Discussions‎ > ‎

Security and hacking

5. A case of social engineering and bad password security

posted Jun 3, 2016, 10:17 AM by el komodos-drago   [ updated Jun 3, 2016, 4:01 PM by Jeff Ogden ]

my dad broke into someone's account in Durham university after finding out that their password was the same as their boyfriends name. he then set it to run a script that logged them off every time they logged on. this went on for a while (I'm a little short on the details) until he decided to stop it. only one problem; he couldn't remember how. so he e-mailed his friend in another university and found something out about e-mail security on some one else computer A.K.A. they where reading his mail. he was suspended and almost kicked out of university while someone with higher permissions and a much higher sense of right and wrong fixed their account. he jokes on occasion that this is why Durham got rid of their MTS system.
~ el drago

4. Computer offences at the University of Alberta

posted Sep 15, 2010, 8:08 PM by Jeff Ogden   [ updated Sep 29, 2010, 7:04 AM ]

From The Department of Computing Science: The First Twenty-Five Years,
by Keith Smillie, December 1990, Department of Computing Science,
The University of Alberta, Edmonton, Alberta, Canada

Page 29:
During the 1970s there occurred a series of computer offences at the University of Alberta which had their origins in the Department. The resulting trial and subsequent appeals caused nation-wide publicity in the daily and periodical press. In the spring of 1976 a student investigated the security of the MTS system as a project for a Computing Science course. Unfortunately, the resulting program which could reduce the charges for a computer run became available to other uses. The following year it became apparent to Computing Services staff that malicious users were tampering with the MTS system and causing malfunctions. After an extensive and lengthy investigation charges of theft and tampering were brought against a University student, a former University student and a high-school student. One person was convicted on both charges, another was convicted on the charge of theft and the third acquitted. Both of the convicted persons received suspended sentences, one of which was overturned by the Alberta Court of Appeal on the grounds that the computer could not be defined as a "telecommunication facility" and thus be covered by the Criminal Code. The Government of Alberta made an unsuccessful attempt to appeal this decision to the Supreme Court of Canada.

So we have reported hacking or security incidents for WSU, UM, and UQV. Anyone from UBC, NUMAC, SFU, or RPI care to fess-up or explain how you manged to recruit a more honest or at least law abiding class of students?

<< Previous  Next >>

3. "We were not very happy ..." is an understatement

posted Sep 15, 2010, 6:35 PM by Jeff Ogden   [ updated Sep 29, 2010, 7:05 AM ]

The following is one item from the sidebar article "Some Days Were Better Than Others" which appeared in the 13 May 1996 issue of the UM IT Digest (the "Goodbye MTS" issue):

The first MTS Workshop in Newcastle, England, took all the MTS developers away from Ann Arbor near the end of a term during which a U-M class had been assigned the problem of finding security holes in MTS. While no one was particularly surprised that these students found some holes, we were not very happy when they took advantage of their illegal access and started wreaking havoc in the system. This happened at a time when international networking was still very new and very primitive. To get a connection back to U-M, we had to use a very slow and unreliable long-distance phone connection from Newcastle to London, where the only international network connection in the United Kingdom was, in order to fix the security problems in Ann Arbor.
          –Mike Alexander

I remember working  with Mike Alexander, Scott Gerstenberger, and George Helffrich from a terminal in the Newcastle machine room. The network connection was a dial-up call to the BPO network which had a new X.25 interconnection to GTE's TELENET network which in turn had an interconnection to the Merit Network which was connected to UM's MTS system. We'd been challenged by Elizabeth Barraclough at the start of the MTS Workshop when she said that she expected that someone would make such a connection work before the Workshop was over. And after some arm twisting with the folks at the BPO, we were in fact able to make the connection work. At the time we didn't realize how we'd be using the new connection in just a few days time.

The long distance call, the network, or something was pretty noisy and unreliable. So unreliable that we didn't trust it to patch the system directly. Instead we put the system status commands into a file, printed the file out a few times and read it over very carefully, sent messages to the console warning the system operators in Ann Arbor about what we were going to do, and then sourced the file. It worked OK and we put the same patch into RAMROD. This kept the lid on things until some of us returned home and could fix things for real.

