Again the advantage to the hacker is obvious--a partly-known
telephone number can be located by writing a simple software
routine to test the variables.
However, not all auto-dial facilities are equally useful. Some
included in US-originated communications software and terminal
emulators are for specific 'smart' modems not available
elsewhere--and there is no way of altering the software to work with
other equipment. In general, each modem that contains an auto-dialler
has its own way of requiring instructions to be sent to it. If an
auto-dialling facility is important to you, check that your software
is configurable to your choice of auto-dial modem.
Another hazard is that certain auto-diallers only operate on the
multi-frequency tones method ('touch-tone') of dialling used in large
parts of the United States and only very slowly being introduced in
other countries. The system widely used in the UK is called 'pulse'
dialling. Touch-tone dialling is much more rapid than pulse dialling,
of course.
Finally, on the subject of US-originated software, some packages
will only accept phone numbers in the standard North American format
of: 3-digit area code, 3-digit local code, 4-digit subscriber code.
In the UK and Europe the phone number formats vary quite
considerably. Make sure that any auto-dial facility you use actually
operates on your phone system.
Format Screen - Most professional on-line and time-share services
assume an 80-column screen. The 'format screen' option in terminal
emulators may allow you to change the regular text display on your
micro to show 80 characters across by means of a graphics 'fiddle';
alternatively, it may give you a more readable display of the stream
from the host by forcing line feeds at convenient intervals, just
before the stream reaches the right-hand margin of the micro's
'natural' screen width.
Related to this are settings to handle the presentation of the
cursor and to determine cursor movement about the screen--normally
you won't need to use these facilities, but they may help you when
on-line to some odd-ball, non-standard service. Certain specific
'dumb' terminals like the VT52 (which has become something of a
mainframe industry standard) use special sequences to move the cursor
about the screen--useful when the operator is filling in standard
forms of information.
Other settings within this category may allow you to view
characters on your screen which are not part of the normal character
set. The early Apples, for example, lacked lower case, presenting
everything in capitals (as does the ZX81), so various ingenious
'fixes' were needed to cope. Even quite advanced home computers may
lack some of the full ASCII character set, such oddities as the tilde
~ or backslash \ or curly bracket { }, for example.
Re-assign keyboard - A related problem is that home micro keyboards
may not be able to generate all the required characters the remote
service wishes to see. The normal way to generate an ASCII character
not available from the keyboard is from Basic, by using a Print
CHR$(n) type command. This may not be possible when on-line to a
remote computer, where everything is needed in immediate mode. Hence
the requirement for a software facility to re-assign any little-used
key to send the desired 'missing' feature. Typical requirements are
BREAK, ESC, RETURN (when part of a string as opposed to being the end
of a command) etc. When re-assigning a series of keys, you must make
sure you don't interfere with the essential functioning of the
terminal emulator.
For example, if you designate the sequence ctrl-S to mean 'send a DC1
character to the host', the chances are you will stop the host from
sending anything to you, because ctrl-S is a common command (sometimes
called XOFF) to call for a pause--incidentally, you can end the
pause by hitting ctrl-Q. Appendix IV gives a list of the full ASCII
implementation and the usual 'special' codes as they apply to
computer-to-computer communications.
File Protocols - When computers are sending large files to each
other, a further layer of protocol, beyond that defining individual
letters, is necessary. For example, if your computer is automatically
saving to disk at regular intervals as the buffer fills up, it is
necessary to be able to tell the host to stop sending for a period,
until the save is complete. On older time-share services, where the
typical terminal is a teletypewriter, the terminal is in constant
danger of being unable mechanically to keep up with the host
computer's output. For this reason, many host computers use one of
two well-known protocols which require the regular exchange of
special control characters for host and user to tell each other all
is well. The two protocols are:
Stop/Start - The receiving computer can at any time send to the host
a Stop (ctrl-S) signal, followed, when it is ready, by a Start
(ctrl-Q).
EOB/ACK - The sending computer divides its file into blocks (of any
convenient length); after each block is sent, an EOB (End of Block)
character is sent (see ASCII table, Appendix IV). The user's computer
must then respond with an ACK (Acknowledge) character.
These protocols can be used individually, together or not at all.
You may be able to use the 'Show Control Codes' option to check
whether either of the protocols is in use. Alternatively, if you
have hooked on to a service which, for no apparent reason, seems to
stop in its tracks, you could try sending an ACK or Start (ctrl-F or
ctrl-Q) and see if you can get things moving.
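The two protocols as a worked exchange, added here as an example in Python (it is not from the book): a host sends a file to a terminal that goes 'deaf' for a few ticks whenever its buffer fills and it saves to disk. With no protocol, bytes sent during the save are lost; with Stop/Start the XOFF holds the host until the XON arrives; with EOB/ACK the host waits for each block to be acknowledged, which only helps if a block fits the terminal's buffer. The EOB character code used is an assumption (ETB, ctrl-W; the real code is in the book's Appendix IV), and the tick timings, names and the 24-byte test file are constructed for the demonstration.

```python
"""Flow control between a host and a terminal that cannot always keep up:
a tick-based simulation of the Stop/Start (XON/XOFF) and EOB/ACK protocols.
Added example, not from the book; the EOB code below is an assumption."""

XON, XOFF = 0x11, 0x13    # ctrl-Q (Start) and ctrl-S (Stop)
ACK = 0x06                # ctrl-F
EOB = 0x17                # End of Block: assumed to be ETB (ctrl-W) here
SAVE_TICKS = 3            # how long the terminal is deaf while saving to disk


class Terminal:
    """The user's end. Bytes arriving while a save is in progress are lost
    unless the host has been told to wait: the hazard both protocols address."""

    def __init__(self, buffer_size, xonxoff=False, ack=False):
        self.buffer_size, self.xonxoff, self.ack = buffer_size, xonxoff, ack
        self.buffer, self.disk = bytearray(), bytearray()
        self.busy, self.pending_eob, self.lost = 0, False, 0

    def receive(self, byte):
        """Handle one byte from the host; return control bytes to send back."""
        if self.busy:
            if byte == EOB:
                self.pending_eob = True   # answer it once the save has finished
            else:
                self.lost += 1            # data arrived while we were not listening
            return []
        if byte == EOB:
            return [ACK] if self.ack else []
        self.buffer.append(byte)
        if len(self.buffer) == self.buffer_size:
            self.busy = SAVE_TICKS        # start the (slow) save to disk
            return [XOFF] if self.xonxoff else []
        return []

    def tick(self):
        """Advance one tick; when a save completes, release the host again."""
        if not self.busy:
            return []
        self.busy -= 1
        if self.busy:
            return []
        self.disk += self.buffer
        self.buffer.clear()
        replies = [XON] if self.xonxoff else []
        if self.pending_eob and self.ack:
            replies.append(ACK)
            self.pending_eob = False
        return replies

    def contents(self):
        """Everything the terminal holds: saved to disk plus still buffered."""
        return bytes(self.disk + self.buffer)


def transfer(data, block_size, terminal, xonxoff=False, ack=False, limit=10000):
    """Host side: send `data` one byte per tick, obeying whichever protocol is
    enabled. Returns the number of ticks the transfer took."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    outgoing, paused, waiting_ack, ticks = bytearray(), False, False, 0
    while blocks or outgoing:
        ticks += 1
        if ticks > limit:
            raise RuntimeError("transfer stalled")
        replies = terminal.tick()
        if not outgoing and not waiting_ack and blocks:
            outgoing += blocks.pop(0)
            if ack:
                outgoing.append(EOB)      # mark the end of the block
        if outgoing and not paused and not waiting_ack:
            byte = outgoing.pop(0)
            replies += terminal.receive(byte)
            waiting_ack = (byte == EOB)
        for c in replies:
            if c == XOFF and xonxoff:
                paused = True
            elif c == XON and xonxoff:
                paused = False
            elif c == ACK:
                waiting_ack = False
    return ticks


def run_scenarios(data=bytes(range(65, 89))):   # 24 constructed bytes, 'A'..'X'
    """Compare the protocols; returns {name: (bytes lost, all data kept?)}."""
    results = {}
    for name, kw, block in [("none", {}, 8),
                            ("xonxoff", {"xonxoff": True}, 8),
                            ("eob/ack", {"ack": True}, 8),
                            ("eob/ack, block too big", {"ack": True}, 12)]:
        term = Terminal(8, **kw)
        transfer(data, block, term, **kw)
        results[name] = (term.lost, term.contents() == data)
    return results


if __name__ == "__main__":
    for name, (lost, ok) in run_scenarios().items():
        print(f"{name:24s} lost={lost} complete={ok}")
```

The terminal's buffer is 8 bytes and a save takes 3 ticks, so without any protocol the two bytes sent during each save vanish; EOB/ACK with a 12-byte block loses them too, because the host only pauses at block boundaries.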
File transmission - All terminal emulators assume you will want to
send, as well as receive, text files. Thus, in addition to the
protocol settings already mentioned, there may be additional ones for
that purpose, e.g. the XMODEM protocol very popular on bulletin
boards. Hackers, of course, usually don't want to place files on
remote computers.....
Specific terminal emulation - Some software has pre-formatted sets of
characteristics to mimic popular commercial 'dumb' terminals. For
example, with a ROM costing under £60 fitted to a BBC micro, you can
obtain almost all of the features of DEC's VT100 terminal, which
until recently was regarded as something of an industry-standard and
costing just under £1000.
Other popular terminals are the VT52 and some Tektronix models, the
latter for graphics display. ANSI have produced a 'standard'
specification.
Baudot characters - The Baudot code, or International Telegraphic
Code No 2, is the 5-bit code used in telex and telegraphy -- and in
many wire-based news services. A few terminal emulators include it as
an option, and it is useful if you are attempting to hack such
services. Most software intended for use on radio link-ups (see
Chapter 10) operates primarily in Baudot, with ASCII as an option.
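An ITA2 (Baudot) translator of the kind such an emulator needs, added here as an example in Python (not from the book or any particular emulator): the code is 5-bit with two shift states, letters and figures, so the decoder is a small state machine driven by the LTRS and FIGS codes. The table is the standard ITA2 allocation; the three figures-case positions that ITA2 leaves for national use (on F, G and H) are given the UK assignments ! & £ here, which is an assumption.

```python
"""ITA2 (Baudot, International Telegraph Alphabet No. 2) encoder and decoder:
the 5-bit, shift-state code used by telex, translated to and from ASCII.
Added example, not from the book; F/G/H figures-case values are assumed."""

LTRS, FIGS = 0x1F, 0x1B   # shift codes selecting the letters or figures case

# Index = 5-bit code value, with bit 1 of the code as the least significant bit.
LETTERS = ["\0", "E", "\n", "A", " ", "S", "I", "U",
           "\r", "D", "R", "J", "N", "F", "C", "K",
           "T", "Z", "L", "W", "H", "Y", "P", "Q",
           "O", "B", "G", None, "M", "X", "V", None]
FIGURES = ["\0", "3", "\n", "-", " ", "'", "8", "7",
           "\r", "\x05", "4", "\x07", ",", "!", ":", "(",
           "5", "+", ")", "2", "£", "6", "0", "1",
           "9", "?", "&", None, ".", "/", "=", None]


def decode(codes, case=LETTERS):
    """Translate 5-bit codes into text, tracking the shift state.
    `case` is the initial shift; a line is assumed to start in letters."""
    out = []
    for code in codes:
        code &= 0x1F
        if code == LTRS:
            case = LETTERS
        elif code == FIGS:
            case = FIGURES
        else:
            out.append(case[code])
    return "".join(out)


def encode(text):
    """Translate text (upper-cased: ITA2 has no lower case) into codes,
    inserting a shift code only when the case changes. The stream starts
    with an explicit shift so the receiver's initial state does not matter.
    Raises ValueError for characters ITA2 cannot represent."""
    codes, case = [], None
    for ch in text.upper():
        if case is not None and ch in case:   # usable in the current shift
            codes.append(case.index(ch))
            continue
        if ch in LETTERS:
            codes.append(LTRS)
            case = LETTERS
        elif ch in FIGURES:
            codes.append(FIGS)
            case = FIGURES
        else:
            raise ValueError(f"no ITA2 code for {ch!r}")
        codes.append(case.index(ch))
    return codes


if __name__ == "__main__":
    # A constructed wire-service style line, as it would reach the emulator.
    wire = encode("Flash: 2 killed, 14 hurt.")
    print(wire)
    print(decode(wire))   # FLASH: 2 KILLED, 14 HURT.
```

Note that space, CR, LF and NUL exist in both cases, so the encoder sends them without a shift; a decoder that loses one FIGS or LTRS code mis-translates everything up to the next shift, which is why a real telex stream repeats shifts generously.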
Viewdata emulation - This gives you the full, or almost full,
graphics and text characters of UK-standard viewdata. Viewdata tv
sets and adapters use a special character-generator chip and a few,
mostly British-manufactured, micros use that chip also--the Acorn
Atom was one example. The BBC has a teletext mode which adopts the
same display. But for most micros, viewdata emulation is a matter of
using hi-res graphics to mimic the qualities of the real thing, or to
strip out most of the graphics. Viewdata works on a screen 40
characters by 24 rows, and as some popular home micros have 'native'
displays smaller than that, some considerable fiddling is necessary
to get them to handle viewdata at all.
In some emulators, the option is referred to as Prestel or
Micronet--they are all the same thing. Micronet-type software usually
has additional facilities for fetching down telesoftware programs
(see Chapter 10).
Viewdata emulators must attend not only to the graphics
presentation, but also to split-speed operation: the usual speeds are
1200 receive from host, 75 transmit to host. USA users of such
services may get them via a packet-switched network, in which case
they will receive it either at 1200/1200 full duplex or at 300/300.
Integrated terminal emulators offering both 'ordinary'
asynchronous emulation and viewdata emulation are rare: I have to use
completely different and non-compatible bits of software on my own
home set-up.
Modems
Every account of what a modem is and does begins with the classic
explanation of the derivation of the term: let this be no exception.
Modem is a contraction of modulator-demodulator.
A modem taking instructions from a computer (pin 2 on RS232C)
converts the binary 0's and 1's into specific single tones, according
to which 'standard' is being used. In RS232C/V24, binary 0 (ON)
appears as positive volts and binary 1 (OFF) appears as negative
volts.
The tones are then fed, either acoustically via the telephone
mouth-piece into the telephone line, or electrically, by generating
the electrical equivalent direct onto the line. This is the
modulating process.
In the demodulating stage, the equipment sits on the phone line
listening for occurrences of pre-selected tones (again according to
whichever 'standard' is in operation) and, when it hears one,
delivers a binary 0 or binary 1 in the form of positive or negative
voltage pulses into pin 3 of the computer's serial port.
This explanation holds true for modems operating at up to 1200
baud; above this speed, the modem must be able to originate tones,
and detect them according to phase as well, but since higher-speed
working is unusual in dial-up ports--the hacker's special interest--
we can leave this matter to one side.
The modem is a relatively simple bit of kit: on the transmit side
it consists of a series of oscillators acting as tone generators, and
on receive has a series of narrow band-pass filters. Designers of
modems must ensure that unwanted tones do not leak into the telephone
line (exchanges and amplifiers used by telephone companies are
sometimes remotely controlled by the injection of specific tones) and
also that, on the receive side, only the distinct tones used for
communications are 'interpreted' into binary 0s or 1s. The other
engineering requirements are that unwanted electrical currents do not
wander down the telephone cable (to the possible risk of phone
company employees) or back into the user's computer.
Until relatively recently, the only UK source of low-speed modems
was British Telecom. The situation is much easier now, but
de-regulation of 'telephone line attachments', which include modems,
is still so recent that the ordinary customer can easily become
confused. Moreover, modems offering exactly the same service can vary
in price by over 300%. Strictly speaking, all modems connected to
the phone line should be officially approved by BT or other
appropriate regulatory authority.
At 300 baud, you have the option of using direct-connect modems
which are hard-wired into the telephone line, an easy enough
exercise, or using an acoustic coupler in which you place the
telephone hand-set. Acoustic couplers are inherently prone to
interference from room-noise, but are useful for quick lash-ups and
portable operation. Many acoustic couplers operate only in
'originate' mode, not in 'answer'. Newer commercial direct-connect
modems are cheaper than acoustic couplers.
At higher speeds acoustic coupling is not recommended, though a
75/1200 acoustic coupler produced in association with the Prestel
Micronet service is not too bad, and is now exchanged on the
second-hand market very cheaply indeed.
I prefer modems that have proper status lights--power on, line
seized, transmit and receive indicators. Hackers need to know what is
going on more than most users.
The table below shows all but two of the types of service you are
likely to come across; V-designators are the world-wide 'official'
names given by the CCITT; Bell-designators are the US names:
Service         Speed    Duplex    Transmit (Hz)  Receive (Hz)  Answer (Hz)
Designator                         0     1        0     1
V21 orig        300(*)   full      1180  980      1850  1650    -
V21 ans         300(*)   full      1850  1650     1180  980     2100
V23 (1)         600      half      1700  1300     1700  1300    2100
V23 (2)         1200     f/h(**)   2100  1300     2100  1300    2100
V23 back        75       f/h(**)   450   390      450   390     -
Bell 103 orig   300(*)   full      1070  1270     2025  2225    -
Bell 103 ans    300(*)   full      2025  2225     1070  1270    2225
Bell 202        1200     half      2200  1200     2200  1200    2025
(*) any speed up to 300 baud; can also include 75 and 110 baud
services
(**) service can either be half-duplex at 1200 baud or asymmetrical
full duplex, with 75 baud originate and 1200 baud receive (commonly
used by a viewdata user) or 1200 transmit and 75 receive (viewdata host)
The two exceptions are:
V22 1200 baud full duplex, two wire
Bell 212A The US equivalent
These services use phase modulation as well as tone.
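The modulator/demodulator process described under Modems, carried through with the V21 and Bell 103 originate tones from the table, as an added example in Python (not from the book): each bit of an asynchronous 8N1 frame becomes one tone burst, and the receiver decides each bit by comparing the signal's energy at the mark and space frequencies, which is what the narrow band-pass filters do in hardware. The 9600 Hz sample rate, the framing, the function names and the noise-free line are assumptions made for the demonstration; the frequencies are the table's. The last call shows why the tone standard must match at both ends: V21 audio put through the Bell 103 detector produces a framing error on every byte, so nothing is recovered.

```python
"""FSK modem round trip: async 8N1 framing, tone modulation with the V21 and
Bell 103 originate frequencies from the table above, and demodulation by
measuring tone energy per bit period. Added example; pure Python."""
import math
import cmath

SAMPLE_RATE = 9600          # Hz (assumed): 9600 / 300 = exactly 32 samples per bit
BAUD = 300

# Transmit tones (Hz) for binary 0 ('space') and binary 1 ('mark'), as in the
# table: the originate end sends these, the answer end listens for them.
TONES = {
    "V21 orig": (1180, 980),
    "Bell 103 orig": (1070, 1270),
}


def frame_byte(value):
    """Async 8N1 frame: start bit (0), eight data bits LSB first, stop bit (1)."""
    return [0] + [(value >> i) & 1 for i in range(8)] + [1]


def modulate(bits, standard):
    """Modulator: one phase-continuous tone burst per bit (data in on pin 2,
    audio out to the line)."""
    f0, f1 = TONES[standard]
    samples_per_bit = SAMPLE_RATE // BAUD
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (f1 if bit else f0) / SAMPLE_RATE
        for _ in range(samples_per_bit):
            samples.append(math.sin(phase))
            phase += step
    return samples


def tone_power(window, freq):
    """Energy of `window` at one frequency (a single-bin DFT), standing in for
    a narrow band-pass filter followed by a level detector."""
    acc = 0j
    for n, x in enumerate(window):
        acc += x * cmath.exp(-2j * math.pi * freq * n / SAMPLE_RATE)
    return abs(acc) ** 2


def demodulate(samples, standard):
    """Demodulator: for each bit period, decide which tone carries more energy
    (audio in from the line, data bits out towards pin 3)."""
    f0, f1 = TONES[standard]
    spb = SAMPLE_RATE // BAUD
    bits = []
    for i in range(0, len(samples) - spb + 1, spb):
        window = samples[i:i + spb]
        bits.append(1 if tone_power(window, f1) > tone_power(window, f0) else 0)
    return bits


def deframe(bits):
    """Recover bytes from 8N1 frames; a bad start or stop bit gives None."""
    out = []
    for i in range(0, len(bits) - 9, 10):
        frame = bits[i:i + 10]
        if frame[0] != 0 or frame[9] != 1:
            out.append(None)                      # framing error
            continue
        out.append(sum(frame[1 + k] << k for k in range(8)))
    return out


def round_trip(text, tx="V21 orig", rx=None):
    """Send `text` with the tx standard and decode it with the rx standard
    (defaults to tx). Bytes with framing errors are dropped."""
    bits = [b for ch in text.encode("ascii") for b in frame_byte(ch)]
    recovered = deframe(demodulate(modulate(bits, tx), rx or tx))
    return bytes(b for b in recovered if b is not None).decode("ascii")


if __name__ == "__main__":
    print(round_trip("HELLO"))                                     # HELLO
    print(round_trip("HELLO", "Bell 103 orig"))                    # HELLO
    print(repr(round_trip("HELLO", "V21 orig", "Bell 103 orig")))  # '' (tones mismatched)
```

The decision in demodulate is deliberately crude (no filtering between bits, no clock recovery) because the point is the tone-to-bit mapping; the 200 Hz spacing of the V21 pair against a 1/300 s observation window still leaves a comfortable energy margin on a clean line.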
British Telecom markets the UK services under the name of
Datel--details are given in Appendix V.
BT's methods of connecting modems to the line are: hard-wiring into
the junction box (the two outer wires are the ones you usually need);
a 4-ring plug and associated socket (type 95A) for most modems; a
5-ring plug and associated socket (type 96A) for Prestel applications
(note that the fifth ring isn't used); and, for all new equipment, a
modular jack called type 600. The US also has a modular jack, but of
course it is not compatible.
Modern modem design is greatly aided by a wonder chip called the
AMD 7910. This contains nearly all the facilities to modulate and
demodulate the tones associated with the popular speed services, both
in the CCITT and Bell standards. The only omission--not always made
clear in the advertisements--is the services using 1200/1200
full-duplex, ie V22 and Bell 212A.
Building a modem is now largely a question of adding a few
peripheral components, some switches and indicator lights, and a box.
In deciding which 'world standard' modem to purchase, hackers should
consider the following features:
Status lights - you need to be able to see what is happening on the line.
Hardware/software switching - cheaper versions merely give you a
switch on the front enabling you to change speeds, originate or
answer mode and CClTT or Bell tones. More expensive ones feature
firmware which allows your computer to send specially formatted
instructions to change speed under program control. However, to make
full use of this facility, you may need to write (or modify) your
terminal emulator.
Auto-dial - a pulse dialler and associated firmware are included in
some more expensive models. You should ascertain whether the
auto-dialer operates on the telephone system you intend to hook the
modem up to--some of the US 'smart' modems present difficulties
outside the States. You will of course need software in your micro to
address the firmware in the modem --and the software has to be part
of your terminal emulator, otherwise you gain nothing in convenience.
However, with appropriate software, you can get your computer to try
a whole bank of numbers one after the other.
D25 connector - this is the official 'approved' RS232C/V24 physical
connection--useful from the point-of-view of easy hook-up. A number
of lower-cost models substitute alternative DIN connectors. You must
be prepared to solder up your own cables to be sure of connecting up
properly.
Documentation - I always prefer items to be accompanied by proper
instructions. Since hackers tend to want to use equipment in
unorthodox ways, they should look for good documentation too.
Finally, a word on build-your-own modems. A number of popular
electronics magazines and mail-order houses have offered modem
designs. Such modems are not likely to be approved for direct
connection to the public telephone network. However, most of them
work. If you are uncertain of your kit-constructing skills, though,
remember badly-built modems can be dangerous both to your computer
and to the telephone network.
Test Equipment
Various items of useful test equipment occasionally appear on the
second-hand market--via mail-order, in computer junk shops, in the
flea-market section of exhibitions and via computer clubs.
It's worth searching out a cable 'break-out' box. This lets you
restrap an RS232C cable without using a soldering iron--the various
lines are brought out on to an accessible matrix and you use small
connectors to make (or break) the links you require. It's useful if
you have an 'unknown' modem, or an unusually configured computer.
Related, but much more expensive, is an RS232C/V24 analyser--this
gives LED status lights for each of the important lines, so you can
see what is happening.
Lastly, if you are a very rich and enthusiastic hacker, you can
buy a protocol analyser. This is usually a portable device with a
VDU, full keyboard, and some very clever firmware which examines the
telephone line or RS232C port and carries out tests to see which of
several popular datacomms protocols is in use. Hewlett Packard do a
nice range. Protocol analysers will handle asynchronous transmissions
as well as synchronous. Cost: £1500 and up...and up.
CHAPTER 4
Targets
Wherever hackers gather, talk soon moves from past achievements
and adventures to speculation about what new territory might be
explored. It says much about the compartmentalisation of computer
specialities in general and the isolation of micro-owners from
mainstream activities in particular that a great deal of this
discussion is like that of navigators in the days before Columbus:
the charts are unreliable, full of blank spaces and confounded with
myth.
In this chapter I am attempting to provide a series of notes on
the main types of services potentially available on dial-up, and to
give some idea of the sorts of protocols and conventions employed.
The idea is to give voyagers an outline atlas of what is interesting
and possible, and what is not.
On-line hosts
On-line services were the first form of electronic publishing: a
series of big storage computers--and on occasion, associated
dedicated networks -- act as hosts to a group of individual databases
by providing not only mass data storage and the appropriate 'search
language' to access it, but also the means for registering, logging
and billing users. Typically, users access the on-line hosts via a
phone number which links into a public data network using packet
switching (there's more on these networks in chapter 7).
The on-line business began almost by accident; large corporations
and institutions involved in complicated technological developments
found that their libraries simply couldn't keep track of the
publication of relevant new scientific papers, and decided to
maintain indices of the papers by name, author, subject-matter, and
so on, on computer. One of the first of these was the armaments and
aircraft company, Lockheed Corporation.
In time the scope of these indices expanded and developed and
outsiders--sub-contractors, research agencies, universities,
government employees, etc--were granted access. Other organisations
with similar information-handling requirements asked if space could
be found on the computer for their needs.
Eventually Lockheed and others recognised the beginnings of a quite
separate business; in Lockheed's case it led to the foundation of
Dialog, which today acts as host and marketing agent for almost 300
separate databases. Other on-line hosts include BRS (Bibliographic
Retrieval Services), Comshare (used for sophisticated financial
modelling), DataStar, Blaise (British Library), I P Sharp, and
Euronet-Diane.
On-line services, particularly the older ones, are not especially
user-friendly by modern standards. They were set up at a time when
both core and storage memory was expensive, and the search languages
tend to be abbreviated and formal. Typically they are used, not by
the eventual customer for the information, but by professional
intermediaries--librarians and the like--who have undertaken special
courses. Originally on-line hosts were accessed by dumb terminals,
usually teletypewriters like the Texas Whisperwriter portable with
built-in acoustic modem, rather than by VDUs. Today the trend is to
use 'front-end' intelligent software on an IBM PC which allows the
naive user to pose his/her questions informally while offline; the
software then redefines the information request into the formal
language of the on-line host (the user does not witness this process)
and then goes on-line via an auto-dial modem to extract the
information as swiftly and efficiently as possible.
On-line services require the use of a whole series of passwords:
the usual NUI and NUA for PSS (see chapter 7), another to reach the
host, yet another for the specific information service required.
Charges are either for connect-time or per record retrieved, or
sometimes a combination.
The categories of on-line service include bibliographic, which
merely indexes the existence of an article or book--you must then
find a physical copy to read; and source, which contains the article
or extract thereof. Full-text services not only contain the complete
article or book but will, if required, search the entire text (as
opposed to mere keywords) to locate the desired information. An
example of this is LEXIS, a vast legal database which contains nearly
all important US and English law judgements, as well as statutes.
News Services
The vast majority of news services, even today, are not, in the
strictest sense, computer-based, although computers play an important
role in assembling the information and, depending on the nature of
the newspaper or radio or tv station receiving it, its subsequent
handling.
The world's big press agencies--United Press, Associated Press,
Reuters, Agence France Presse, TASS, Xinhua, PAP, VoA--use telex
techniques to broadcast their stories. Permanent leased telegraphy
lines exist between agencies and customers, and the technology is
pure telex: the 5-bit Baudot code (rather than ASCII) is adopted,
giving capital letters only, and 'mark' and 'space' are sent by
changing voltage conditions on the line rather than audio tones.
Speeds are 50 or 75 baud.
The user cannot interrogate the agency in any way. The stories
come in a single stream which is collected on rolls of paper and then
used as per the contract between agency and subscriber. To hack a
news agency line you will need to get physically near the appropriate
leased line, tap in by means of an inductive loop, and convert the
changing voltage levels (+80 volts on the line) into something your
RS232C port can handle. You will then need software to translate the
Baudot code into the ASCII which your computer can handle internally,
and display on screen or print to a file. The Baudot code is given in
None of this is easy and will probably involve breaches of several
laws, including theft of copyright material! However a number of news
agencies also transmit services by radio, in which case the signals
can be hijacked with a short-wave receiver. Chapter 9 explains.
Historic news, as opposed to the current stuff from agencies, is
now becoming available on-line. The New York Times, for example, has
long held its stories in an electronic 'morgue' or clippings library.
Initially this was for internal use, but for the last several years
it has been sold to outsiders, chiefly broadcasting stations and
large corporations. You can search for information by a combination
of keyword and date-range. The New York Times Information Bank is
available through several on-line hosts.
As the world's great newspapers increasingly move to electronic
means of production--journalists working at VDUs, sub-editors
assembling pages and direct-input into photo-typesetters--the
additional cost to each newspaper of creating its own morgue is
relatively slight and we can expect to see many more commercial
services.
In the meantime, other publishing organisations have sought to
make available articles, extract or complete, from leading magazines
also. Two UK examples are Finsbury Data Services' Textline and
Datasolve's World Reporter, the latter including material from the BBC's
monitoring service, Associated Press, the Economist and the Guardian.
Textline is an abstract service, but World Reporter gives the full
text. In October 1984 it already held 500 million English words.
In the US there is NEXIS, which shares resources with LEXIS; NEXIS
held 16 million full text articles at that same date. All these
services are expensive for casual use and are accessed by dial-up
using ordinary asynchronous protocols.
Many electronic newsrooms also have dial-in ports for reporters
out on the job; depending on the system these ports not only allow
the reporter to transmit his or her story from a portable computer,
but may also (like Basys Newsfury used by Channel Four News) let them
see news agency tapes, read headlines and send electronic mail. Such
systems have been the subject of considerable hacker speculation.
Financial Services
The financial world can afford more computer aids than any other
non-governmental sector. The vast potential profits that can be made
by trading huge blocks of currency, securities or commodities--and
the extraordinary advantages that a slight 'edge' in information can
bring--have meant that the City, Wall Street and the equivalents in
Hong Kong, Japan and major European capitals have been in the
forefront of getting the most from high-speed comms.
Ten years ago the sole form of instant financial information was
the ticker tape--telegraphy technology delivering the latest share
price movements in a highly abbreviated form. As with its news
equivalents, these were broadcast services (and still are, for the
services still exist) sent along leased telegraph lines. The user
could only watch, and 'interrogation' consisted of back-tracking
along a tape of paper. Extel (Exchange Telegraph) continues to use
this technique, though it is gradually upgrading by using viewdata
and intelligent terminals.
However, just over ten years ago Reuters put together the first
packages which gave some intelligence and 'questioning power' to the
end user. Each Reuters' Monitor is intelligent, containing (usually)
a DEC PDP-8 series mini and some firmware which accepts and selects
the stream of data from the host at the far end of the leased line,
marshalls interrogation requests and takes care of the local display.
Information is formatted in 'pages' rather like viewdata frames, but
without the colour. There is little point in eavesdropping into a
Reuters line unless you know what the terminal firmware does. Reuters
now face an aggressive rival in Telerate, and the fight is on to
deliver not only fast comprehensive prices services but international
screen-based dealing as well. The growth of Reuters and its rivals is
an illustration of technology creating markets--especially in
international currency--where none existed before.
The first sophisticated Stock Exchange prices 'screens' used
modified closed circuit television technology. London had a system
called Market Price Display Service--MPDS--which consisted of a
number of tv displays of current prices services on different
'channels' which could be selected by the user. But London now uses
TOPIC, a leased line variant on viewdata technology, though with its
magazine-like arrangement and auto-screen refresh, it has as much in
common with teletext as Prestel. TOPIC carries about 2,500 of the
total 7,500 shares traded in London, plus selected analytical
material from brokers. Datastream represents a much higher level of
sophistication: using its £40,000 plus pa terminals you can compare
historic data-- price movements, movements against sector indices
etc--and chart the results.
The hacker's reward for getting into such systems is that you can
see share and other prices on the move. None of these prices is
confidential; all could be obtained by ringing a stockbroker.
However, this situation is likely to change; as the City makes the
change from the traditional broker/jobber method of dealing towards
specialist market making, there will then be electronic prices
services giving privileged information to specialist share dealers.
All these services are only available via leased lines; City
professionals would not tolerate the delays and uncertainties of
dial-up facilities. However dial-up ports exist for demonstrations,
exhibitions, engineering and as back-up--and a lot of hacking effort
has gone into tracking them down.
In the United States, in addition to Reuters, Telerate and local
equivalents of official streams of stock exchange and over-the-counter
data, there is Dow Jones, best known internationally for its
market indices similar to those produced by the Financial Times in
London. Dow Jones is in fact the owner of the Wall Street Journal and
some influential business magazines. Its Dow Jones News/Retrieval
Service is aimed at businesses and private investors. It features
current share prices, deliberately delayed by 15 minutes, historic
price data, which can be charted by the user's own computer
(typically an Apple or IBM PC) and historic 'morgue' type company
news and analysis. Extensions of the service enable customers to
examine accounts of companies in which they are interested. The bulk
of the information is US-based, but can be obtained world-wide via
packet-switching networks. All you need are the passwords and special
software.
Business Information
Business information is usually about the credit-worthiness of
companies, company annual reports, trading opportunities and market
research. The biggest electronic credit data resource is owned by the
international company Dun & Bradstreet: during 1985-86 it is due to
spend £25m on making its data available all over Europe, including
the UK. The service, which covers more than 250,000 UK businesses, is
called DunsPrint and access is both on-line and via a viewdata
front-end processor. Another credit agency, CNN Services, extensively
used already by the big clearing banks, and with 3000 customers
accessing information via viewdata sets, has recently also announced
an extended electronic retrieval service of its own called Guardian
Business Information. A third UK credit service available
electronically is called InfoLink.
In addition, all UK companies quoted on the London Stock Exchange,
and many others of any size who are not, have a report and analysis
available from ICC (InterCompany Comparisons), who can be accessed via
on-line dial-up, through a viewdata interface and also by
Datastream customers. Dun & Bradstreet also have an on-line service
called KBE covering 20,000 key British enterprises.
Prodigious quantities of credit and background data on US
companies can be found on several of the major on-line hosts. A
valid phone number, passwords and extracts from the operations manual
of one of the largest US services, TRW--it has credit histories on 90
million people--sat on some hackers' bulletin boards (of which much
more later) for over twelve months during 1983 and 1984 before the
company found out. No one knows how many times hackers accessed the
service. According to the Washington Post, the password and manual
had been obtained from a Sears Roebuck national chain store in
Sacramento; some hackers claimed they were able to alter credit
records, but TRW maintain that telephone access to their systems is
designed for read-only operations alone, updating of files taking
place solely on magnetic tape.
US market research and risk analysis comes from Frost & Sullivan.
Risk analysis tells international businessmen which countries are
politically or economically unstable, or likely to become so, and so
unsafe to do business with. I once found myself accessing a
viewdata-based international assessment service run by a company
called Control Risks, which reputedly has strong links to the Special
Air Service. As so often happens when hackers think they are about to
uncover secret knowledge, the actual data files seemed relatively
trivial, the sort of judgements that could be made by a bright sixth
former who read posh newspapers and thoughtful weekly magazines.
University facilities
In complete contrast to computers that are used to store and
present data are those where the value is to deliver processing power
to the outside world. Paramount among these are those installed in
universities and research institutes.
Although hackers frequently acquire phone numbers to enter such
machines, what you can do once you are there varies enormously. There
are usually tiers and banks of passwords, each allowing only limited
access to the range of services. It takes considerable knowledge of
the machine's operating system to break through from one to another
and indeed, in some cases, the operating system is so thoroughly
embedded in the mainframe's hardware architecture that the
substantial modifications necessary to permit a hacker to roam free
can only be done from a few designated terminals, or by having
physical access to the machine. However, the hobbyist bulletin board
system quite often provides passwords giving access to games and the
ability to write and run programs in exotic languages--my own first
hands-on experience of Unix came in exactly this way. There are
bulletin boards on mainframes and even, in some cases, boards for
hackers!
Given the nature of hacking, it is not surprising that some of the
earliest japes occurred on computers owned by universities. Way back
in the 1970s, MIT was the location of the famous 'Cookie Monster',
inspired by a character in the then-popular Rowan & Martin Laugh-in
television show. As someone worked away at their terminal, the word
'cookie' would appear across their screen, at first slowly wiping out
the user's work. Unless the user moved quickly, things started to
speed up and the machine would flash urgently: "Cookie, cookie, give
me a cookie". The whole screen would pulse with this message until,
after a while, the hacking program relented and the 'Monster' would
clear the screen, leaving the message: "I didn't want a cookie
anyway." It would then disappear into the computer until it snared
another unsuspecting user. You could save yourself from the Monster
by typing the word "Cookie", to which it replied "Thank you" and then
vanished.
In another US case, this time in 1980, two kids in Chicago,
calling themselves System Cruncher and Vladimir, entered the computer
at DePaul University and caused a system crash which cost $22,000 to
fix. They were prosecuted, given probation and were then made a movie
offer.
In the UK, many important university and research institution
computers have been linked together on a special data network called
SERCNET. SERC is the Science and Engineering Research Council.
Although most of the computers are individually accessible via PSS,
SERCNET makes it possible to enter one computer and pass through to
others. During early 1984, SERCNET was the target of much hacker
attention; a fuller account appears in chapter 7, but to anticipate a
little, a local entry node was discovered via one of the London
University college computers with a demonstration facility which, if
asked nicely, disgorged an operating manual and list of 'addresses'.
One of the minor joys of this list was an entry labelled "Gateway to
the Universe", pure Hitch-hiker material, concealing an extensive
long-term multi-function communications project. Eventually some
hackers based at a home counties university managed to discover ways
of roaming free around the network....
Banking
Prominent among public fantasies about hackers is the one where
banks are entered electronically, accounts examined and some money
moved from one to another. The fantasies, bolstered by
under-researched low-budget movies and tv features, arise from
confusing the details of several actual happenings.
Most 'remote stealing' from banks or illicit obtaining of account
details touch computers only incidentally and involve
straightforward fraud, conning or bribery of bank employees. In fact, when
you think about the effort involved, human methods would be much more
cost-effective for the criminal. For hackers, however, the very
considerable effort that has been made to provide security makes the
systems a great challenge in themselves.
In the United Kingdom, the banking scene is dominated by a handful
of large companies with many branches. Cheque clearing and account
maintenance are conducted under conditions of high security with
considerable isolation of key elements; inter-bank transactions in
the UK go through a scheme called CHAPS, Clearing House Automatic
Payments System, which uses the X.25 packet switching protocols (see
chapter 7). The network is based on Tandem machines; half of each
machine is common to the network and half unique to the bank. The
encryption standard used is the US Data Encryption Standard. Certain
parts of the network, relating to the en- and de-cryption of
messages, apparently auto-destruct if tampered with.
The service started early in 1984. The international equivalent
is SWIFT (Society for Worldwide Interbank Financial Transactions);
this is also X.25-based and it handles about half-a-million messages
a day. If you want to learn someone's balance, the easiest and most
reliable way to obtain it is with a plausible call to the local
branch. If you want some easy money, steal a cheque book and cheque
card and practise signature imitation. Or, on a grander scale, follow
the example of the £780,000 krugerrand fraud in the City. Thieves
intercepted a telephone call from a solicitor or bank manager to
'authenticate' forged drafts; the gold coins were then delivered to a
bogus company.
In the United States, where federal law limits the size of an
individual bank's operations and in international banking, direct
attacks on banks have been much easier because the technology adopted
is much cruder and more use is made of public phone and telex lines.
One of the favourite techniques has been to send fake authorisations
for money transfers. This was the approach used against the Security
National Pacific Bank by Stanley Rifkin and a Russian diamond dealer
in Geneva. $10.2m moved from bank to bank across the United States
and beyond. Rifkin obtained code numbers used in the bilateral Test
Keys. The trick is to spot weaknesses in the cryptographic systems
used in such authorisations. The specifications for the systems
themselves are openly published; one computer security expert, Leslie
Goldberg, was recently able to take apart one scheme--proposed but
not actually implemented--and show that much of the 'key' that was
supposed to give high level cryptographic security was technically
redundant, and could be virtually ignored. A surprisingly full
account of his 'perfect' fraud appears in a 1980 issue of the journal
Computer Fraud and Security Bulletin.
There are, however, a few areas where banking is becoming
vulnerable to the less mathematically literate hacker. A number of
international banks are offering their big corporation customers
special facilities so that their Treasury Departments (which ensure,
among other things, that any spare million dollars are not left doing
nothing overnight but are earning short-term interest) can have
direct access to their account details via a PC on dial-up. Again,
telebanking is now available via Prestel and some of its overseas
imitators. Although such services use several layers of passwords to
validate transactions, if those passwords are mis-acquired, since no
signatures are involved, the bank account becomes vulnerable.
Finally, the network of ATMs (hole-in-the-wall cash machines) is
expanding greatly. As mentioned early in this book, hackers have
identified a number of bugs in the machines. None of them,
incidentally, lead directly to fraud. These machines allow
cardholders to extract cash up to a finite limit each week (usually
£100). The magnetic stripe contains the account number, validation
details of the owner's PIN (Personal Identity Number), usually 4
digits, and a record of how much cash has been drawn that week. The
ATM is usually off-line to the bank's main computer and only goes
on-line in two circumstances--first, during business hours, to
respond to a customer's 'balance request'; and second, outside
regular hours, to take into local memory lists of invalid cards which
should not be returned to the customer, and to dump out cheque book
and printed statement requests.
Hackers have found ways of getting more than their cash limit each
week. The ATMs belonging to one clearing bank could be 'cheated' in
this way: you asked for your maximum amount and then, when the
transaction was almost completed, the ATM asked you 'Do you want
another transaction, Yes/No?' If you responded 'yes' you could then
ask for--and get--your credit limit again, and again, and again. The
weakness in the system was that the magnetic stripe was not
overwritten to show you had had a transaction till it was physically
ejected from the machine. This bug has now been fixed.
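The weakness just described is a state-commit bug: the only record an off-line ATM has of the week's withdrawals is the stripe, and the stripe was written at the wrong moment. The following is an added simulation, not code from the book or from any bank's ATM software, that models both behaviours side by side. The card layout, the £100 limit used as a constant, the account name and the journal entries are constructed for the example; the `over_limit_accounts` check stands in for the kind of back-office reconciliation that would catch the excess once the ATM's journal was uploaded to the bank's main computer.

```python
"""Off-line ATM weekly-limit model: stripe rewritten on eject (vulnerable)
versus rewritten after every dispense (fixed).  Constructed example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WEEKLY_LIMIT = 100  # pounds; the usual weekly limit quoted in the text


@dataclass
class Card:
    """What the stripe carries for this model: the account identifier and
    the running total drawn this week (the real stripe layout is not
    modelled)."""
    account: str
    drawn_this_week: int = 0


class OfflineATM:
    """With commit_per_transaction=False the stripe is rewritten only when
    the card is ejected (the vulnerable behaviour); with True it is
    rewritten after every dispense (the fix)."""

    def __init__(self, commit_per_transaction: bool) -> None:
        self.commit_per_transaction = commit_per_transaction
        self.card: Optional[Card] = None
        self.session_drawn = 0          # what the ATM knows it has paid out
        self.dispensed: List[int] = []

    def insert(self, card: Card) -> None:
        self.card = card
        self.session_drawn = card.drawn_this_week
        self.dispensed = []

    def withdraw(self, amount: int) -> bool:
        """Dispense `amount` if the weekly limit allows; True if dispensed."""
        if self.card is None:
            raise RuntimeError("no card inserted")
        # The vulnerable firmware re-reads the stripe for its limit check,
        # and the stripe still shows the figure from before this session's
        # earlier dispenses.  The fixed firmware uses the running total.
        if self.commit_per_transaction:
            drawn = self.session_drawn
        else:
            drawn = self.card.drawn_this_week
        if amount <= 0 or drawn + amount > WEEKLY_LIMIT:
            return False
        self.dispensed.append(amount)
        self.session_drawn += amount
        if self.commit_per_transaction:
            self.card.drawn_this_week = self.session_drawn
        return True

    def eject(self) -> Card:
        """Write the session total to the stripe and return the card."""
        if self.card is None:
            raise RuntimeError("no card inserted")
        self.card.drawn_this_week = self.session_drawn
        card, self.card = self.card, None
        return card


def run_session(commit_per_transaction: bool,
                requests: List[int]) -> Tuple[List[int], int]:
    """Insert a fresh card, answer 'yes' to 'another transaction?' for each
    request, then eject.  Returns (amounts dispensed, figure left on the
    stripe afterwards)."""
    atm = OfflineATM(commit_per_transaction)
    atm.insert(Card("constructed-account"))
    for amount in requests:
        atm.withdraw(amount)
    card = atm.eject()
    return atm.dispensed, card.drawn_this_week


def over_limit_accounts(journal: List[Tuple[str, int]]) -> Dict[str, int]:
    """Reconciliation run when the ATM journal reaches the bank: accounts
    whose dispensed total for the week exceeds WEEKLY_LIMIT, with the
    excess.  This is how the bank still debits the account correctly even
    though the machine itself let the cash out."""
    totals: Dict[str, int] = {}
    for account, amount in journal:
        totals[account] = totals.get(account, 0) + amount
    return {a: t - WEEKLY_LIMIT for a, t in totals.items() if t > WEEKLY_LIMIT}


if __name__ == "__main__":
    print("eject-time commit:", run_session(False, [100, 100, 100]))
    print("per-dispense commit:", run_session(True, [100, 100, 100]))
```

Running the model with three requests for the full limit in one session shows the vulnerable firmware paying out three times and only then writing £300 to the stripe, while the fixed firmware pays once and refuses the rest; the reconciliation check flags the excess either way, which is why the accounts were still properly debited.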
A related but more bizarre bug resided for a while on the ATMs
used by that first bank's most obvious High Street rivals. In that
case, you had to first exhaust your week's limit. You then asked for
a further sum, say £75. The machine refused but asked if you wanted a
further transaction. Then, you slowly decremented the amounts you
were asking for by £5...70, 65, 60...and so on, down to £10. You then
told the ATM to cancel the last £5 transaction...and the machine gave
you the full £75. Some hackers firmly believe the bug was placed
there by the original software writer. This bug too has now been
fixed.
Neither of these quirks resulted in hackers 'winning' money from
the banks involved; the accounts were in every case, properly
debited. The only victory was to beat the system. For the future, I
note that the cost of magnetic stripe reader/writers which interface
to PCs is dropping to very low levels. I await the first inevitable
news reports.
Electronic Mail
Electronic mail services work by storing messages created by some
users until they are retrieved by their intended recipients.
The ingredients of a typical system are: registration/logging on
facilities, storage, search and retrieval, networking, timing and
billing. Electronic mail is an easy add-on to most mainframe
installations, but in recent years various organisations have sought
to market services to individuals, companies and industries where
electronic mail was the main purpose of the system, not an add-on.
The system software in widest use is that of ITI-Dialcom; it's the
one that runs Telecom Gold. Another successful package is that used
in the UK and USA by Easylink, which is supported by Cable & Wireless
and Western Union.
In the Dialcom/Telecom Gold service, the assumption is made that
most users will want to concentrate on a relatively narrow range of
correspondents. Accordingly, the way it is sold is as a series of
systems, each run by a 'manager': someone within a company. The
'manager' is the only person who has direct contact with the
electronic mail owner and he in turn is responsible for bringing
individual users on to his 'system' -- he can issue 'mailboxes'
direct, determine tariff levels, put up general messages. In most
other services, every user has a direct relationship with the
electronic mail company.
The services vary according to their tariff structures and levels;
and also in the additional facilities: some offer bi-directional
interfaces to telex; and some contain electronic magazines, a little
like videotex.
The basic systems tend to be quite robust and hacking is mainly
concentrated on second-guessing users' IDs. Many of the systems have
now sought to increase security by insisting on passwords of a
certain length--and by giving users only three or four attempts at
logging on before closing down the line. But increasingly their
customers are using PCs and special software to automate logging-in.
The software packages of course have the IDs nicely pre-stored....
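Dropping the line after three or four attempts limits what one call can do, but a caller who redials gets a fresh allowance, so a host that keeps no count across calls cannot tell ID-guessing from honest mistakes. The block below is an added illustration, not the Dialcom or Easylink login code, of a toy dial-up gate that enforces the two controls the text mentions (minimum password length, attempt cap per call) and adds a per-ID failure counter that survives the line drop. The lockout threshold, the ID `mgr01` and the passwords are constructed for the example; the real hosts' thresholds are not given on the page.

```python
"""Toy dial-up login gate: per-call attempt cap plus per-ID failure count
kept across calls.  Constructed example."""
import hmac
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

MIN_PASSWORD_LENGTH = 8   # the "passwords of a certain length" rule
ATTEMPTS_PER_CALL = 3     # tries before the host drops the line
LOCKOUT_THRESHOLD = 10    # failures across calls before an ID is locked (assumed)


class MailHost:
    """Login front end of an electronic-mail host, reduced to what matters
    for the attempt-limiting discussion."""

    def __init__(self) -> None:
        self._passwords: Dict[str, str] = {}     # plain text: toy only
        self.failures: Dict[str, int] = defaultdict(int)  # per ID, across calls
        self.locked: set = set()
        self.audit: List[Tuple[str, str]] = []   # (event, user id)

    def register(self, user_id: str, password: str) -> bool:
        """Issue a mailbox; refuse passwords shorter than the minimum."""
        if len(password) < MIN_PASSWORD_LENGTH:
            return False
        self._passwords[user_id] = password
        return True

    def call(self, tries: List[Tuple[str, str]]) -> Optional[str]:
        """One dial-up session.  `tries` are the (ID, password) pairs typed
        at the prompt.  Returns the ID logged in, or None when the line was
        dropped (cap reached, ID locked, or the caller gave up)."""
        for user_id, password in tries[:ATTEMPTS_PER_CALL]:
            if user_id in self.locked:
                self.audit.append(("attempt-on-locked-id", user_id))
                continue
            expected = self._passwords.get(user_id, "")
            # Constant-time compare; an unknown ID is charged a failure
            # just like a wrong password, so the counter also sees guessing
            # at IDs that do not exist.
            if expected and hmac.compare_digest(expected.encode(), password.encode()):
                self.failures[user_id] = 0
                self.audit.append(("login", user_id))
                return user_id
            self.failures[user_id] += 1
            self.audit.append(("failed", user_id))
            if self.failures[user_id] >= LOCKOUT_THRESHOLD:
                self.locked.add(user_id)
                self.audit.append(("locked", user_id))
        return None

    def ids_under_guessing(self, min_failures: int = ATTEMPTS_PER_CALL + 1) -> List[str]:
        """IDs whose failure count exceeds what a single call can produce:
        someone has been redialling against them."""
        return sorted(u for u, n in self.failures.items() if n >= min_failures)


if __name__ == "__main__":
    host = MailHost()
    host.register("mgr01", "correct-horse-battery")
    for _ in range(5):  # five redials, three wrong guesses each
        host.call([("mgr01", "guess1"), ("mgr01", "guess2"), ("mgr01", "guess3")])
    print(host.ids_under_guessing(), sorted(host.locked))
```

The per-ID counter cuts both ways: it is what lets the host notice redialling, but the same counter lets a stranger lock a mailbox they do not own by guessing at it, which is why the audit trail records both the lock and the later attempts on the locked ID rather than silently refusing them.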
Government computers
Among hackers themselves the richest source of fantasising
revolves around official computers like those used by the tax and
national insurance authorities, the police, armed forces and
intelligence agencies.
The Pentagon was hacked in 1983 by a 19-year-old Los Angeles
student, Ronald Austin. Because of the techniques he used, a full
account is given in the operating systems section of chapter 6. NASA,
the Space Agency, has also acknowledged that its e-mail system has
been breached and that messages and pictures of Kilroy were left as
graffiti.
This leaves only one outstanding mega-target, Platform, the global
data network of 52 separate systems focused on the headquarters of
the US's electronic spooks, the National Security Agency at Fort
Meade, Maryland. The network includes at least one Cray-1, the world's
most powerful number-cruncher, and facilities provided by GCHQ at
Cheltenham.