations of behind-the-scenes goings-ons at your favorite hack targets. Possibly more important than all that is to see how these master hackers got caught, so you can do just the opposite of what they did.

Landreth, Bill. Out of the Inner Circle. Microsoft Press. New York: 1984. "Reformed" hacker Landreth uses his expertise to show system operators and computer managers how they can prevent their security from being breached. Because Landreth has had actual hacking experience, this book is more useful to the hacker than other books of its kind. Includes some interesting anecdotes and useful information.

Parker, Donn B. Computer Crime: criminal justice resource manual. SRI International. 1988. A National Institute of Justice publication intended for feds and phone cops. Some useful hacker tips can be found here and there, but more importantly, it is essential for you to learn how you will be investigated so you can protect against it.

Rothman, David H. The Complete Laptop Computer Guide. St. Martin's Press. New York: 1990. This book is a must-read for out-of-towners. Handy information is given on the laptop and modem laws in countries all over the world. This is done without neglecting the United States. If you need a good source for any portable computer information, this book is the place to find it.

Sterling, Bruce. The Hacker Crackdown: law and disorder on the electronic frontier. Bantam Books. New York: 1992. There's a lot of history and homages herein. Much ado about many topics related to hacking, cracking, phreaking, partying and wild boys having a good time cruising through computer networks. Also, Sterling is a good writer.

Stoll, Clifford. The Cuckoo's Egg. An instant classic, this book is an intriguing mix of detective story and cracker espionage. Don't ask questions: just read it.

Zarozny, Sharon. The Federal Database Finder: a directory of free and fee-based databases and files available from the federal government. Information USA, Inc. Chevy Chase: 1987. Lists governmental contacts to find out about various databases. Many such directories exist, this being just one.

Other Sources

Keep up to date with all the above-ground computer mags and newspapers, college and company newsletters, and computing service pamphlets from various sources. You will find that most of this information is totally useless and/or bogus, but every once in a while you'll get a lead or a good idea. And you can use straight computer magazines to get tons of free literature from companies. You can even get the magazines for free if you convince the subscription department that you are someone in the industry. There are two ways to do this. The way I do it is I go to the library and borrow some computer magazines. I tear out the "Reader Information Postcard" from the back, and as I'm going through the issue, circle the numbers for products which interest me. I get information from a lot of different companies, as well as free disks and posters. When I fill in my name and address, I put myself down as president of some made-up company. (There are usually spaces on these cards to enter your title and company.) After awhile, the magazine subscription department goes through its mailing list, finds President so-and-so, and sends me a form to fill out which entitles me to a free subscription to their journal! (Note: The form they send you usually contains a lot of nosy questions.)

If your library doesn't carry a magazine you'd like to receive, you can always just type up a letter to the subscription department of that magazine, and ask about rates for "buyers." You see, they are only interested in giving away free mags to people who spend a lot of money at their companies. By the way, if your library does get one of these magazines, there's no sense in using these tricks to steal a subscription, is there?

In any case, for the real inside dope on the hacker scene, you want to go to the underground press. There are many, many hacker/phreak/anarchist journals flying around. Most of these can be found on-line. That is, you get them from anonymous FTP, or download them from BBSs. They are all free, and legally free. Certain nefarious presses have been selling this stuff through mail order for exorbitant prices. If you've bought any of it, you've been screwed. There's no reason to buy it when you can download these journals yourself and print out the good parts.

These zines are often written by cocky, spaced-out adolescent weirdos who don't know much except that they hate everyone and everything. Sometimes they contain decent information, but often it is just a bunch of how-to-be-an-asshole. A lot of the articles ("philes") you'll find in these journals are simply rehashings of mainstream works, such as down-to-earth retellings of technical articles. But I have come across useful stuff in these things. In the very least, reading these journals makes you feel good, because you'll end up thinking to yourself, "Gosh, these so-called hackers don't know much more than I do."

And it's true. You can know a lot about computers; you can learn a lot about hacking, but ultimately, the greatest hackers are the ones who are most dedicated to what they set out to do. There are no algorithms to follow to become a good hacker. There is only trial and error, continued patience, and a loyalty to one's own ethics.

Glossary

acoustic coupler
A device consisting of two cups mounted on a base, into which one inserts a telephone handset. The acoustic coupler is connected to a modem, which sends its signals directly through the mouthpiece of the phone, and receives signals through the earpiece. Useful for hacking on-the-run, such as from telephone booths and public fax machines.

amplifier
A device for increasing the amplitude of a signal without altering its quality.

analog signal
An output that changes in proportion with changes in the input producing it.

anonymous FTP
The ability to transfer a file from a remote computer connected to Internet without having an account on the remote computer. (Though the remote system actually does know who is logged in.) One enters "anonymous" for username, and usually one's e-mail address for the password. The program that performs the file transfer is called FTP.

application program
Any software that is not part of the operating system. A word processor is an application program. These are where you hide Trojan horses. Sometimes called "app" for short.

archive
Several files grouped together and generally compressed into a single file. This is done to facilitate uploading and downloading those perhaps unwieldy files to other sites. Archive also refers to a computer or drive which acts as a repository for files, especially a drive which can be accessed via FTP.

asynchronous
Multiple programs or processes overlapping each other in execution and possibly memory. An asynchronous attack on a system involves one program attempting to change the parameters that the other has checked as valid but has not yet used. For example, it is illegal for just any old user to invoke the "su" command to make himself a superuser; doing so gets an error message. But if the contents of memory that hold the "reject request for superuser status" are changed to "accept request for superuser status" by another process, then the original "su" command will execute.
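As an added example that is not from the book, the check-then-use race the entry above describes, simulated in Python: the interfering process is modelled as an explicit hook rather than a real thread so the interleaving is reproducible, the vulnerable routine re-reads the shared record after checking it, and the hardened routine checks and acts on a private copy. All names (PrivilegeRequest, ADMINS, su_racy, su_safe) are hypothetical.

```python
"""Added example (not from the book): a deterministic simulation of the
"asynchronous attack" defined above, i.e. a check-then-use race in which a
second process rewrites a request after it has been validated but before it
is acted on.  All names here are hypothetical, and the interfering process is
modelled as an explicit hook instead of a real thread so the interleaving is
reproducible."""
from dataclasses import dataclass, replace
from typing import Callable, Optional

SUPERUSER = "root"
ADMINS = frozenset({"operator"})          # constructed sample policy

Interleave = Optional[Callable[["PrivilegeRequest"], None]]


@dataclass
class PrivilegeRequest:
    """Record shared between the validating code and the code that acts on it."""
    user: str
    decision: str = "pending"             # becomes "accept" or "reject"


def validate(req: PrivilegeRequest) -> None:
    """Step 1 of "su": check who is asking and store the verdict in the record."""
    req.decision = "accept" if req.user in ADMINS else "reject"


def su_racy(req: PrivilegeRequest, other_process: Interleave = None) -> str:
    """Vulnerable pattern: validate the shared record, then re-read it when acting.

    Returns the identity the caller ends up with."""
    validate(req)
    if other_process is not None:
        other_process(req)                # the window between check and use
    # Step 2 trusts whatever the shared memory says *now*, not what was checked.
    return SUPERUSER if req.decision == "accept" else req.user


def su_safe(req: PrivilegeRequest, other_process: Interleave = None) -> str:
    """Hardened pattern: copy the request into private memory first, then
    validate and act on that copy, so later changes to the shared record
    cannot influence the decision."""
    private = replace(req)                # snapshot nothing else can reach
    validate(private)
    if other_process is not None:
        other_process(req)                # tampering hits only the shared record
    return SUPERUSER if private.decision == "accept" else private.user


def flip_verdict(req: PrivilegeRequest) -> None:
    """Stands in for the hostile process described in the glossary entry."""
    req.decision = "accept"
```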

avatar
Alternative name for the root or superuser on a (usually UNIX) system. In Hindu mythology, an avatar is the incarnation of a god.

back door
Synonym for trapdoor.

backbone site
Key USENET and e-mail site which processes a large amount of third-party traffic. That is, it receives and sends news and messages to other sites.

baud
Pulses per second (pps), with the assumption that each pulse is identical in amplitude. One baud is considered to equal one bit per second. Thus, when all pulses have the same amplitude, baud refers to bits transmitted per second.

BBS
Bulletin Board System. A computer set up to receive modem calls. Users dial in, then have access to various features including e-mail, message exchanges, games, and text files.

BIOS
Basic Input/Output System. Consists of a piece of code used to govern the elementary system-level functions of a computer.

bit
The smallest unit of data that a computer can understand.

BITNET
A network that connects many universities and colleges together. It provides e-mail and file transfer capabilities. It does not have the ability to do remote login (telnet sessions).

boffin
Term used circa World War II to refer with admiration to hacker-like folk who wanted to understand how the world worked, and used their knowledge to invent accouterments for the world. Now we refer to ourselves as hackers.

bps
Short for "bits per second."

browsing
To ferret out data that has been left behind in computer memory or on storage media after the termination of a critical program or process.

buffer overflow
A buffer is a (usually temporary) holding area for data. Overflow happens when excess data is fed to a buffer, without giving it time to digest previous intake. Two reasons for buffer overflow: The buffer may not be sufficiently large to contain all the data that is needed before processing of that data can begin, or there may be a mismatch in the rates of data production to data consumption. A person might try and hack his way out of a program by inducing buffer overflow.

byte
Informally, a byte is a small amount of memory, just enough to hold a single letter, digit, or other character. It is made up of bits.

C
A popular programming language that, along with its cousin C++, any hacker should have at least a passing familiarity with. UNIX is written in C.

CCTV
Closed Circuit Television. Security cameras set up in office buildings and elsewhere are monitored on CCTV.

CD-ROM
Compact Disc Read Only Memory. Some computers use compact discs the way other computers use floppy disks. Often large databases are distributed on compact discs.

chat
To talk to another user online, normally on mini or mainframe computers. In BBS circles, chat would imply talking with the sysop on a single-user system.

CIO
Chief Information Officer.

console
On a mainframe, the station which the system operator uses to control the computer, or whichever tty the system was booted from. Also, cty and ctty.

console PBX
Desktop switching service.
covert channel
A way to secretly communicate information out of a private domain of a system, such as an account.

cracker
A hacker who does not respect the computers he or she hacks.

cty
Console tty. (Also ctty.)

daemon
Short for Disk And Execution MONitor. A program that is not explicitly started either by the user or the program the user is using, but rather one that lies dormant, watching for a set of conditions to hold true, then it will start itself. Pronounced "day-min" or "dee-min."

demodulation
The process of removing an audio signal from its high frequency carrier. When a modem demodulates those funny beeps coming over the phone line, it is shedding the high pitched, waste portion, and retrieving the usable information.

demon
Similar to a daemon, except this program is invoked by a user or another program.

DES
Data Encryption Standard. An encryption technique for scrambling data.

detector
An electrical circuit used to remove the modulation from a carrier signal. Also a device which makes use of such a circuit.

DOS
Disk Operating System. Term used to refer to operating systems in general, or to the operating system of the Apple II series. Also used loosely to mean either MS-DOS or PC-DOS.

dual-tone multifrequency dialing
A dialing method using a pair of tones, one high and one low. Touch Tone phones use this method.

dumb terminal
A device that allows input to a computer (such as through a keyboard) and output from the computer (through a video screen) and nothing else. Contrast with smart terminal.

duplex
Simultaneous communication in two directions. Two telephones connected together make a duplex system, but if one of the telephones has its mouthpiece broken off, it becomes a simplex system.

EDP
Electronic Data Processing.

e-mail
Short for electronic mail. Sometimes seen as email. The ability to have a private message exchange between two or more users on a BBS, network, or other computer system. Also refers to the message itself.

firewall machine
A machine equipped with various security features, used as a gateway to protect the main computers. Users must get through the safety features of the firewall in order to access the important computer or network beyond.

FOIMS
Field Office Information Management System, computer used by the FBI to automate the routine administrative and record keeping functions of their field and resident offices.

FTP
File Transfer Protocol. A set of protocols by which files can be transferred from one computer to another. FTP is also the name of a program that uses the file transfer protocols to move files back and forth between computers.

FTS
Federal Telecommunications System. A direct-dialing phone system used by agencies of the federal government for voice, scrambled voice, high-speed data, fax, and teletype communications.

group accounts
A single computer directory or account protected by passwords, where the passwords are distributed to a number of users. For instance, all secretaries at an office might use the same account.

hacker
Time for a pop quiz! Read this book, then use your own judgment to compose a definition for the word.

handle
An assumed name; an alias. Often used on BBSs.

handshaking
The process or activity by which two separate pieces of hardware coordinate their signals so that they can work together, usually to send messages between them. When you call another computer on your modem, the two modems must handshake to synchronize their responses.

intelligent terminal
A smart terminal.

interactive question and answer sequence
An access control system using a random list of questions. Because of their personal nature, the answers should be known only by the correct user and the system itself, thus authenticating account ownership.

interoffice telephone call
A telephone call not able to reach the outside world.

Internet
A very large network that connects just about any type of computer together. It supports e-mail, file transfer protocol (FTP), and remote login (telnet).

iron box
Perhaps not too accurate a name, since any hacker falling into a literal iron box would certainly know about it! An iron box is a restrictive or otherwise special environment set up on a system to trap unwary hackers into staying on the line long enough to trace. The trap may be a simulation of the actual system, or an abundance of groovy text files to read, or something simple like slowing the system down to a crawl.

ISIS
Investigative Support Information System, used by the FBI as a massive database of important ongoing investigations. Every piece of known data about a case is entered, which can then be cross referenced and checked instantly.

Joe
An account which has the username, or a variation of the username, as the password (regardless of whether that username is, in fact, "Joe"). Joe accounts have been called the "single most common cause of password problems in the modern world."

LAN
Local Area Network. A network that is linked locally, that is, within the same room, the same building, or perhaps between adjacent buildings. Usually machines in a LAN are connected via cables (such as in an office). Contrast with WAN.

letterbomb
A piece of e-mail that contains live data, with the purpose of causing harm to the recipient's system. Might also be called a nastygram.

limited-use passwords
A passwording system that combines the standard reusable password with once-only codes. These passwords may only be used a set number of times, or until a certain date.

line
Pairs of connecting wires from a telephone to a central office. Also, loop, telephone line.

Listserv
A program available on many BITNET computers that sends mail and files to other computers. For example, if you want to start a mailing list, the Listserv would send the files you want mailed to the appropriate destinations.

live data
Information in a data file which, under certain circumstances, gets read, or interpreted, as instructions to the computer. For example: On the Apple IIe it is possible to turn an innocuous REM statement in an Applesoft BASIC program into a nightmare. Slip a Control-D into the REM so that when someone lists the program the ^D will be printed in the first screen column. Any DOS command following that character will be executed. One could write a program that does nothing, but if anyone tries to list it, their disk gets initialized. More commonly, one thinks of live data as control instructions to the terminal.

log
A record kept of computer activity; may be printed or stored to disk. System operators are fond of reading through their logs to spot hacker activity. If you find one detailing your exploits, you'll want to remove the incriminating parts of it.

logic bomb
A subversive piece of code in an application program that is executed when specific conditions hold true. A disgruntled employee might, before quitting his job, insert a line that says, "IF Joe Smith's account is deleted from the system THEN instruct payroll program to combine all paychecks into one and mail them to Joe Smith." Also called a time bomb.

login
To gain access to a computer, usually by entering the required username and password.

lounging
See passive computing.

macro
A keystroke or short name that is used to reference a longer piece of text or a series of instructions. For example, if you were writing a book about Hieronymous Bosch, you might set up a macro in your word processor to insert his name whenever you typed "Alt-H."

modem
MOdulator-DEModulator. A device that modulates computer data into a format that can be sent through telephone wires, and can demodulate information that has been sent to it from another computer.

modulation
A process of loading a voice or other signal (wave) on a much higher frequency carrier wave. When a modem modulates your data as you type on your keyboard, it is converting the computer's digital pulses into frequencies within the audio range that the telephone transmits.

MS-DOS
Generic version of PC-DOS, operating system software that runs on IBM PCs, clones and compatibles.

MULTICS
Short for MULTiplexed Information and Computing Service. An antique operating system that was built with security in mind.

multiplexing
The use of different modulating frequencies for the simultaneous transmission of signals.

NCIC
National Crime Information Computer, run by the FBI and containing information about stolen vehicles, missing and wanted persons, and arrest records. NCIC is also linked with TECS, the computer system of the Treasury Department, as well as many state computers.

net
Short form of network. Often used as part of words that refer to a specific network, such as the Internet.

network
Two or more machines connected together for the purpose of exchanging data.

newsgroup
A section of USENET devoted to the discussion of a particular topic.

node
An individual machine (such as a computer or printer) that is connected to other machines in a network.

OCIS
Organized Crime Information Systems, run by the FBI. Allows FBI field offices in separate locations to read and share information collected.

once-only codes
A password that can only be used for one access.

operating system
(Abbreviated OS). The control program of the computer which oversees how the system interfaces with the user and peripherals. Examples: DOS, MULTICS, MS-DOS, PC-DOS, PRIMOS, UNIX, VMS.

OS
Operating System.

PABX
Private Automatic Branch eXchange. A PAX with outside-dialing capabilities.

packet assembler/disassembler
One of the node computers of a public data network.

packet switching
A method of transmitting data along computers in a network. Each intermittent computer is a PAD that receives chunks of data (128 bits long, following the X.25 standard) and routes them onward along a path to the receiving computer.

PAD
Packet Assembler/Disassembler.

parser
A program that looks at some inputted text and tries to make sense of what it means. For instance, when you are using MS-DOS, you might type "del filename." The parser inside MS-DOS figures out that what you want to do is erase the file called "filename." A parser in an adventure game looks at commands such as "Walk to the door and knock on it," and, if it was a good parser, would, for example, interpret the word "it" as referring to the door.

passive computing
To monitor the contents of a computer screen through surreptitious means, using one of several methods such as Van Eck phreaking, or cabling the target computer to a second, secret monitor or VCR. Also, lounging.

pass phrase
A phrase or other series of syllables used for access control instead of a password.

password
A word, series of words or characters needed as part of the login procedures to access a computer system.

PAX
Short for Private Automatic eXchange. A network of phones, not connected to outside lines. Used for faster and more secure communication.

PBX
Short for Private Branch eXchange. A network of telephones, each equipped with its own switching arrangement, instead of requiring switching to be done from a separate switchboard. Multiple phone numbers may ring each phone, and special function buttons are pressed on the telephone to either answer a call or transfer it to another telephone.

PC-DOS
Operating system supplied by IBM for use with its personal computers.

PDN
Short for Public Data Network.

phreak
One who hacks the telephone system, usually to obtain free long distance calling and other services such as conference calling. In the original sense, phreaks used blue boxes, black boxes, green boxes, etc., specific pieces of hardware they had built to generate signals that would cause the phone network to do their bidding. The phone companies have taken precautions and nowadays the boxes will usually not work (and will usually get you arrested). Phreaking has become more code-oriented; stealing calling card numbers and otherwise charging phone perks to another's bill. Phreaking is related to hacking yet it is entirely different, a field of expertise unto itself. It has its own set of rules and jargon, and even a knowledgeable hacker who stumbles upon a phreak BBS is likely to be confused by the discussion. As they say, it's good to know a foreign language. For hackers, that language is phreak.

piggybacking
In the physical sense, to get into a locked building by following in another person who has the key, card, or security clearance to enter. In the computing world, to login to a system by tapping into another user's communication with the computer. Usually done at the end of the first user's call, and usually by chance, piggybacking can only be done when the computer doesn't realize that the first person has disconnected.

plaintext
In encryption, the message (or file) that is encoded.

PLE
Public Local Exchange. A local network of telephones, usually in separate buildings, houses or offices, and operated by an outside phone company.

post
To publish a letter, article, essay, story, graphic image, computer file or whatever electronically, but usually a letter or article, by sending it to the public message area of a BBS or newsgroup.

PPN
Project-Programmer Number. The TOPS-10 operating system used PPN to refer to a user's ID number. PPN may at times be applied to other systems.

pps
Pulses Per Second.

premises wiring
The wires inside a building that are used to connect telephones to phone company lines.

PRIMOS
An operating system for PRIME computers.

process
A program that a computer is currently running.

process command
A command to the operating system that requests a listing of all active processes. For instance, under UNIX one can type "ps -f" to see what everybody else logged on is doing.

protocol
A set of rules used by software to interact with hardware. When two pieces of hardware must interact (such as when two modems connect), they must follow the same protocol, else communication between them will be impossible.

public data network
A network, such as Telenet or Tymnet, that uses packet switching to connect computers; generally follows an interna-

root
The superuser account, the top level of a directory tree, or, in programming, the top node of a hierarchical structure. For hacking purposes, we talk about the superuser aspect of it. It is often the hacker's goal to obtain root access to a system.

salami technique
A method used to steal large sums of money over a long period of time, based on the assumption that little amounts won't be missed. A computer that handles financial transactions is reprogrammed so that when fractions of pennies accrue in an account due to interest earned, those fractions are rounded down, and are placed into a dummy account. The criminal then makes off with the account.

scavenging
To look through garbage bins in search of discarded, but still useful, information. Also, trashing.

script
A command file that is executed automatically following handshaking by the caller's communications software; eliminates the need to remember his or her terminal


and whatever other
input is required by the remote computer.
for the caller to

type, login procedures,

tional standard called X.25.

pulse

A momentary flow

ized

by a sharp rise and

Number pulses per


only telephone A phone
does not

pulse frequency
receive

of current, character-

fall.

second.

of

that

have a ringing circuit, and probably doesn't


have a dial or keypad; cannot normally be used
for placing calls. These can be found at public
fax machines and some automatic teller
machines.

generator,

hook

hacker would whip out his tone


it

up

to the telephone,

and

immediately call China.

whereby the
system user contacts the hacker for advice, and

reverse social engineering

Tactic

Here is a pre-login
message that exemplifies the opposite of security through obscurity: "Thanks for calling Hey
There Travel Agency Network. Please enter
your five character password in the form ABC12 where ABC stands for uppercase letters and
12 stands for digits. If you need help, call

security through obscurity

Cheryl in data processing at (818)-XXX-XXXX."


Obviously there are a lot of security holes in
this message. One would want to obscure it, by
changing it all to one cryptic character, such as
>. Security through obscurity can also refer to
known bugs being left undocumented in the
hopes that no one discovers them.
serial

Passing information one

sequential order.

bit at a time in

shell

An

interface or

command

interpreter be-

tween the user and computer. Basically,


whenever you input a command to a computer
you are using some kind of shell.
shoulder surfing Finding out what a

of the software one

user

is

typing by looking over his or her shoulder, and


watching the keyboard or monitor.

simplex
One-way communications. (Compare
with duplex.)
simulation

A program

set

up by a hacker

that

puter

erwise a computer in

that has

graphics,

or

ability, security features,

is

memory,

computational

somehow

own right, and not just

its

the

engineering

use

lies,

and verbal cleverness

mate user into divulging the

deceit,

play

to trick a legitisecrets of the sys-

The

list

make up

program. This

the "source" text that the

list is

a computer

computer will use when it translates the


program into machine language.

A computer or computer system

that will operate without requiring additional

device,

since

an

a plain ASCII text

commands which

acfile

are run as a

SYStem OPerator. The person who

care of and controls a BBS.

takes

The people who help

the sysop are "co-sysops," or simply "co's."

Pronounced

of instructions that a

that

equipment.

a com-

"sis-op" or "sy-zop."

and sometimes as

Often written

"sys-op" though

this latter version is pretty lame.

programmer types in

stand-alone

is

when

logs into

On MS-DOS and PC-DOS machines it is


AUTOEXECBAT. UNIX uses .login ("dot

as "SysOp",

tem.

source code

when one

sysadmin
SYStem ADMINistrator. The overseer
of a computer or network.
sysop

To

that is executed

login").

an intelligent terminal.

acting

file

booted, or

count. Usually this

oth-

the input/output to a mainframe. Also called

social

is

batch.

A terminal

commands,

editing

containing shell

as login screens.

is altering.

switch
To make a connection; or a system of
connecting pairs of telephone lines. In surveillance, the redirection of output of two or more
cameras to the available viewing monitors.
startup file

mimics a legitimate aspect of the system, such

smart terminal

superzap
To use special debugging or computer
maintenance software tools to modify data.
Usually to do so constitutes a security breach,
or in the very least, violates the intended usage

terminal
it

is

not a stand-alone

must be connected

computer for it to work.

to

A Macintosh is a stand-

alone device.

The sysop, system administrator


superuser
(sysadmin) or system manager, or any person
who has no restrictions on usage on a machine.
The superuser can create and delete accounts,
view and change passwords and files, and
usually responsible for machine maintenance.

is

talk

mode

To engage

in on-line conversation

with another user. What you type appears not


only on your screen, but on his or her screen as
well, and vice versa. If you were on a UNIX
system and you knew that user Smuggy was
logged in also, you would type "talk smuggy"
and Smuggy would receive a message saying
you wished to talk. Smuggy would respond
with "talk yourname," and the conversation

would begin. In the BBS world,


commonly known as chat mode.

TAP

this is

more

Technological Assistance Program.


A
protocols used

set of
to access one
machine through another. There are two types
of programs used to do this. One, called telnet,

telnet

establishes a

VT100 type terminal emulation to


The second, TN3270,

the remote computer.

establishes a full screen connection.

terminal

Usually

refers to a

dumb

terminal. In

a combination input/output deand keyboard) connected to a


remote computer.
general,

it is

vice (a monitor

TG Technical Guide.

team
A hacker or group of hackers who are
engaged by an organization to find the security
flaws in that organization's computer system.

tiger

A device which
two

coupling
components
an
and a telephone keypad with

tone generator

includes

acoustic

exterior

device

interior

that

electronics

generate

tones

needed

to

operate a telephone. Often seen as a portable


tone dialer, these devices are small enough that

they will generally include a clip so that they

can be hooked to one's belt and easily carried.


Also called "tone dialer."

An

undocumented way of gaining


computer system, usually thought of
as a method of entry put in by a system
programmer who wants to break into the
computer after he is no longer employed by the
company. A trapdoor may also lead to hidden

trapdoor

access to a

areas of a system.

A different kind

may be unintentional;

of trapdoor

for example, a laxness in

encryption procedure that allows one to determine the plaintext without knowing the key.

Synonym for back door.


tracking

An

investigator's use of

system logs

and other audit trails to look and see where a


hacker has been and what the hacker has done.
trashing

To scavenge through

business or organization, in the hopes of


finding useful information, discarded manuals

and the like.

Trojan horse

application

section of code hidden inside

program

that performs

some

predominant operating systems so they could


play Space Travel without getting a jerky
response from the MULTICS time-sharing
system they had been forced to use.

USENET

an

of other computers

and users who

no password for entry.

TSR program

Internet-based message ex-

username The name one uses on a computer


above

the sun.

network or system
is

to identify oneself. Usually

it

some variation on the person's real name.

vandal
A cracker, and probably a not-too-talented one, who tries to delete files, crash systems, leave nasty messages everywhere and
generally is a big pain in the ass.

A worm implemented

that contains a logic

VMB Voice

as a Trojan horse

bomb.

Mail Box. Voice mail

is

a comput-

phone answering setup that stores


coming messages in digitized form, on disk.

Virtual

in-

Memory

system used on

VAX

System, the operating


minicomputers, made by

DEC.

WAN Wide

Area Network.

network where

the linked machines are greatly separated from

Short for Terminate and Stay


Resident program.
TSR program is one that is

put into

A huge

change. Users from all over the world read and


exchange news, notes, comments, stories, files,
and
humor and help on all topics under

secret

On some UNIX implementations,

list

An operating system originated by Ken


Thompson and Dennis Ritchie at the Computer
Research Group at Bell Labs. True hackers, they
wrote what would become one of the most

UNIX

VMS

trusted hosts
it is

or the computer decides to use it. For example,


a program to keep track of what keys are being
pressed might be loaded into memory as a TSR.
As the user switches from one application to the
next, the TSR continues to run silently in the
background, capturing keystrokes.

erized

action.

require

stays "hidden" in the

virus
the garbage of a

in. The TSR usually


background until a person

other programs are loaded

memory and

stays there, even after

each other, usually not within walking distance.


Computers in a
are generally connected

WAN

via

phone lines (such as Internet). Contrast with

LAN.
Warez dOOd

silly

name

or sell pirated software.

for

people

who

Warez dOOd =

trade
(Soft)

wares dude.

WATS Wide Area Telecommunications


Service

which allows

interstate)

worm

calling within a (possibly


geographic region, often toll free.

program whose purpose is to


will copy itself endlessly
multiple directories and onto any disk that

reproduce.
into

Service.

presents

A worm

itself.
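The salami technique entry above describes a reprogrammed interest run that rounds every credit down and parks the discarded fractions in a dummy account. The following Python is an added example, not from the book: it simulates one honest posting run and one skimmed run over a constructed ledger (balances in cents, a made-up monthly rate), and then applies the audit control that exposes the scheme, namely recomputing every credit independently from the balance file with the sanctioned rounding and reporting any posted credit that cannot be explained, including credits to accounts that hold no balance at all. Account names, balances and the rate are all constructed.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

# Constructed sample ledger: customer balances in cents, plus a constructed
# monthly interest rate. None of these figures come from the book.
ACCOUNTS = {"alice": 123_457, "bob": 98_765, "carol": 1_000_003, "dave": 55_555}
RATE = Decimal("0.0035")
ONE_CENT = Decimal("1")


def honest_interest(balance_cents):
    """Interest for one period rounded to the nearest cent (half-even), which
    is what an independent recomputation during an audit uses."""
    raw = Decimal(balance_cents) * RATE
    return int(raw.quantize(ONE_CENT, rounding=ROUND_HALF_EVEN))


def post_interest(accounts, skim_to=None):
    """Credit one period of interest to every account.

    skim_to=None is the honest run.  With skim_to set this is the reprogrammed
    run from the entry: every credit is rounded DOWN and the fractions of a
    cent that were thrown away accumulate and are credited to the dummy
    account once they add up to whole cents."""
    credited = {}
    leftovers = Decimal(0)
    for name, balance in accounts.items():
        raw = Decimal(balance) * RATE
        if skim_to is None:
            credited[name] = int(raw.quantize(ONE_CENT, rounding=ROUND_HALF_EVEN))
        else:
            down = int(raw.quantize(ONE_CENT, rounding=ROUND_DOWN))
            leftovers += raw - down
            credited[name] = down
    if skim_to is not None:
        credited[skim_to] = int(leftovers.quantize(ONE_CENT, rounding=ROUND_DOWN))
    return credited


def reconcile(accounts, credited):
    """Audit control: recompute every credit from the balance file and report
    (account, expected, posted) for each mismatch.  An account that received a
    credit but has no balance (the dummy) shows up with expected == 0."""
    findings = []
    for name, posted in credited.items():
        expected = honest_interest(accounts.get(name, 0))
        if posted != expected:
            findings.append((name, expected, posted))
    return findings


if __name__ == "__main__":
    print("honest run, findings:", reconcile(ACCOUNTS, post_interest(ACCOUNTS)))
    skimmed = post_interest(ACCOUNTS, skim_to="suspense-99")
    print("skimmed run, findings:", reconcile(ACCOUNTS, skimmed))
```

On the constructed ledger one run skims only a single cent; the point of the entry is that the criminal lets this run for years, and the point of the check is that it catches the very first period, because it reconciles per account rather than looking at totals, and because it has no entry in the balance file for the dummy account.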

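The trusted hosts entry above is the one place in this glossary where a single misconfigured line grants password-less logins to everyone. As an added example (not from the book), here is a Python audit for files in the layout the BSD r-commands use for hosts.equiv and ~/.rhosts: one entry per line, "host [user]", a "+" as a wildcard, a leading "-" to deny. That layout and the sample file are assumptions of this example; the severities are the author's own scale.

```python
import re

# Constructed sample in hosts.equiv / ~/.rhosts layout (assumed from the BSD
# r-commands, not taken from the book).  Comments after '#' are stripped.
SAMPLE = """\
# trusted hosts for the build machine
buildbox.example.com
+ +
devbox.example.com   +
-badhost.example.com
qa.example.com  jsmith
+ root
"""


def parse_trusted_hosts(text):
    """Yield (host, user, deny) for every entry; user is None for host-only lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        deny = host.startswith("-")
        yield host.lstrip("-"), user, deny


def audit_trusted_hosts(text):
    """Return (severity, entry, reason) for entries that grant password-less
    login more widely than one named host/user pair."""
    findings = []
    for host, user, deny in parse_trusted_hosts(text):
        if deny:
            continue
        entry = host if user is None else f"{host} {user}"
        if host == "+" and user == "+":
            findings.append(("critical", entry,
                             "any user from any host may log in without a password"))
        elif host == "+":
            findings.append(("high", entry, f"user {user} is trusted from any host"))
        elif user == "+":
            findings.append(("high", entry, f"any user on {host} may log in"))
        elif user is None:
            findings.append(("info", entry,
                             "same-named users on this host log in without a password"))
    return findings


if __name__ == "__main__":
    for severity, entry, reason in audit_trusted_hosts(SAMPLE):
        print(f"{severity:8} {entry!r}: {reason}")
```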

Appendix A:
Explanation Of Some ASCII Codes

ASCII character code tables are very popular in computer books. Hardly a computer book has been written that doesn't have a list of ASCII codes, even if ASCII has nothing whatsoever to do with the book. Since ASCII tables are so prevalent, I'm not including a full one here. However, I'm giving you something much more useful to use in your hacking endeavors: an explanation of the non-printing ASCII characters. It's just about impossible to find a listing anywhere that tells you what these things do or mean. Usually you just see cryptic abbreviations listed like "ENQ," "SI" and "DC1."

As you read through the list, try to think of ways you can use the information in your hacking. Remember, these codes may not be acknowledged by all remote computers, but often they will be valid, and can be strategically sent to make a computer think something is happening when in fact it is not.

0  NUL  NULl: No character. Used for filling in time in synchronous communication, or for filling in extra spaces on disk/tape when there is no data.

1  SOH  Start Of Heading: Indicates the start of a heading which contains addresses or routing information that applies to the text that follows the heading. (Control-A)

2  STX  Start of TeXt: Specifies the end of the heading, and the beginning of a block of text to which the heading applies. (Control-B)

3  ETX  End of TeXt: Indicates the end of the text that STX started. Often used as a break key. (Control-C)

4  EOT  End Of Transmission: A transmission may have included one or more "texts," each with a heading. Indicates the last text has been sent. Often used under UNIX to indicate the end of input. (Control-D)

5  ENQ  ENQuiry: A request for a response from the other end. It can be used as a "Who are you?" request for a station to identify itself. Might also be used to ask if a message has been received. (Control-E)

6  ACK  ACKnowledge: Character transmitted by a receiving device as affirmative response to sender. (Says, "Yep. I got the message.") Used as a positive response to an ENQ. (Control-F)

7  BEL  BELl: Used when there is need to call personnel's attention; may control alarm or attention devices. (Control-G)

8  BS  Back Space: Indicates the movement of the printing mechanism or display cursor one position back. (Control-H)

9  HT  Horizontal Tabulation: Moves cursor or print mechanism to next preassigned "tab" or stopping position. Often the same as pressing the Tab key. (Control-I)

10  LF  Line Feed: Move printing mechanism or display cursor to start of next line. (Control-J)

11  VT  Vertical Tabulation: Print mechanism or display cursor to next series of preassigned printing lines. (Control-K)

12  FF  Form Feed: Moves printing mechanism or cursor to starting position of next page, screen or form. Often clears the display screen. (Control-L)

13  CR  Carriage Return: Moves to starting position of same line. Often corresponds to the Enter or Return key, or Control-M.

14  SO  Shift Out: Indicates that the code combinations which follow should be interpreted outside standard character set until an SI is reached. (Control-N)

15  SI  Shift In: Indicates the code combinations which follow should be interpreted according to standard character set. Sometimes aborts output while allowing program to continue. (Control-O)

16  DLE  Data-Link Escape: Indicates the following character is a control code rather than data. (Control-P)

17-20  DC1-DC4  Device Controls: Characters for the control of ancillary devices or special terminal features. DC3 (Control-S) usually pauses local reception of output until a DC1 (Control-Q) is given. DC2 is Control-R. DC4 is Control-T.

21  NAK  Negative AcKnowledgment: Character transmitted by a receiving device as a negative response to an ENQ. A NAK says, "What'd ya say? I didn't quite catch it." (Control-U)

22  SYN  SYNchronous/idle: Used in synchronous transmission systems to achieve synchronization. When no data is being sent, a synchronous transmission system may send SYN characters continuously. (Control-V)

23  ETB  End of Transmission Block: Indicates the end of a data block for communication purposes. Used for blocking data where block structure is not necessarily related to processing format. (Control-W)

24  CAN  CANcel: Data preceding it in a message or block should be disregarded, usually because an error has been detected. Sometimes used as an "abort transmission" command. (Control-X)

25  EM  End of Medium: Indicates physical end of a disk, tape or other medium, or end of required or used portion of that storage medium. (Control-Y)

26  SUB  SUBstitute: Substituted for character found to be erroneous or invalid. Sometimes used as break command. (Control-Z)

27  ESC  ESCape: Character intended to provide code extension by giving alternate (usually control) meaning to characters that follow. (Control-[)

28  FS  File Separator
29  GS  Group Separator
30  RS  Record Separator
31  US  Unit Separator
Information separators may be used in an optional manner except that their hierarchy is FS (most inclusive) to US (least inclusive).

32  SP  SPacebar

127  DEL  DELete
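Two things from the list above are worth seeing in working code: how the framing characters (SOH, STX, ETX, EOT) carve a byte stream into headed texts, and how the rest of the control set lets a remote party make a terminal or a log viewer "think something is happening when in fact it is not" (ESC sequences, BEL, a stray CR or LF that forges a line). The following Python is an added example, not from the book: it names any control byte with its Control-key spelling as in the table, parses a constructed SOH/STX/ETX/EOT stream, and renders control bytes in caret notation so they cannot act on whoever views the data. The framing rules (one SOH before each STX, EOT ends the stream) and the sample bytes are assumptions of this example.

```python
CONTROL_NAMES = [
    "NUL", "SOH", "STX", "ETX", "EOT", "ENQ", "ACK", "BEL",
    "BS", "HT", "LF", "VT", "FF", "CR", "SO", "SI",
    "DLE", "DC1", "DC2", "DC3", "DC4", "NAK", "SYN", "ETB",
    "CAN", "EM", "SUB", "ESC", "FS", "GS", "RS", "US",
]
SOH, STX, ETX, EOT = 0x01, 0x02, 0x03, 0x04


def control_name(byte):
    """Name and Control-key spelling of a control byte, or None if printable.
    Control-X is the byte XORed with 0x40, which is why ESC (0x1B) is Control-[."""
    if byte < 0x20:
        return f"{CONTROL_NAMES[byte]} (Control-{chr(byte + 0x40)})"
    if byte == 0x7F:
        return "DEL (Control-?)"
    return None


def parse_frames(data):
    """Split 'SOH heading STX text ETX ... EOT' into (heading, text) pairs.
    Stops at EOT; a frame that does not start with SOH is rejected, so a
    peer cannot slip in text outside a heading."""
    frames, pos = [], 0
    while pos < len(data) and data[pos] != EOT:
        if data[pos] != SOH:
            what = control_name(data[pos]) or repr(data[pos:pos + 1])
            raise ValueError(f"expected SOH at offset {pos}, got {what}")
        stx = data.index(STX, pos)          # bytes.index accepts an int
        etx = data.index(ETX, stx)
        heading = data[pos + 1:stx].decode("ascii")
        text = data[stx + 1:etx].decode("ascii")
        frames.append((heading, text))
        pos = etx + 1
    return frames


def caret_escape(data):
    """Render control bytes visibly (^C, ^[, ^?) before logging or displaying
    untrusted input, so it cannot ring bells, clear screens or forge lines."""
    out = []
    for b in data:
        if b < 0x20 or b == 0x7F:
            out.append("^" + chr((b + 0x40) & 0x7F))   # 0x7F maps to '?'
        else:
            out.append(chr(b))
    return "".join(out)


if __name__ == "__main__":
    # Constructed stream: two headed texts, then EOT, then trailing junk.
    stream = b"\x01dest=printer1\x02hello\x03\x01dest=ops\x02bye\x03\x04junk"
    print(parse_frames(stream))
    print(caret_escape(b"user=\x1b[2Jroot\x07\r\n"))
```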

Appendix B:
Common Defaults

These are words that are often used as default names and passwords. Try using various combinations of them as both name and password, then one as name and a different one as password, etc. Besides these, try using variations on the company name and the type of service it offers as names and/or passwords. Try things like putting a slash in front of words (such as "/guest"), or separating two words with a slash, as in "MAIL/company name." Also try putting spaces in the words (i.e., "New user") and varying capitalization (i.e., "NewUser," "newUser," etc.). Also worth trying are easily remembered numbers (1000, 99999, 12345, 101010, etc.), and repeated letters; if a password can be up to eight characters, try "XXXXXXXX," and other things like it. Don't forget single letters and digits, asterisks and other above-number characters, and plain simple blank line Returns.

account, anonymous, default, demo, demonstration, email, enter, field, go, guest, hello, id, info, instr, instructions, intro, introduction, mail, manager, mini, name, new, newuser, passwd, password, pswrd, root, start, startup, su, superuser, supruser, sys, sysop, system, systest, techsupport, temp, tempy, test, testing, train, trainer, training, tty, use, user, visit, visitor, z

Now here is a whole slew of defaults, common passwords and account names for different operating systems and other kinds of computers. Most are probably out of date or otherwise inoperable, but it gives you an idea of what is expected in these environments.

Credit Bureaus
TRW uses a password of the form "LLLNNNNNNNLNL" where L is a letter of the alphabet, and N is a digit. Note that the actual password does not have spaces between each letter and number.
For CBI, the passwords are "NNNLLNNN-??". Again, the Ns are numbers and the Ls are letters. The question mark refers to any character. Note the hyphen placed between the last digit and the first wild character.

NOS
Accounts: $system, systemv

PRIMOS
Account names: admin, guest, prime, primenet, test, system, lib, dos
Passwords: system, sysman, netlink, primenet, manager, operator, prime, primos, primos_cs, test, guest

DEC-10
UIC (User Identification Code): 1,2; 2,7; 5,30
Passwords: syslib, operator, manager, maintain, games

UNIX
Accounts or passwords: root, admin, sysadmin, unix, uucp, rje, guest, demo, daemon, sysbin, who, whois, time, date, ftp, anonymous

VM/CMS
Accounts or passwords: autolog1, autolog, cms, cmsbatch, erep, maintain, maint, operatns, operator, rscs, smart, sna, vmtest, vmutil, vtam, dial

FTP
Accounts: anonymous, guest, visitor
Password: Carriage Return

HP-x000 (MPE OS)
Login using "Hello [Job ID],[Username][User Password].[Account Name],[Group Name][Group Password]"
Accounts:
Mgr.Telesup,hp3
Mgr.Telesup,hponly
Mgr.Telesup,pub
Mgr.Hpoffice,pub
Mgr.Rje,Pub
Manager.itf3000,pub
Field.support,pub (password: fld, field)
Mail.telesup,pub (password: mail)
Mgr.rje
Field.hpp187
Field.hpp189
Field.hpp196
Hpoffice,pub

IRIS
Account names or passwords: manager, boss, software, demo, PDP8, PDP11, accounting

Libraries
Account names or passwords: circ, cat, bib, biblio, catalog, file, library, syslib, lib, minicirc

VMS
Accounts or passwords: system, guest, default, operator, manager, syslib, uetp, sysmaint, service, digital, field, service, guest, demo, decnet, dec
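The two halves of this appendix, the mutation rules at the top and the fixed password formats under Credit Bureaus, are both things a defender should be able to run against their own systems rather than read about. The following Python is an added example, not from the book: it turns a handful of the default words above into the candidate passwords the appendix suggests (slash prefix, word/company, capitalisation, repeated letters, easy numbers, blank) and audits them against a constructed account store, and it computes how many passwords a fixed format like "LLLNNNNNNNLNL" admits, which is what tells you whether a format is a policy or a weakness. The word subset, the company name "acme" and the store (unsalted SHA-256, purely for the example; a real store uses a salted slow hash, and a real audit goes through the real verifier) are assumptions.

```python
import hashlib

# Constructed subset of the default words above, and the numbers the text
# calls "easily remembered".
DEFAULT_WORDS = ["demo", "guest", "test", "system", "manager", "root",
                 "newuser", "field", "visitor"]
EASY_NUMBERS = ["1000", "99999", "12345", "101010"]
PATTERN_SIZES = {"L": 26, "N": 10, "?": 95}   # letter, digit, any printable ASCII


def _h(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account store {username: hex SHA-256 of the password}.
SAMPLE_STORE = {
    "guest": _h("guest"),            # default word used as its own password
    "demo": _h("/demo"),             # slash-prefixed form
    "manager": _h("12345"),          # an easily remembered number
    "alice": _h("Tr0ub4dor&3#x"),    # not a default account, must not be hit
}


def variants(word, company):
    """Candidate passwords for one default word, following the appendix:
    the word and its capitalisations, a slash prefix, word/company, the
    first letter repeated to eight characters, the easy numbers, the company
    name, and the empty string (a plain blank-line Return)."""
    base = word.lower()
    forms = {base, base.capitalize(), base.upper(), "/" + base,
             f"{base}/{company}", f"{base.upper()}/{company.upper()}", base[0] * 8}
    forms |= set(EASY_NUMBERS) | {"", company, company.upper()}
    return forms


def default_credential_audit(store, words, company):
    """Try every default name present in the store against every candidate
    password; return the (user, password) pairs that verify."""
    names = {form for w in words for form in (w.lower(), w.capitalize(), w.upper())}
    passwords = set().union(*(variants(w, company) for w in words))
    hits = []
    for user in sorted(names & set(store)):
        for pw in sorted(passwords):
            if _h(pw) == store[user]:
                hits.append((user, pw))
    return hits


def keyspace(pattern):
    """Number of passwords that fit a fixed format such as TRW's LLLNNNNNNNLNL
    or CBI's NNNLLNNN-??; a literal '-' contributes nothing."""
    n = 1
    for ch in pattern:
        if ch != "-":
            n *= PATTERN_SIZES[ch]
    return n


if __name__ == "__main__":
    print(default_credential_audit(SAMPLE_STORE, DEFAULT_WORDS, "acme"))
    print(f"TRW format: {keyspace('LLLNNNNNNNLNL'):.3e} passwords")
    print(f"CBI format: {keyspace('NNNLLNNN-??'):.3e} passwords")
```

Publishing the format, as the TRW and CBI entries do, does not by itself break anything at these sizes, but it removes every candidate that does not match, which is exactly the reduction an attacker with a guessed or leaked partial password wants.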

Appendix C:
Common Commands

What would you do if you dialed a number, got connected, and saw nothing but this:

on the screen? Out of security interests, many systems will not identify themselves or offer any text at all except a cursor and possibly a strange prompt. This is called "security through obscurity." In these frustrating instances you will have to try typing in every possible command you can think of until something works.

This is a list of all the commands I remember being able to use in this sort of situation. Besides these words, if the system gives you any information at all, like company initials or weird words, try feeding back to it what it says to you.

Sometimes commands must be preceded by a control character. For example, instead of typing "login," one types "/login." Unless the system specifically asks for something (like a log-on ID in a particular format) it's a good idea to try these commands, because you never know when one of them will work.

access, begin, buy, bye, calendar, call, connect, control, date, demo, dir, email, end, exit, games, go, help, hint, info, intro, link, list, load, log, login, logon, mail, man, menu, net, on, open, page, phone(s), print, public, quit, run, sched, sell, shell, show, start, state, sys, tele, time, trace, who, whois

Appendix D:
Novice Word List

This is a list of words that turn up frequently as passwords. Using one of these as a password usually indicates a novice or disinterested computer user. In other words, if you happen to know a certain user is new to computing, either due to postings on a bulletin board, age, or whatever, then these are the words you would want to try.

In addition to these words, you will want to try the letters of the alphabet, various combinations of letters and numbers, and things easily typed on a standard keyboard, such as "poiuy" and "yhnujm". Also for novices, try names and team names, cars, colors, animals, job-related words, pet names, music groups, local popular radio station call letters, local slang, names of cities or towns, company names, and names or type of computer. For parents, try things like "dad," "daddy," "mother," or "mommy." For people of certain occupations, something like "Dr. Daddy" may be more appropriate.

Two lists of words are given. The first is my own. The second, written by Robert Morris Jr., was used by the worm program that blazed through the Internet in 1988. Many of the words he used seem oddly chosen and superfluous, and there are many others which I can't understand why he did not include. I have it listed here mostly for historical reasons. I also think it's interesting to see how another hacker handles a situation. Duplications between the lists have been removed from my list.

My List:
account, adventure, aid, aids, alpha, angel, ass, asshole, bach, bard, barf, baseball, basic, basketball, bboard, bbs, beam, beta, big, birthday, black, blue, book/s, bowling, brain, breast, car/s, Christmas, code, comp, cow, crazy, cunt, darkstar, dead, death, dick, disc, disk, diskette, dollar, dumb, earth, eat, fish, force, Friday, fuck, fucku, fuckyou, games, go, god, golf, ham, happy, hell, hi, hitler, hockey, home, hope, horses, hump, id, ident, identify, in, intro, keyboard, kill, king, kiss, later, life, lion, little, login, logon, love, manager, marijuana, me, mensa, Mickey, mine, modem, Monday, money, moon, mouse, music, nazi, no, o.k., okay, open, oreo, overload, pass, penis, Pepsi, play, please, print, printer, pswd, qwerty, radar, radio, real, red, rex, run, Saturday, sex, shit, skull, smart, soccer, space, spacebar, starlight, stars, start, startup, stop, strike, striker, stupid, suck, sun, sunshine, superbowl, superman, system, talk, television, tennis, terminal, test, tester, thanks, thunder, thunderbolt, tincan, tits, tv, tyger, universe, user, vagina, white, who, word, world, yes, you, zoo

Morris's List:
aaa, academia, aerobics, airplane, albany, albatross, albert, alex, alexander, algebra, aliases, alphabet, ama, amorphous, analog, anchor, andromache, animals, answer, anthropogenic, anvils, anything, aria, ariadne, arrow, arthur, athena, atmosphere, aztecs, azure, bacchus, bailey, banana, bandit, banks, barber, baritone, bass, bassoon, batman, beater, beauty, beethoven, beloved, benz, beowulf, berkeley, berliner, beryl, beverly, bicameral, bob, brenda, brian, bridget, broadway, bumbling, burgess, campanile, cantor, cardinal, carmen, Carolina, Caroline, cascades, castle, cat, cayuga, Celtics, cerulean, change, charles, charming, charon, Chester, cigar, classic, clusters, coffee, coke, collins, commrades, computer, condo, cookie, cooper, Cornelius, couscous, creation, creosote, cretin, daemon, dancer, daniel, danny, dave, december, defoe, deluge, desperate, develop, dieter, digital, discovery, disney, dog, drought, duncan, eager, easier, edges, edinburgh, edwin, edwina, egghead, eiderdown, eileen, einstein, elephant, elizabeth, ellen, emerald, engine, engineer, enterprise, enzyme, ersatz, establish, estate, euclid, evelyn, extension, fairway, felicia, fender, fermat, fidelity, finite, fishers, flakes, float, flower, flowers, foolproof, football, foresight, format, forsythe, fourier, fred, friend, frighten, fun, fungible, gabriel, gardner, garfield, gauss, george, gertrude, ginger, glacier, gnu, golfer, gorgeous, gorges, gosling, gouge, graham, gryphon, guest, guitar, gumption, guntis, hacker, hamlet, handily, happening, harmony, harold, harvey, hebrides, heinlein, hello, help, herbert, hibernia, honey, horus, hutchins, imbroglio, imperial, include, ingres, inna, innocuous, irishman, isis, japan, Jessica, jester, jixian, johnny, Joseph, joshua, judith, juggle, julia, kathleen, kermit, kernel, kirkland, knight, ladle, lambda, lamination, larkin, larry, lazarus, lebesgue, lee, leland, leroy, lewis, light, lisa, louis, lynne, macintosh, mack, maggot, malcolm, mark, markus, marty, marvin, master, maurice, mellon, merlin, mets, michael, michelle, mike, minimum, minsky, moguls, moose, morley, mozart, nancy, napoleon, nepenthe, ness, network, newton, next, nic, noxious, nutrition, nyquist, oceanography, ocelot, olivetti, olivia, oracle, orca, orwell, osiris, outlaw, oxford, pacific, painless, pakistan, pam, papers, password, patricia, penguin, peoria, percolate, persimmon, persona, pete, peter, philip, phoenix, pierre, pizza, plover, plymouth, polynomial, pondering, pork, poster, praise, precious, prelude, prince, princeton, protect, protozoa, pumpkin, puneet, puppet, rabbit, rachmaninoff, rainbow, raindrop, raleigh, random, rascal, really, rebecca, remote, rick, ripple, robotics, rochester, rolex, romano, ronald, rosebud, rosemary, roses, ruben, rules, sal, saxon, scamper, scheme, scott, scotty, secret, sensor, serenity, sharks, sharon, Sheffield, sheldon, shiva, shivers, shuttle, signature, simon, simple, singer, single, smile, smiles, smooch, smother, snatch, snoopy, soap, socrates, sossina, sparrows, spit, spring, springer, squires, strangle, Stratford, Stuttgart, subway, success, summer, super, superstage, support, supported, surfer, suzanne, swearer, symmetry, tangerine, target, tarragon, taylor, telephone, temptation, thailand, tiger, toggle, tomato, topography, tortoise, toyota, trails, trivial, trombone, tubas, tuttle, umesh, unhappy, unicorn, unknown, urchin, utility, vacant, vertigo, vicky, village, Virginia, warren, weenie, whatnot, whiting, whitney, will, william, Williamsburg, willie, winston, Wisconsin, wizard, wombat, woodwind, wormwood, yacov, yang, yellowstone, yosemite, zap, Zimmerman
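The introduction above names two families of guesses that no word list captures: things "easily typed on a standard keyboard, such as "poiuy" and "yhnujm"", and dictionary words with a digit or two tacked on. The Morris worm itself used the list above in exactly this way, as a dictionary to test against accounts. The following Python is an added example, not from the book and not the worm's code: it enumerates QWERTY keyboard walks along rows (both directions) and down neighbouring columns, so that "poiuy" and "yhnujm" fall out of the same generator, and uses them together with a small excerpt of the lists above as a password-strength check of the kind a defender runs before accepting a new password. The QWERTY row and column layout, the length bounds and the word excerpt are assumptions of the example.

```python
# US QWERTY letter rows and the top-to-bottom columns they form (assumed layout).
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLUMNS = ["qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm", "ik", "ol", "p"]

# Constructed excerpt of the novice lists above; a real check loads the whole lists.
NOVICE_WORDS = {"account", "adventure", "birthday", "football", "snoopy",
                "qwerty", "password", "secret", "tiger", "sunshine"}


def keyboard_walks(min_len=4, max_len=8):
    """All row walks (left-right and right-left) and column walks over up to
    three neighbouring columns (top-down and bottom-up) within the length bounds."""
    walks = set()
    for row in ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq)):
                for j in range(i + min_len, min(len(seq), i + max_len) + 1):
                    walks.add(seq[i:j])
    for width in range(1, 4):
        for i in range(len(COLUMNS) - width + 1):
            block = COLUMNS[i:i + width]
            for cols in (block, block[::-1]):
                for walk in ("".join(cols), "".join(c[::-1] for c in cols)):
                    if min_len <= len(walk) <= max_len:
                        walks.add(walk)
    return walks


WALKS = keyboard_walks()


def why_weak(password, wordlist=NOVICE_WORDS):
    """Return the reason a password would fall to the guesses this appendix
    describes, or None if none of them applies."""
    p = password.lower()
    stem = p.rstrip("0123456789")
    if p in wordlist:
        return "dictionary word"
    if stem != p and stem in wordlist:
        return "dictionary word plus digits"
    if p in WALKS:
        return "keyboard walk"
    if len(set(p)) == 1:
        return "repeated character"
    if p.isdigit():
        return "digits only"
    return None


if __name__ == "__main__":
    for candidate in ["poiuy", "yhnujm", "Snoopy1", "XXXXXXXX", "12345", "kj3$Lq9v"]:
        print(f"{candidate:10} -> {why_weak(candidate)}")
```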


Appendix E:
Job-Related Word List

These are passwords that might come up in a secretarial or office clerk setting. If the system you're attempting to get into is an office, it's a good idea to try these words before the novice list. For office settings, also try the company name and variations (initials, abbreviations), titles of software programs they might use there, and words related to that particular job.

123, accounting, admin, begin, book/s, boss, business, busy, check, clock, comp, computer, data, database, day, dbase, desk, desktop, disc, disk, doc, docs, documents, enter, field, file, file/s, folders, Friday, IBM, info, job, journal, labor, letter/s, level, list, lotus, mail, mailing, manage, margin, memo, Monday, net, network, news, notes, office, paper/s, pc, phone/s, pres, print, printer, process, processor, project, protect, public, read, record, report/s, safe, sec, secretary, secretery, service, sheet/s, software, spread, spreadsheets, stuff, table, term, terminal, text, txt, type, week, word, work, wp, write, writer

Appendix F:
Technical Word List

Most people who use computers are just casual users, but then there are the powerusers, people like you who know what they're doing and love doing it. These sorts of people are also often fond of ham radio, science fiction and fantasy, electronics, mathematics, chess, programming, and other related things. This list is comprised of words taken from some of these categories. Also try words from the Glossary. You'll notice that a lot of Star Trek words have been included here, as Star Trek is big among computer users.

abort, abortion, absolut, absolute, access, address, ai, algorithm, alias, alpha, ambassador, analog, anarchism, anarchy, application, arc, archive, ascii, async, atheism, atheist, attack, avatar, baggins, band, bandwidth, bang, barf, baud, bbaggins, bboard, beam, beamup, berserk/er, biff, bilbo, blast, board, bogon, bomb, bones, bridge, broadcast, buzz, cable, cage, captain, central, chang, channel, chaos, chen, chess, chief, choke, chomp, Christmas, cluster, connect, cowboy, crack/er, crunchy, crusher, data, date, dbms, demigod, demo, devil, diana, digital, dipole, director, dos, dump, dvorak, ebdic, enterprise, enterprize, erotica, erotics, expert, external, female, foobar, fractal, freq, frequency, frodo, fronteir, frontier, function, g, gene, generation, genius, god, green, grep, grok, gronk, group, hack/er, ham, hamradio, hobbit, home, horizontal, host, hotkey, human, index, input, iris, isis, jip, kermit, king, kirk, klingon, lan, lang, language, laser, lee, lord, male, man, mark, mask, master, matrix, memory, mensa, menu, modal, mode, model, modem, modulate, moon, msdos, nc-101, net.god, network, next, nil, nill, nim, node, null, object, ohm, oop, operation, oscillator, output, overheat, overload, picard, piggy, power, pres, primos, procedure, prodigy, protocol, quartz, quattro, query, quit, qwerty, radio, random, ravel, register, riker, robot, romulan, romulon, romulun, rtty, ryker, scotty, scraft, shuttle, shuttlecraft, skip, skipzone, space, speed, spock, star, stars, startrek, sting, strek, sttng, su, sundevil, super, superuser, support, swl, synch, szone, tasha, tech, technical, technician, test, time, tng, transport, transporter, travel, trek, treker, trekie, trekker, trekkie, trekky, tribble/s, troy, tsupport, tyar, unix, var, variable, vax, vector, virus, vms, vulcan, wan, wang, warf, warp, wc, wheel, wizard, worf, worm, xmodem, xterm, yar, ymodem, zero, zmodem, zoo

Appendix G:
Social Security Number Listing
And ICAO Alphabet

The Social Security number has pretty much become the Great American Serial Number. The Social Security Administration (there's that SS again!) wants to have a number issued to every American newborn. In addition to maintaining records on virtually every American, the SSA keeps track of millions of foreigners who work in this country or who once worked in this country and have since retired to live outside the US.

Except for a few numbers issued in the mid-1970s to military recruits, all Social Security numbers contain nine digits. Those military SSNs contained ten digits beginning with zero. There are very few of those ten-digit numbers around.

The first three numerals are known as "area numbers" because they indicate from which state the subject applied for a number. Remember, SS records are confidential and not available for public or even law-enforcement review.

Very few SSNs above 595 have been issued, so stay away from brute forcing those. The 700-729 range was issued by the Railroad Retirement Agency years ago, and so any SSN beginning with 700 or above would belong to older people. New numbers in that range have not been assigned since 1963. 596-599 has been reserved for Puerto Rico, 600-601 for Arizona, and 602-626 for California, although no numbers in any of these ranges has yet been assigned. (That is, there are currently no SSNs between 596-626.)

Area numbers by state:

Alabama                  416-424
Alaska                   574
American Samoa           581-585
Arizona                  526-527, 600-601
Arkansas                 429-432
California               545-573, 602-626
Colorado                 521-524
Connecticut              040-049
Delaware                 221-222
District of Columbia     577-579
Florida                  261-267, 589-595
Georgia                  252-260
Guam                     581-585
Hawaii                   575-576
Idaho                    518-519
Illinois                 318-361
Indiana                  303-317
Iowa                     478-485
Kansas                   509-515
Kentucky                 400-407
Louisiana                433-439
Maine                    004-007
Maryland                 212-220
Massachusetts            010-034
Michigan                 362-386
Minnesota                468-477
Mississippi              425-428, 587-588
Missouri                 486-500
Montana                  516-517
Nebraska                 505-508
Nevada                   530
New Hampshire            001-003
New Jersey               135-158
New Mexico               525, 585
New York                 050-134
North Carolina           237-246
North Dakota             501-502
Ohio                     268-302
Oklahoma                 440-448
Oregon                   540-544
Pennsylvania             159-211
Philippine Islands       581-585
Puerto Rico              581-585
Railroad                 700-729
Rhode Island             035-039
South Carolina           247-251
South Dakota             503-504
Tennessee                408-415
Texas                    449-467
Utah                     528-529
Vermont                  008-009
Virgin Islands           580
Virginia                 223-231
Washington               531-539
West Virginia            232-236
Wisconsin                387-399
Wyoming                  520

The same listing, ordered by area number:

001-003     New Hampshire
004-007     Maine
008-009     Vermont
010-034     Massachusetts
035-039     Rhode Island
040-049     Connecticut
050-134     New York
135-158     New Jersey
159-211     Pennsylvania
212-220     Maryland
221-222     Delaware
223-231     Virginia
232-236     West Virginia
237-246     North Carolina
247-251     South Carolina
252-260     Georgia
261-267     Florida
268-302     Ohio
303-317     Indiana
318-361     Illinois
362-386     Michigan
387-399     Wisconsin
400-407     Kentucky
408-415     Tennessee
416-424     Alabama
425-428     Mississippi
429-432     Arkansas
433-439     Louisiana
440-448     Oklahoma
449-467     Texas
468-477     Minnesota
478-485     Iowa
486-500     Missouri
501-502     North Dakota
503-504     South Dakota
505-508     Nebraska
509-515     Kansas
516-517     Montana
518-519     Idaho
520         Wyoming
521-524     Colorado
525, 585    New Mexico
526-527     Arizona
528-529     Utah
530         Nevada
531-539     Washington
540-544     Oregon
545-573     California
574         Alaska
575-576     Hawaii
577-579     District of Columbia
580         Virgin Islands
581-585     American Samoa
581-585     Puerto Rico
581-585     Guam
581-585     Philippine Islands
700-729     Railroad


INVALID SSNs

1. Ending in four zeros
2. Leading numbers 73 through 79
3. Leading number 6 or 8 (very few ever issued)
4. Leading number 9 is suspect
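The structural rules above (nine digits, the rare ten-digit military form with a leading zero, and the four invalid-SSN conditions) can be turned into a plausibility check. The following is an added example, not code from the book: it is written from the defensive side, for validating input and for deciding which SSN-shaped tokens found in a log or data export should be treated as real PII rather than placeholders or test data. The function and class names and the sample export lines are constructed for this example. One caveat the appendix predates: the SSA randomized assignment in 2011, so the area number no longer encodes a state and ranges the appendix calls unassigned have since been issued; treat these checks as heuristics, never as proof that a number exists.

```python
"""Structural plausibility check for a US Social Security number (SSN).

Added example, not from the book.  It encodes the rules stated in the
appendix above: nine digits (or the rare ten-digit military form with a
leading zero), and the four "invalid SSN" conditions.  The rules are
historical heuristics from the text, not proof that a number was issued.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

_SEPARATORS = re.compile(r"[\s-]")
# Candidate pattern used when scanning free text: 3-2-4 digits, hyphens optional.
_CANDIDATE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


@dataclass(frozen=True)
class SSNCheck:
    ok: bool
    reason: str
    area: str = ""
    group: str = ""
    serial: str = ""


def normalize(raw: str) -> str:
    """Drop spaces and hyphens so '123-45-6789' and '123 45 6789' compare equal."""
    return _SEPARATORS.sub("", raw.strip())


def check_ssn(raw: str) -> SSNCheck:
    """Return an SSNCheck saying whether `raw` is structurally plausible and, if not, why."""
    digits = normalize(raw)
    if not digits.isdigit():
        return SSNCheck(False, "contains non-digit characters")
    if len(digits) == 10 and digits[0] == "0":
        # Mid-1970s military recruits: ten digits beginning with zero (per the appendix).
        digits = digits[1:]
    if len(digits) != 9:
        return SSNCheck(False, f"expected 9 digits, got {len(digits)}")
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    # Rule 1: a serial of 0000 is never issued.
    if serial == "0000":
        return SSNCheck(False, "serial 0000 never issued", area, group, serial)
    # Rule 2: areas 730-799 were never issued (700-729 is the old railroad block).
    if 730 <= int(area) <= 799:
        return SSNCheck(False, "area 730-799 never issued", area, group, serial)
    # Rule 3: 6xx and 8xx areas, very few ever issued at the time of writing.
    if area[0] in "68":
        return SSNCheck(False, "area 6xx/8xx: very few ever issued", area, group, serial)
    # Rule 4: 9xx areas are suspect.
    if area[0] == "9":
        return SSNCheck(False, "area 9xx is suspect", area, group, serial)
    return SSNCheck(True, "structurally plausible", area, group, serial)


def find_candidate_ssns(text: str) -> List[Tuple[str, SSNCheck]]:
    """Scan free text (a log, an export) for SSN-shaped tokens and classify each.

    Useful for deciding which matches a data-loss-prevention rule should treat
    as real PII and which are placeholders or test data.
    """
    return [(m.group(0), check_ssn(m.group(0))) for m in _CANDIDATE.finditer(text)]


# Constructed sample export lines (not real data) covering each rule once.
SAMPLE_EXPORT = """\
row=1 member=123-45-6789 status=active
row=2 member=123-45-0000 status=placeholder
row=3 member=750-12-3456 status=imported
row=4 member=612-34-5678 status=imported
row=5 member=987-65-4321 status=test
"""


if __name__ == "__main__":
    for token, result in find_candidate_ssns(SAMPLE_EXPORT):
        flag = "PII" if result.ok else "skip"
        print(f"{token}  {flag:4}  {result.reason}")
```

Run stand-alone, the script classifies the five constructed export lines: only the first is a plausible SSN, the other four each trip one of the four invalid-SSN rules. The check deliberately returns a reason string rather than a bare boolean so a DLP or validation layer can log why a token was discounted.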

Spelled Speech

The International Civil Aviation Organization has a standard list of words used for international communication among pilots and air traffic controllers to substitute for letters and digits when appropriate. The chosen words are easy to understand regardless of accent. (The words in parentheses on the following chart are words used by the US Military before the ICAO agreement was reached.)

The ICAO words should be added to any novice and technical word list. And of course, no brute force attack of a military installation or aeronautics-related site would be complete without them.

Alpha/Alfa (Able)
Bravo (Baker)
Charlie
Delta (Dog)
Echo (Easy)
Foxtrot (Fox)
Golf (George)
Hotel (How)
India (Item)
Juliet (Jig)
Kilo (King)
Lima (Love)
Mike
November (Nan)
Oscar (Oboe)
Papa (Peter)
Quebec
Romeo (Roger)
Sierra (Sugar)
Tango (Tare)
Uniform (Uncle)
Victor
Whisky (William)
Xray
Yankee (Yoke)
Zulu (Zebra)

Numbers: Wun, Too, Thuh-ree, Fo-wer, Fi-yiv, Six, Seven, Ate, Niner, Zero.


Appendix H:
Additional R/SE
Role Playing Situations

Classic social engineering excuse: "Hey, I forgot the password and this work has got to get done. Can you help me out?"

Call and ask for a naive user. Ask if they want to take a break from work for a little bit. Say you want to test a new help system or tutorial that will help them learn. Ask the user to shut down and login under some made-up password. When it doesn't work, act surprised and say, "Gee, what do you normally do here?" Then tell the user you'll fix it and call back later. You do: on your modem.

Place fliers in the college computer room: "We need system managers immediately! Looks good on resume! Name ______ Password ______ We will upgrade you to blah blah..." Or work this on, say, Psychology or Economics students; tell them there's a special project they can enroll in for credit or money.

Send a memo out saying the dial-in number for a local BBS has changed. Set up your own computer with a simulator. When they phone in and enter their login data, instruct them that the original number is to be used for people in their area code, and that they should re-dial.

Call a system manager after an incident and say you are a legitimate user who has been locked out, or who's had an account destroyed. (Do your research first, and find the name of a legitimate user.) If software failure was involved with the incident, you will want to talk to the software company and see if you can find out what the bugs were and how they were exploited or repaired.

Tag team. You are in your target's office with the account holder. An accomplice makes a phone call, says he's the parking attendant calling from the garage. He thinks the account holder's car was broken into. The target leaves, and you are alone with the computer.

SECRETS OF A SUPER HACKER
by The Knightmare
With an Introduction by Gareth Branwyn

This is the most amazing book on computer hacking we have ever seen! The Knightmare is the kind of Super Hacker that keeps security managers from sleeping at night. He's not motivated by money or malice; he's in it for the hack. And if your computer has any link whatsoever to the outside world it is vulnerable to his attack.

Secrets of a Super Hacker reveals in step-by-step, illustrated detail the techniques used by hackers to get at your data. Here are some of the methods covered in this extraordinary manual:

Brute Force Attacks: Hurling passwords at a system until it cracks.
Social Engineering and Reverse Social Engineering: Seducing legitimate users into revealing their passwords.
Spoofing: Designing dummy screens; Delivering fake e-mail.
Superuser Abuser: How to get system managers to do your dirty work for you!
Screen Stealing: How to secretly record every image that appears on a computer screen.
Data Delivery: How to hide the information you've collected; How to e-mail it to your computer.
Stair Stepping: How to use a low-level account to gain ever-higher levels of access.
And Much More!

Including a brief history of hacking, lists of likely passwords, and a summary of computer crime laws.

The Super Hacker reveals all his tricks: Trojan Horses, Viruses, Worms, Trap Doors and Dummy Accounts. The how-to text is highlighted with bare-knuckle tales of The Knightmare's hacks, including on-site hacking, remote-access hacking and bulletin board busting.

Chapters include: Researching the Hack; Passwords and Access Control; Social Engineering; Reverse Social Engineering; Public Access Computers and Terminals; On-Site Hacking: The Trespasser-Hacker; Hacking at Home: Dialing Up Computers with Your Modem; Electronic Bulletin Boards; What to Do When Inside; How to Keep from Getting Caught; The Hacker's Code of Ethics; Bibliography; Glossary; And Much, Much More!!!

No system can withstand the ingenious, unrelenting assaults of The Knightmare. And no person concerned with computer security should miss this amazing manual of mayhem.

To order more copies of this book, please include $19.95 per copy plus $4.00 for the shipping and handling of 1 to 3 books, $6.00 for 4 or more. Be sure to enclose your name and shipping address with your request. Send your order to: Loompanics Unlimited, PO Box 1197, Port Townsend, WA 98368. Washington residents please include 7.9% sales tax. Also see the You Will Also Want To Read Section and the Catalog Ad at the end of this book.

YOU WILL ALSO WANT TO READ:

61139 Methods Of Disguise, Second Edition, by John Sample. This new edition is expanded and updated with many easy-to-follow ideas for changing your facial characteristics, altering the look of your eyes and mouth, changing the shape of your body, disguising your voice, controlling and changing habits and mannerisms, along with how to make a pocket disguise kit to carry with you for those quick changes. 1994, 5½ x 8½, 268 pp, over 130 detailed illustrations, soft cover. $14.95.

10048 The Big Book of Secret Hiding Places, by Jack Luger. This is the biggest and best book on concealment of physical objects ever printed! This book tells how searchers find hidden contraband and how to hide your stuff so it can't be found. Topics include where to hide, what to hide and how to hide your stuff. 1988, 8½ x 11, 128 pp, more than 100 illustrations, soft cover. $14.95.

55046 Lip Reading Made Easy, by Edward B. Nitchie. Here's a James Bond-type skill every snoop should be familiar with: "listen-in" on conversations you can't hear! Find out what deals are being made over seemingly casual lunches. Eavesdrop to your heart's content. Videotape now, translate later. Learn secrets secretly. The author taught thousands of people to read lips. His easy-to-use, step-by-step, illustrated method enables you to become a creative spy in just a few short lessons. 1985, 5½ x 8½, 136 pp, illustrated, soft cover. $7.95.

10052 Code Making and Code Breaking, by Jack Luger. We live in an information age: information is bought, sold and stolen like any other good. Businesses and individuals are learning to keep their secrets safe with this practical, illustrated guide to building and busting codes. Learn how to construct simple or complex codes. Learn how computers are used to make and break codes. Learn why the most unbreakable code isn't always the best. Ideal for those interested in professional and personal privacy. 1990, 5½ x 8½, 125 pp, illustrated, soft cover. $10.95.

55086 Defeating Industrial Spies, by Duncan Long. Industrial spies try to uncover legal or financial problems, violations of government regulations, marketing plans, new product information or other company secrets. Defeating Industrial Spies shows how to stop them. It covers every aspect of information security, including physical plant, employees, guards, computers, bugs and wiretaps, and much more. 1991, 5½ x 8½, 132 pp, illustrated, soft cover. $16.95.

61092 How to Use Mail Drops for Privacy and Profit, by Jack Luger. Mail drops are the number one most important technique for insuring your privacy. They are confidential mailing addresses that allow you to receive and send mail anonymously. How to select a mail drop; Dodging creditors; Private safe deposit boxes; Sex in the mail; Fake ID; Financial privacy; Electronic mail drops; Branch offices; and much more. 1988, 5½ x 8½, 112 pp, illustrated, soft cover. $12.50.

We offer the very finest in controversial and unusual books. A complete catalog is sent FREE with every book order. If you would like to order the catalog separately, please see our ad on the next page.

LOOMPANICS UNLIMITED
PO BOX 1197
PORT TOWNSEND, WA 98368
(206) 385-2230

SUPHK93

Please send me the books I have checked above. I am enclosing $______ (which includes $4.00 for shipping and handling of 1 to 3 books, $6.00 for 4 or more.) Washington residents please include 7.9% for sales tax.

NAME
ADDRESS
CITY
STATE/ZIP

We now accept Visa and MasterCard.

"Yes, there are books about the skills of apocalypse: spying, surveillance, fraud, wiretapping, smuggling, self-defense, lockpicking, gunmanship, eavesdropping, car chasing, civil warfare, surviving jail, and dropping out of sight. Apparently writing books is the way mercenaries bring in spare cash between wars. The books are useful, and it's good the information is freely available (and they definitely inspire interesting dreams), but their advice should be taken with a salt shaker or two and all your wits. A few of these volumes are truly scary. Loompanics is the best of the Libertarian suppliers who carry them. Though their catalog is full of 'you'll-wish-you'd-read-these-when-it's-too-late' rhetoric, it is genuinely informative."
The Next Whole Earth Catalog

THE BEST BOOK CATALOG IN THE WORLD!!!

We offer hard-to-find books on the world's most unusual subjects. Here are a few of the topics covered IN-DEPTH in our exciting new catalog:

Hiding/Concealment of physical objects! A complete section of the best books ever written on hiding things.
Fake ID/Alternate Identities! The most comprehensive selection of books on this little-known subject ever offered for sale! You have to see it to believe it!
Investigative/Undercover methods and techniques! Professional secrets known only to a few, now revealed to you to use! Actual police manuals on shadowing and surveillance!
And much, much more, including Locks and Locksmithing, Self-Defense, Intelligence Increase, Life Extension, Money-Making Opportunities, Human Oddities, Exotic Weapons, Sex, Drugs, Anarchism, and more!

Our book catalog is 280 pages, 8½ x 11, packed with over 800 of the most controversial and unusual books ever printed! You can order every book listed! Periodic supplements keep you posted on the LATEST titles available!!! Our catalog is $5.00, including shipping and handling.

Our book catalog is truly THE BEST BOOK CATALOG IN THE WORLD! Order yours today. You will be very pleased, we know.

LOOMPANICS UNLIMITED
PO BOX 1197
PORT TOWNSEND, WA 98368
USA

ISBN 1-55950-106-5