THE HACKER'S HANDBOOK


Copyright (c) Hugo Cornwall

All rights reserved

First published in Great Britain in 1985 by Century Communications Ltd

Portland House, 12-13 Greek Street, London W1V 5LE.


Reprinted 1985 (four times)


ISBN 0 7126 0650 5



Printed and bound in Great Britain by Billing & Sons Limited, Worcester.

CONTENTS

Introduction
1 First Principles
2 Computer-to-computer communications
3 Hackers' Equipment
4 Targets: What you can find on mainframes
5 Hackers' Intelligence
6 Hackers' Techniques
7 Networks
8 Viewdata systems
9 Radio computer data
10 Hacking: the future

APPENDICES
I Troubleshooting
II Glossary
III CCITT and related standards
IV Standard computer alphabets
V Modems
VI Radio Spectrum
VII Port-finder flow chart


INTRODUCTION

 The word 'hacker' is used in two different but associated

ways: for some, a hacker is merely a computer enthusiast of any kind,

who loves working with the beasties for their own sake, as opposed to

operating them in order to enrich a company or research project --or

to play games.

 This book uses the word in a more restricted sense: hacking is a

recreational and educational sport. It consists of attempting to make

unauthorised entry into computers and to explore what is there. The

sport's aims and purposes have been widely misunderstood; most

hackers are not interested in perpetrating massive frauds, modifying

their personal banking, taxation and employee records, or inducing

one world super-power into inadvertently commencing Armageddon in the

mistaken belief that another super-power is about to attack it. Every

hacker I have ever come across has been quite clear about where the

fun lies: it is in developing an understanding of a system and

finally producing the skills and tools to defeat it. In the vast

majority of cases, the process of 'getting in' is much more

satisfying than what is discovered in the protected computer files.

  In this respect, the hacker is the direct descendant of the phone

phreaks of fifteen years ago. Phone phreaking became interesting as

intra-nation and international subscriber trunk dialling was

introduced, but when the London-based phreak finally chained his way

through to Hawaii, he usually had no one there to speak to except the

local weather service or American Express office, to confirm that the

desired target had indeed been hit. One of the earliest of the

present generation of hackers, Susan Headley, only 17 when she began

her exploits in California in 1977, chose as her target the local

phone company and, with the information extracted from her hacks, ran

all over the telephone network. She 'retired' four years later, when

friends started developing schemes to shut down part of the phone

system.

 There is also a strong affinity with program copy-protection

crunchers. Most commercial software for micros is sold in a form to

prevent obvious casual copying, say by loading a cassette, cartridge

or disk into memory and then executing a 'save' on to a

blank cassette or disk. Copy-protection devices vary greatly in

their methodology and sophistication and there are those who, without

any commercial motive, enjoy nothing so much as defeating them. Every

computer buff has met at least one cruncher with a vast store of

commercial programs, all of which have somehow had the protection

removed--and perhaps the main title subtly altered to show the

cruncher's technical skills--but which are then never actually used

at all.

 Perhaps I should tell you what you can reasonably expect from this

handbook. Hacking is an activity like few others: it is semi-legal,

seldom encouraged, and in its full extent so vast that no individual

or group, short of an organisation like GCHQ or NSA, could hope to

grasp a fraction of the possibilities. So this is not one of those

books with titles like Games Programming with the 6502 where, if the

book is any good and if you are any good, you will emerge with some

mastery of the subject-matter. The aim of this book is merely to give

you some grasp of methodology, help you develop the appropriate

attitudes and skills, provide essential background and some

referencing material--and point you in the right directions for more

knowledge. Up to a point, each chapter may be read by itself; I have

compiled extensive appendices, containing material which will be of

use long after the main body of the text has been absorbed.

 It is one of the characteristics of hacking anecdotes, like those

relating to espionage exploits, that almost no one closely involved

has much stake in the truth; victims want to describe damage as

minimal, and perpetrators like to paint themselves as heroes while

carefully disguising sources and methods. In addition, journalists

who cover such stories are not always sufficiently competent to write

accurately, or even to know when they are being hoodwinked. (A note

for journalists: any hacker who offers to break into a system on

demand is conning you--the most you can expect is a repeat

performance for your benefit of what a hacker has previously

succeeded in doing. Getting to the 'front page' of a service or

network need not imply that everything within that service can be

accessed. Being able to retrieve confidential information, perhaps

credit ratings, does not mean that the hacker would also be able to

alter that data. Remember the first rule of good reporting: be

sceptical.) So far as possible, I have tried to verify each story

that appears in these pages, but hackers work in isolated groups and

my sources on some of the important hacks of recent years are more

remote than I would have liked. In these

cases, my accounts are of events and methods which, in all the

circumstances, I believe are true. I welcome notes of correction.

 Experienced hackers may identify one or two curious gaps in the

range of coverage, or less than full explanations; you can choose any

combination of the following explanations without causing me any

worry: first, I may be ignorant and incompetent; second, much of the

fun of hacking is making your own discoveries and I wouldn't want to

spoil that; third, maybe there are a few areas which are really best

left alone.

 Nearly all of the material is applicable to readers in all

countries; however, the author is British and so are most of his

experiences.

 The pleasures of hacking are possible at almost any level of

computer competence beyond rank beginner and with quite minimal

equipment. It is quite difficult to describe the joy of using the

world's cheapest micro, some clever firmware, a home-brew acoustic

coupler and find that, courtesy of a friendly remote PDP11/70, you

can be playing with Unix, the fashionable multitasking operating

system.

 The assumptions I have made about you as a reader are that you own a

modest personal computer, a modem and some communications software

which you know, roughly, how to use. (If you are not confident yet,

practise logging on to a few hobbyist bulletin boards.) For more

advanced hacking, better equipment helps; but, just as very tasty

photographs can be taken with snap-shot cameras, the computer

equivalent of a Hasselblad with a trolley-load of accessories is not

essential.

 Since you may at this point be suspicious that I have vast

technical resources at my disposal, let me describe the kit that has

been used for most of my network adventures. At the centre is a

battered old Apple II+, its lid off most of the time to draw away the

heat from the many boards cramming the expansion slots. I use an

industry standard dot matrix printer, famous equally for the variety

of type founts possible, and for the paper-handling path, which

regularly skews off. I have two large boxes crammed full of software,

as I collect comms software in particular like a deranged

philatelist, but I use one package almost exclusively. As for

modems--well, at this point the set-up does become unconventional; by

the phone point are jack sockets for BT 95A, BT 96A, BT 600 and a

North American modular jack. I have two acoustic couplers, devices

for plunging telephone handsets into so that the computer can talk

down the line, at operating speeds of 300/300 and 75/1200. I also

have three heavy, mushroom coloured 'shoe-boxes', representing modem

technology of 4 or 5 years ago and operating at various speeds and

combinations of duplex/half-duplex. Whereas the acoustic coupler

connects my computer to the line by audio, the modem links up at the

electrical level and is more accurate and free from error. I have

access to other equipment in my work and through friends, but this is

what I use most of the time.

Behind me is my other important bit of kit: a filing cabinet.

Hacking is not an activity confined to sitting at keyboards and

watching screens. All good hackers retain formidable collections of

articles, promotional material and documentation; read on, and you

will see why.

 Finally, to those who would argue that a hacker's handbook must be

giving guidance to potential criminals, I have two things to say:

First, few people object to the sports of clay-pigeon shooting or

archery, although rifles, pistols and crossbows have no 'real'

purpose other than to kill things--and hackers have their own code of

responsibility, too. Second, real hacking is not as it is shown in

the movies and on tv, a situation which the publication of this book

may do something to correct. The sport of hacking itself may involve

breach of aspects of the law, notably theft of electricity, theft of

computer time and unlicensed usage of copyright material; every

hacker must decide individually each instance as it arises.

 Various people helped me on various aspects of this book; they must all remain unnamed--they know who they are and that they have my thanks.


CHAPTER 1

First Principles

   
 The first hack I ever did was executed at an exhibition stand run

by BT's then rather new Prestel service. Earlier, in an adjacent

conference hall, an enthusiastic speaker had demonstrated viewdata's

potential world-wide spread by logging on to Viditel, the

infant Dutch service. He had had, as so often happens in these

circumstances, difficulty in logging on first time. He was using one

of those sets that displays auto-dialled telephone numbers; that was

how I found the number to call. By the time he had finished his third

unsuccessful log-on attempt I (and presumably several others) had all

the pass numbers. While the BT staff were busy with other visitors to

their stand, I picked out for myself a relatively neglected viewdata

set. I knew that it was possible to by-pass the auto-dialler with its

pre-programmed phone numbers in this particular model, simply by

picking up the phone adjacent to it, dialling my preferred

number, waiting for the whistle, and then hitting the keyboard button

labelled 'viewdata'. I dialled Holland, performed my little by-pass

trick and watched Viditel write itself on the screen. The pass

numbers were accepted first time and, courtesy of...no, I'll spare

them embarrassment...I had only lack of fluency in Dutch to restrain

my explorations. Fortunately, the first BT executive to spot what I

had done was amused as well.

 Most hackers seem to have started in a similar way. Essentially

you rely on the foolishness and inadequate sense of security of

computer salesmen, operators, programmers and designers.

 In the introduction to this book I described hacking as a sport;

and like most sports, it is both relatively pointless and filled with

rules, written or otherwise, which have to be obeyed if there is to

be any meaningfulness to it. Just as rugby football is not only about

forcing a ball down one end of a field, so hacking is not just about

using any means to secure access to a computer.

 On this basis, opening private correspondence to secure a password

on a public access service like Prestel and then running around the

system building up someone's bill, is not what hackers call hacking.

The critical element must be the use of skill in some shape or form.

 Hacking is not a new pursuit. It started in the early 1960s when

the first "serious" time-share computers began to appear at

university sites. Very early on, 'unofficial' areas of the memory

started to appear, first as mere notice boards and scratch pads for

private programming experiments, then, as locations for games.

(Where, and how do you think the early Space Invaders, Lunar Landers

and Adventure Games were created?) Perhaps tech-hacking--the

mischievous manipulation of technology--goes back even further. One

of the old favourites of US campus life was to rewire the control

panels of elevators (lifts) in high-rise buildings, so that a request

for the third floor resulted in the occupants being whizzed to the

twenty-third.

 Towards the end of the 60s, when the first experimental networks

arrived on the scene (particularly when the legendary

ARPAnet--Advanced Research Projects Agency network--opened up), the

computer hackers skipped out of their own local computers, along the

packet-switched high grade communications lines, and into the other

machines on the net. But all these hackers were privileged

individuals. They were at a university or research resource, and they

were able to borrow terminals to work with.

 What has changed now, of course, is the wide availability of home

computers and the modems to go with them, the growth of public-access

networking of computers, and the enormous quantity and variety of

computers that can be accessed.

 Hackers vary considerably in their native computer skills; a basic

knowledge of how data is held on computers and can be transferred

from one to another is essential. Determination, alertness,

opportunism, the ability to analyse and synthesise, the collection of

relevant helpful data and luck--the pre-requisites of any

intelligence officer--are all equally important. If you can write

quick effective programs in either a high level language or machine

code, well, it helps. A knowledge of on-line query procedures is

helpful, and the ability to work in one or more popular mainframe and

mini operating systems could put you in the big league.

 The materials and information you need to hack are all around

you--only they are seldom marked as such. Remember that a large

proportion of what is passed off as 'secret intelligence' is openly

available, if only you know where to look and how to appreciate what

you find. At one time or another, hacking will test everything you

know about computers and communications. You will discover your

abilities increase in fits and starts, and you must

be prepared for long periods when nothing new appears to happen.

 Popular films and tv series have built up a mythology of what

hackers can do and with what degree of ease. My personal delight in

such Dream Factory output is in compiling a list of all the mistakes

in each episode. Anyone who has ever tried to move a graphics game

from one micro to an almost-similar competitor will already know that

the chances of getting a home micro to display the North Atlantic

Strategic Situation as it would be viewed from the President's

Command Post would be slim even if appropriate telephone numbers and

passwords were available. Less immediately obvious is the fact that

most home micros talk to the outside world through limited but

convenient asynchronous protocols, effectively denying direct access

to the mainframe products of the world's undisputed leading computer

manufacturer, which favours synchronous protocols. And home micro

displays are memory-mapped, not vector-traced... Nevertheless, it is

astonishingly easy to get remarkable results. And thanks to the

protocol transformation facilities of PADs in PSS networks (of which

much more later), you can get into large IBM devices....

 The cheapest hacking kit I have ever used consisted of a ZX81, 16K

RAMpack, a clever firmware accessory and an acoustic coupler. Total

cost, just over £100. The ZX81's touch-membrane keyboard was one

liability; another was the uncertainty of the various connectors.

Much of the cleverness of the firmware was devoted to overcoming the

native drawbacks of the ZX81's inner configuration--the fact that it

didn't readily send and receive characters in the industry-standard

ASCII code, and that the output port was designed more for instant

access to the Z80's main logic rather than to use industry-standard

serial port protocols and to rectify the limited screen display.

 Yet this kit was capable of adjusting to most bulletin boards;

could get into most dial-up 300/300 asynchronous ports,

re-configuring for word-length and parity if needed; could have

accessed a PSS PAD and hence got into a huge range of computers not

normally available to micro-owners; and, with another modem, could

have got into viewdata services. You could print out pages on the ZX

'tin-foil' printer. The disadvantages of this kit were all in

convenience, not in facilities. Chapter 3 describes the sort of kit

most hackers use.

 It is even possible to hack with no equipment at all. All major

banks now have a network of 'hole in the wall' cash machines--ATMs

or Automated Teller Machines, as they are officially

known. Major building societies have their own network. These

machines have had faults in software design, and the hackers who

played around with them used no more equipment than their fingers and

brains. More about this later.

 Though I have no intention of writing at length about hacking

etiquette, it is worth one paragraph: lovers of fresh-air walks obey

the Country Code; they close gates behind them, and avoid damage to

crops and livestock. Something very similar ought to guide your

rambles into other people's computers: don't manipulate files unless

you are sure a back-up exists; don't crash operating systems; don't

lock legitimate users out from access; watch who you give information

to; if you really discover something confidential, keep it to

yourself. Hackers should not be interested in fraud. Finally, just

as any rambler who ventured past barbed wire and notices warning

about the Official Secrets Acts would deserve whatever happened

thereafter, there are a few hacking projects which should never be

attempted.

 On the converse side, I and many hackers I know are convinced of one

thing: we receive more than a little help from the system managers of

the computers we attack. In the case of computers owned by

universities and polys, there is little doubt that a number of them

are viewed like academic libraries--strictly speaking they are for

the student population, but if an outsider seriously thirsty for

knowledge shows up, they aren't turned away. As for other computers,

a number of us are almost sure we have been used as a cheap means to

test a system's defences...someone releases a phone number and

low-level password to hackers (there are plenty of ways) and watches

what happens over the next few weeks while the computer files

themselves are empty of sensitive data. Then, when the results have

been noted, the phone numbers and passwords are changed, the security

improved etc etc....much easier on dp budgets than employing

programmers at £150/man/day or more. Certainly the Pentagon has been

known to form 'Tiger Units' of US Army computer specialists to

pin-point weaknesses in systems security.

 Two spectacular hacks of recent years have captured the public

imagination: the first, the Great Prince Philip Prestel Hack, is

described in detail in chapter 8, which deals with viewdata. The

second was spectacular because it was carried out on live national

television. It occurred on October 2nd 1983 during a follow-up to the

BBC's successful Computer Literacy series. It's worth reporting here,

because it neatly illustrates the essence of hacking as a sport...

skill with systems, careful research, maximum impact with minimum real 

harm, and humour.

 The tv presenter, John Coll, was trying to show off the Telecom

Gold electronic mail service. Coll had hitherto never liked long

passwords and, in the context of the tight timing and pressures of

live tv, a two letter password seemed a good idea at the time. On

Telecom Gold, it is only the password that is truly confidential;

system and account numbers, as well as phone numbers to log on to the

system, are easily obtainable. The BBC's account number, extensively

publicised, was OWL001, the owl being the 'logo' for the tv series as

well as the BBC computer.

 The hacker, who appeared on a subsequent programme as a 'former

hacker' and who talked about his activities in general, but did not

openly acknowledge his responsibility for the BBC act, managed to

seize control of Coll's mailbox and superimpose a message of his own:

Computer Security Error. Illegal access. I hope your television

PROGRAMME runs as smoothly as my PROGRAM worked out your 

passwords!

Nothing is secure!

Hackers' Song

"Put another password in,

Bomb it out and try again

Try to get past logging in,

We're hacking, hacking, hacking


Try his first wife's maiden name,

This is more than just a game,

It's real fun, but just the same,

It's hacking, hacking, hacking"



The Nutcracker (Hackers UK)



HI THERE, OWLETS, FROM OZ AND YUG

(OLIVER AND GUY)

 After the hack a number of stories about how it had been carried

out, and by whom, circulated; it was suggested that the hackers had

crashed through to the operating system of the Prime computers upon

which the Dialcom electronic mail software

resided--it was also suggested that the BBC had arranged the whole

thing as a stunt, or alternatively, that some BBC employees had fixed

it up without telling their colleagues. Getting to the truth of a

legend in such cases is almost always impossible. No one involved has

a stake in the truth. British Telecom, with a strong commitment to

get Gold accepted in the business community, was anxious to suggest

that only the dirtiest of dirty tricks could remove the inherent

confidentiality of their electronic mail service. Naturally, the

British Broadcasting Corporation rejected any possibility that it

would connive in an irresponsible cheap stunt. But the hacker had no

great stake in the truth either--he had sources and contacts to

protect, and his image in the hacker community to bolster. Never

expect any hacking anecdote to be completely truthful.


CHAPTER 2

Computer-to-Computer Communications


 Services intended for access by microcomputers are nowadays

usually presented in a very user-friendly fashion: pop in your

software disc or firmware, check the connections, dial the telephone

number, listen for the tone...and there you are. Hackers, interested

in venturing where they are not invited, enjoy no such luxury. They

may want to access older services which preceded the modern 'human

interface'; they are very likely to travel along paths intended, not for ordinary 

customers, but for engineers or salesmen; they could be utilising facilities that 

were part of a computer's commissioning process and have been hardly used 

since.

 So the hacker needs a greater knowledge of datacomms technology than

does a more passive computer user, and some feeling for the history of the 

technology is pretty essential, because of its growth pattern and because of the 

fact that many interesting installations still use yesterday's solutions.

 Getting one computer to talk to another some distance away means

accepting a number of limiting factors:

- Although computers can send out several bits of information at once, the ribbon cable necessary to do this is not economical at any great length, particularly if the information is to be sent out over a network--each wire in the ribbon would need switching separately, thus making exchanges prohibitively expensive. So bits must be transmitted one at a time, or serially.

- Since you will be using, in the first instance, wires and networks already installed--in the form of the telephone and telex networks--you must accept that the limited bandwidth of these facilities will restrict the rate at which data can be sent. The data will pass through long lengths of wire, frequently being re-amplified, and undergoing degradation as it passes through dirty switches and relays in a multiplicity of exchanges.

- Data must be easily capable of accurate recovery at the far end.

- Sending and receiving computers must be synchronised in their working.

- The mode in which data is transmitted must be one understood by all computers; accepting a standard protocol may mean adopting the speed and efficiency of the slowest.

- The present 'universal' standard for data transmission used by microcomputers and many other services uses agreed tones to signify binary 0 and binary 1, the ASCII character set (also known as International Alphabet No 5), and an asynchronous protocol, whereby the transmitting and receiving computers are locked in step every time a character is sent, not just at the beginning of a transmission stream. Like nearly all standards, it is highly arbitrary in its decisions and derives its importance simply from the fact of being generally accepted. Like many standards, too, there are a number of subtle and important variations.

 To see how the standard works, how it came about and the reasons

for the variations, we need to look back a little into history.


The Growth of Telegraphy


 The essential techniques of sending data along wires have a history

of 150 years, and some of the common terminology of modern data

transmission goes right back to the first experiments.

 The earliest form of telegraphy, itself the earliest form of

electrical message sending, used the remote actuation of electrical

relays to leave marks on a strip of paper. The letters of the

alphabet were defined by the patterns of 'mark' and 'space'. The terms have come through to the present, to signify binary

conditions of '1' and '0' respectively. The first reliable machine

for sending letters and figures by this method dates from 1840; the

direct successor of that machine, using remarkably unchanged

electromechanical technology and a 5-bit alphabetic code, is still

widely used today, as the telex/teleprinter/teletype. On punched paper-tape, mark is a hole and space is the absence of one (the smaller holes running down the tape are sprocket feed holes, not data). Synchronisation between sending and

receiving stations is carried out by beginning each letter with a

'start' bit (a space) and concluding it with a 'stop' bit (mark). The

'idle' state of a circuit is thus 'mark'. In effect, therefore, each

letter requires the transmission of 7 bits:


. * * . . . * (letter A: . = space; * = mark)


of which the first . is the start bit, the last * is the stop bit and


* * . . . is the code for A.
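The framing just described, as an added example that is not part of the book: an asynchronous serial framer and receiver in Python. The data word is an integer of configurable length, so the same code produces the seven-bit telegraph frame for A shown above (start bit, five data bits, stop bit) and the seven-data-bit-plus-parity ASCII frames of the dial-up ports mentioned in chapter 1. The receiver reports the two failures a practitioner watches for on a dirty line: a parity error when a data bit has been flipped, and a framing error when the stop bit is not mark, which means sender and receiver have lost step. The sample text, the injected noise and all function names are constructed for this example.

```python
"""Asynchronous (start/stop) serial framing, as the text describes it.

Added example for this page, not code from the book. The idle line is
mark (1); every character opens with a start bit (space, 0), then the
data bits least-significant first, an optional parity bit, and one or
more stop bits (mark). Word length, parity and stop bits are assumed
settings, as a hacker would configure them on a comms package.
"""

from typing import List, Optional, Tuple

MARK, SPACE = 1, 0


def parity_bit(data: List[int], parity: str) -> int:
    """The extra bit that makes the count of ones (data + parity) even or odd."""
    ones = sum(data) & 1
    if parity == "even":
        return ones          # a 1 only if the data already holds an odd number
    if parity == "odd":
        return 1 - ones
    raise ValueError(f"unknown parity {parity!r}")


def frame_char(code: int, data_bits: int = 8, parity: Optional[str] = None,
               stop_bits: int = 1) -> List[int]:
    """Line-level bits for one character: start, data (LSB first), parity, stop."""
    if not 0 <= code < (1 << data_bits):
        raise ValueError(f"{code} does not fit in {data_bits} bits")
    data = [(code >> i) & 1 for i in range(data_bits)]
    bits = [SPACE] + data
    if parity:
        bits.append(parity_bit(data, parity))
    return bits + [MARK] * stop_bits


def frame_text(text: str, idle: int = 2, **cfg) -> List[int]:
    """A whole transmission: idle marks, each character's frame, idle marks."""
    line = [MARK] * idle
    for ch in text:
        line += frame_char(ord(ch), **cfg)
    return line + [MARK] * idle


def deframe(line: List[int], data_bits: int = 8, parity: Optional[str] = None,
            stop_bits: int = 1) -> List[Tuple[str, Optional[int]]]:
    """Receiver side: wait in idle for a start bit, then clock in one frame.

    Returns ('ok', code), ('parity_error', code) or ('framing_error', code)
    per frame. A stop bit that is not mark means the receiver is out of step
    with the sender (wrong speed, wrong word length, or a damaged frame).
    """
    out: List[Tuple[str, Optional[int]]] = []
    frame_len = 1 + data_bits + (1 if parity else 0) + stop_bits
    i = 0
    while i < len(line):
        if line[i] == MARK:            # idle line, keep waiting
            i += 1
            continue
        if i + frame_len > len(line):  # line went dead mid-character
            out.append(("truncated", None))
            break
        data = line[i + 1:i + 1 + data_bits]
        code = sum(b << k for k, b in enumerate(data))
        pos = i + 1 + data_bits
        status = "ok"
        if parity:
            if line[pos] != parity_bit(data, parity):
                status = "parity_error"
            pos += 1
        if any(b != MARK for b in line[pos:pos + stop_bits]):
            out.append(("framing_error", code))
            # Resynchronise as a UART does: wait for the line to return to
            # mark before hunting for the next start bit.
            i = pos
            while i < len(line) and line[i] != MARK:
                i += 1
            continue
        out.append((status, code))
        i = pos + stop_bits
    return out


def decode_text(line: List[int], **cfg) -> str:
    """Characters that arrived intact under the given settings."""
    return "".join(chr(c) for s, c in deframe(line, **cfg) if s == "ok")


def demo() -> dict:
    cfg = dict(data_bits=7, parity="even", stop_bits=1)   # '7E1', common on dial-up ports
    flen = 1 + 7 + 1 + 1
    line = frame_text("HELLO", **cfg)                      # constructed sample
    noisy = list(line)
    noisy[2 + flen + 1] ^= 1                               # flip 1st data bit of 'E'
    broken = list(line)
    broken[2 + 4 * flen + flen - 1] = SPACE                # clobber stop bit of 'O'
    return {
        "telegraph_a": frame_char(3, data_bits=5),         # the page's . * * . . . *
        "clean": decode_text(line, **cfg),
        "parity": deframe(noisy, **cfg),
        "framing": deframe(broken, **cfg),
        # Same bits read with the wrong word length (8N1): garbage, not HELLO.
        "misread": decode_text(line, data_bits=8, parity=None, stop_bits=1),
    }


if __name__ == "__main__":
    print(demo())
```

The `misread` entry is the point of the chapter-1 remark about re-configuring for word length and parity: the bits on the line are the same, but a receiver clocking eight data bits out of a 7E1 stream swallows the parity bit as data and reads the wrong characters. A single parity bit catches any odd number of flipped bits in a frame; two flips in one character pass unnoticed, which is why the later chapters' block protocols add a checksum on top.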


 This is the principal means for sending text messages around the

world, and the way in which news reports are distributed globally.

And, until third-world countries are rich enough to afford more

advanced devices, the technology will survive.


Early computer communications


 When, 110 years after the first such machines came on line, the

need arose to address computers remotely, telegraphy was the obvious

way to do so. No one expected computers in the early 1950s to give

instant results; jobs were assembled in batches, often fed in by

means of paper-tape (another borrowing from telex, still in use) and

then run. The instant calculation and collation of data was then

considered quite miraculous. So the first use of data communications

was almost exclusively to ensure that the machine was fed with

up-to-date information, not for the machine to send the results out

to those who might want it; they could wait for the 'print-out' in

due course, borne to them with considerable solemnity by the computer

experts. Typical communications speeds were 50 or 75 baud. (The baud is the measure of signalling rate: specifically, the number of signal elements, or symbols, sent per second. It equals bits-per-second only when each symbol carries a single bit, as with the simple two-tone signalling of a 300 baud modem; faster modems pack several bits into each symbol, so their bit rate exceeds their baud rate.)

 These early computers were, of course, in today's jargon,

single-user/single-task; programs were fed by direct machine coding.

Gradually, over the next 15 years, computers spawned multi-user

capabilities by means of time-sharing techniques, and their human

interface became more 'user-friendly'.

 With these facilities grew the demand for remote access to

computers, and modern data communications began.

 Even at the very end of the 1960s when I had my own very first

encounter with a computer, the links with telegraphy were still

obvious. As a result of happenstance, I was in a Government-run

research facility to the south-west of London, and the program I was

to use was located on a computer just to the north of Central London;

I was sat down in front of a battered teletype--capitals and figures

only, and requiring not inconsiderable physical force from my

smallish fingers to actuate the keys of my choice. As it was a

teletype outputting on to a paper roll, mistakes could not as readily

be erased as on a VDU, and since the sole form of error reporting

consisted of a solitary ?, the episode was more frustrating than

thrilling. VDUs and good keyboards were then far too expensive for

'ordinary' use.

