Again the advantage to the hacker is obvious--a partly- known

telephone number can be located by writing some simple software

routine to test the variables.

 However, not all auto-dial facilities are equally useful. Some

included in US-originated communications software and terminal

emulators are for specific 'smart' modems not available

elsewhere--and there is no way of altering the software to work with

other equipment. In general, each modem that contains an auto-dialler

has its own way of requiring instructions to be sent to it. If an

auto-dialling facility is important to you, check that your software

is configurable to your choice of auto-dial modem.

 Another hazard is that certain auto-diallers only operate on the

multi-frequency tones method ('touch-tone') of dialling used in large

parts of the United States and only very slowly being introduced in

other countries. The system widely used in the UK is called 'pulse'

dialling. Touch-tone dialling is much more rapid than pulse dialling,

of course.

 Finally, on the subject of US-originated software, some packages

will only accept phone numbers in the standard North American format

of: 3-digit area code, 3-digit local code, 4-digit subscriber code.

In the UK and Europe the phone number formats vary quite
considerably. Make sure that any auto-dial facility you use actually

operates on your phone system.

Format Screen - Most professional on-line and time-share services

assume an 80-column screen. The 'format screen' option in terminal

emulators may allow you to change the regular text display on your

micro to show 80 characters across by means of a graphics 'fiddle';

alternatively, it may give you a more readable display of the stream

from the host by forcing line feeds at convenient intervals, just

before the stream reaches the right- hand margin of the micro's

'natural' screen width.

 Related to this are settings to handle the presentation of the

cursor and to determine cursor movement about the screen-- normally

you won't need to use these facilities, but they may help you when

on-line to some odd-ball, non-standard service. Certain specific

'dumb' terminals like the VT52 (which has become something of a

mainframe industry standard) use special sequences to move the cursor

about the screen--useful when the operator is filling in standard

forms of information.

 Other settings within this category may allow you to view

characters on your screen which are not part of the normal character

set. The early Apples, for example, lacked lower case, presenting

everything in capitals (as does the ZX81), so various ingenious

'fixes' were needed to cope. Even quite advanced home computers may

lack some of the full ASCII character set, such oddities as the tilde

~ or backslash \ or curly bracket { }, for example.

Re-assign - keyboard A related problem is that home micro keyboards

may not be able to generate all the required characters the remote

service wishes to see. The normal way to generate an ASCII character

not available from the keyboard is from Basic, by using a Print

CHR$(n) type command. This may not be possible when on-line to a

remote computer, where everything is needed in immediate mode. Hence

the requirement for a software facility to re-assign any little-used

key to send the desired 'missing' feature. Typical requirements are

BREAK~ ESC, RETURN (when part of a string as opposed to being the end

of a command) etc. When re-assigning a series of keys, you must make

sure you don't interfere with the essential functioning of the

terminal emulator.

 For example, if you designate the sequence ctrl-S to mean 'send a DC1

character to the host', the chances are you will stop the host from

sending anything to you, because ctrl-S is a common command (some-

times called XOF) to call for a pause--incidentally, you can end the

pause by hitting ctrl-Q. Appendix IV gives a list of the full ASCII

implementation and the usual 'special' codes as they apply to

computer-to-computer communications.

File Protocols - When computers are sending large files to each

other, a further layer of protocol, beyond that defining individual

letters, is necessary. For example, if your computer is automatically

saving to disk at regular intervals as the buffer fills up, it is

necessary to be able to tell the host to stop sending for a period,

until the save is complete. On older time-share services, where the

typical terminal is a teletypewriter, the terminal is in constant

danger of being unable mechanically to keep up with the host

computer's output. For this reason, many host computers use one of

two well-known protocols which require the regular exchange of

special control characters for host and user to tell each other all

is well. The two protocols are:

Stop/Start - The receiving computer can at any time send to the host

a Stop (ctrl-S) signal, followed by, when it is ready a Start,


EOB/ACK - The sending computer divides its file into a blocks (of any

convenient length); after each block is sent, an EOB (End of Block)

character is sent (see ASCII table, Appendix IV). The user's computer

must then respond with a ACK (Acknowledge) character.