The task of patching the UM system was made considerably easier because an MTS distribution had recently been sent out and there were MTS listings in the Newcastle machine room that either exactly matched the system running back in Ann Arbor or were very close.

And after I got back to Ann Arbor, I got a message from Gavin Eadie (the Workshop coordinator) asking if UM would pay the bill for the use of the network. We did.

The class, Computer and Communication Sciences 673, Advanced System Programming, taught by Bernie Galler and Larry Flanigan, had 12 students.  The results from the class, without any mention of the "havoc", were reported in a widely referenced paper:

Hebbard, B., et al., "A Penetration Analysis of the Michigan Terminal System", ACM Operating Systems Review, pp. 7-20, Vol. 14, No. 1, January 1980. A PDF of the paper is available here.

From the paper:

This project was undertaken by a graduate-level computer science class at the University of Michigan in Ann Arbor. It was done at the invitation and with the full cooperation of the University of Michigan Computing Center, which is interested in assessing and improving the security of its operating system, the Michigan Terminal System (MTS).

The members of this team each had the advantage of several years' experience as users of MTS and had access to all user-level documentation and manuals. Since system documentation was made available to the team as well, the meeting time during the first few weeks of the project was devoted entirely to learning as much as possible about the internal structure of MTS. Members of the Computing Center staff gave lectures on their respective areas of responsibility, explaining in some detail the internal structure of various components, pointing out sources of more detailed documentation, and giving some introduction to the mountains of assembly-code listings.

Not mentioned in the paper was the fact that there was an explicit bargain struck between the UM Computing Center and members of the class. The CC staff would help the class get started and give them access to source code, the class was free to test out their ideas on MTS as long as they did not disrupt the operation of the system, and if they needed to do any tests that might be disruptive, they would come to us and we'd setup a test environment where they could do their tests safely. That bargain was not fully honored and I remember being annoyed with Bernie and Larry for not doing more to bring the class back into line.

All of the problems discovered by the class were fixed shortly after the developers returned from the UK. That isn't to say that there weren't other problems that had yet to be discovered.

2. Jobs for hackers?

posted Sep 15, 2010, 6:23 PM by Jeff Ogden   [ updated Sep 29, 2010, 7:08 AM ]

This is from Josh Simon's "Anecdotes" page:

Security and hacking

According to legend, several graduate-level Computer Science classes were given instructions to try to break into MTS. The few who succeeded in breaching the system security (mainly those who managed to obtain privileges beyond those of their normal user accounts) were given employment at the University's Computing Center. Their first task was to plug the security hole they found.

I think I was involved in this incident. There was such a class (CCS 673) and it did find problems with some aspects of MTS security. I don't think it is true that the UM Computing Center hired anyone because of their involvement, but some members of the class did work for the Computing Center.  And as I remember things it was George Helffrich who fixed most of the problems found by the class. George and I gave the class an introduction to the internals of MTS, but we weren't students in the class. See the next posting for more.

1. Mark Zbikowski and WSU?

posted Sep 15, 2010, 6:15 PM by Jeff Ogden   [ updated Dec 25, 2011, 9:04 PM ]

The following item is from http://www.hacker.org/forum/viewtopic.php?p=2159&sid=cd5277dd8bebb99521c66eb49c80cccb:

Mark Zbikowski — In his senior year at Roeper, c. 1973/4, Zbikowski became known as one of the earliest computer crackers, after cracking the security system on Wayne State University's MTS (Michigan Terminal System, developed at University of Michigan) mainframe for his own amusement. According to Zbikowski, when he offered to show the university how to fix the security leak, university officials threatened prosecution and offered him a job during the same meeting.

Mark went on to Harvard and joined Bill Gates and Steve Ballmer at Microsoft.  From http://en.wikipedia.org/wiki/Mark_Zbikowski:

Mark Zbikowski (born March 21 1956 in Detroit, Michigan) is a former Microsoft Architect and one of the first computer hackers. He started working at the company only a few years after its inception, leading efforts in MS-DOS, OS/2, Cairo and Windows NT. In 2006 he was honored for 25 years of service with the company, the first employee to reach this milestone other than Bill Gates and Steve Ballmer.

This all sounds as if it might be true, but I don't really have any facts to go on. Can anyone confirm or provide details?

<< Previous  Next >>

1-5 of 5