Most hackers (I'm using this term in its original, non-malicious meaning) like to play around with systems to see what can be done and how security can be defeated. I certainly did that years ago, although I hasten to add that I never did so with any intent to cause havoc; it was just the fun of "Beating the system."

Here's my confession:

Back when I was around 13 (that would have been 1979) my school had an account with the local technical college to use their PDP-11/40. The PDP had numerous terminals around the building, including a large number of ASR33 teletypes in one room where we could go most evenings, plus about a dozen dial-up lines used for the schools and other remote sites.

Under the operating system they used, all the TTY lines were assigned numbers which could be opened as files if not already in use. In that big TTY room at the college, all the 25-way D-connector outlets that the teletypes plugged into were very conveniently Dymo-taped with the KB numbers, and it didn't take long to sketch out a map of the room. Similarly, it didn't take too long to deduce the KB numbers assigned to the modems.

I wrote a short program which would open a channel to any unlocked TTY port and send appropriate messages, written to imitate the standard OS responses ("WELCOME TO RSTS/E" etc.).

When at the college, I'd pick a vacant terminal (all could be seen from anywhere else in the room), seize it with my program and then wait for someone to sit down and start to log in. The messages they got looked just like the real system prompts, so they would enter their account number and password. To avoid suspicions, my program gave some sort of response along the lines of "SYSTEM ERROR -- PLEASE REPEAT LOGIN" and then dropped the link so that they would then log in for real. By that time I already had their password, of course.

As I said, it was never used for mischief, mostly just for the fun of seeing what the guys at rival high schools were doing!

It's amazing also how much security can be compromised by just a little social engineering. A few years later I put the college computer center staff to the test. I was living 300 miles away by then, and thought it would be fun to see what the new students at my old school were up to.

I called the computer center voice line: "Hello, this is Mr. ---- from ---- High School. I'm having trouble getting into account 37,0. The password used to be ----, but I think our department head might have just changed it and unfortunately he's not here today. Any chance you could check for me?"

"Just a moment.... The current password is ----."

It really was that simple, although I guess the response might have been different had I not given the correct account number for the school. And that was 20-odd years ago, before computer security became a big issue.