 These protocols can be used individually, together or not at all.

You may be able to use the 'Show Control Codes' option to check

whether either of the protocols are in use. Alternatively, if you

have hooked on to a service which for no apparent reason, seems to

stop in its tracks, you could try ending an ACK or Start (ctrl-F or

ctrl-S) and see if you can get things moving.

File transmission - All terminal emulators assume you will want to

send, as well as receive, text files. Thus, in addition to the

protocol settings already mentioned, there may be additional ones for

that purpose, e.g. the XMODEM protocol very popular on bulletin

boards. Hackers, of course, usually don't want to place files on

remote computers.....

Specific terminal emulation - Some software has pre-formatted sets of

characteristics to mimic popular commercial 'dumb' terminals. For

example, with a ROM costing under £60 fitted to a BBC micro, you can

obtain almost all of the features of DEC's VT100 terminal, which

until recently was regarded as something of an industry-standard and

costing just under £1000.

 Other popular terminals are the VT52 and some Tektronix models, the

latter for graphics display. ANSI have produced a 'standard'


Baudot characters - The Baudot code, or International Telegraphic

Code No 2, is the 5-bit code used in telex and telegraphy -- and in

many wire-based news services. A few terminal emulators include it as

an option, and it is useful if you are attempting to hack such

services. Most software intended for use on radio link-ups (see

Chapter 10) operates primarily in Baudot, with ASCII as an option.

Viewdata emulation - This gives you the full, or almost full,

graphics and text characters of UK-standard viewdata. Viewdata tv

sets and adapters use a special character-generator chip and a few,

mostly British-manufactured, micros use that chip also-- the Acorn

Atom was one example. The BBC has a teletext mode which adopts the

same display. But for most micros, viewdata emulation is a matter of

using hi-res graphics to mimic the qualities of the real thing, or to

strip out most of the graphics. Viewdata works on a screen 40

characters by 24 rows, and as some popular home micros have 'native'

displays smaller than that, some considerable fiddling is necessary

to get them to handle viewdata at all.

 In some emulators, the option is referred to as Prestel or

Micronet--they are all the same thing. Micronet-type software usually

has additional facilities for fetching down telesoftware programs

(see Chapter 10).

 Viewdata emulators must attend not only to the graphics

presentation, but also to split-speed operation: the usual speeds are

1200 receive from host, 75 transmit to host. USA users of such

services may get them via a packet-switched network, in which case

they will receive it either at 1200/1200 full duplex or at 300/300.

 Integrated terminal emulators offering both 'ordinary'

asynchronous emulation and viewdata emulation are rare: I have to use

completely different and non-compatible bits of software on my own

home set-up.


 Every account of what a modem is and does begins with the classic

explanation of the derivation of the term: let this be no exception.
Modem is a contraction of modulator-demodulator.

 A modem taking instructions from a computer (pin 2 on RS232C)

converts the binary 0's and 1's into specific single tones, according

to which 'standard' is being used. In RS232C/V24, binary 0 (ON)

appears as positive volts and binary 1 (OFF) appears as negative


 The tones are then fed, either acoustically via the telephone

mouth-piece into the telephone line, or electrically, by generating

the electrical equivalent direct onto the line. This is the

modulating process.

 In the demodulating stage, the equipment sits on the phone line

listening for occurrences of pre-selected tones (again according to

whichever 'standard' is in operation) and, when it hears one,

delivers a binary 0 or binary 1 in the form of positive or negative

voltage pulses into pin 3 of the computer's serial port.

 This explanation holds true for modems operating at up to 1200

baud; above this speed, the modem must be able to originate tones,

and detect them according to phase as well, but since higher-speed

working is unusual in dial-up ports--the hacker's special interest,

we can leave this matter to one side.
 The modem is a relatively simple bit of kit: on the transmit side

it consists of a series of oscillators acting as tone generators, and

on receive has a series of narrow band-pass filters. Designers of

modems must ensure that unwanted tones do not leak into the telephone

line (exchanges and amplifiers used by telephone companies are

sometimes remotely controlled by the injection of specific tones) and

also that, on the receive side, only the distinct tones used for

communications are 'interpreted' into binary 0s or 1s. The other

engineering requirements are that unwanted electrical currents do not

wander down the telephone cable (to the possible risk of phone

company employees) or back into the user's computer.

 Until relatively recently, the only UK source of low-speed modems

was British Telecom. The situation is much easier now, but

de-regulation of 'telephone line attachments', which include modems,

is still so recent that the ordinary customer can easily become

confused. Moreover, modems offering exactly the same service can vary

in price by over 300%. Strictly speaking, all modems connected to

the phone line should be officially approved by BT or other

appropriate regulatory authority.

 At 300 baud, you have the option of using direct-connect modems

which are hard-wired into the telephone line, an easy enough

exercise, or using an acoustic coupler in which you place the

telephone hand-set. Acoustic couplers are inherently prone to

interference from room-noise, but are useful for quick lash-ups and

portable operation. Many acoustic couplers operate only in

'originate' mode, not in' answer'. Newer commercial direct- connect

modems are cheaper than acoustic couplers.

 At higher speeds acoustic coupling is not recommended, though a

75/1200 acoustic coupler produced in association with the Prestel

Micronet service is not too bad, and is now exchanged on the

second-hand market very cheaply indeed.

 I prefer modems that have proper status lights--power on, line

seized, transmit and receive indicators. Hackers need to know what is

going on more than most users.

 The table below shows all but two of the types of service you are

likely to come across; V-designators are the world-wide 'official'

names given by the CCITT; Bell-designators are the US names:

Service Speed Duplex Transmit Receive Answer

Designator 0 1 0 1

V21 orig 300(*) full 1180 980 1850 1650 -

V21 ans 300(*) full 1850 1650 1180 980 2100

V23 (1) 600 half 1700 1300 1700 1300 2100

V23 (2) 1200 f/h(**) 2100 1300 2100 1300 2100

V23 back 75 f/h(**) 450 390 450 390 -

Bell 103 orig 300(*) full 1070 1270 2025 2225 -

Bell 103 ans 300(*) full 2025 2225 1070 1270 2225

Bell 202 1200 half 2200 1200 2200 1200 2025

(*)any speed up to 300 baud, can also include 75 and 110 baud


(**)service can either be half-duplex at 1200 baud or asymmetrical

full duplex, with 75 baud originate and 1200 baud receive (commonly

used as viewdata user) or 1200 transmit and 75 receive (view data host)

The two exceptions are:

V22 1200 baud full duplex, two wire

Bell 212A The US equivalent

These services use phase modulation as well as tone.

 British Telecom markets the UK services under the name of

Datel--details are given in Appendix V.

 BT's methods of connecting modems to the line are either to

hard-wire the junction box (the two outer-wires are the ones you

usually need)--a 4-ring plug and associated socket (type 95A) for

most modems, a 5-ring plug and associated socket (type 96A) for

Prestel applications (note that the fifth ring isn't used)--and, for

all new equipment, a modular jack called type 600. The US also has a

modular jack, but of course it is not compatible.

 Modern modem design is greatly aided by a wonder chip called the

AMD 7910. This contains nearly all the facilities to modulate and

demodulate the tones associated with the popular speed services, both

in the CCITT and Bell standards. The only omission--not always made

clear in the advertisements--are services using 1200/1200

full-duplex, ie V22 and Bell 212A.

 Building a modem is now largely a question of adding a few

peripheral components, some switches and indicator lights, and a box.

In deciding which 'world standard' modem to purchase, hackers should

consider the following features:

Status lights you need to be able to see what is happening on the line.

Hardware/software switching - cheaper versions merely give you a

switch on the front enabling you to change speeds, originate or

answer mode and CClTT or Bell tones. More expensive ones feature

firmware which allows your computer to send specially formatted

instructions to change speed under program control. However, to make

full use of this facility, you may need to write (or modify) your

terminal emulator.

Auto-dial - a pulse dialler and associated firmware are included in

some more expensive models. You should ascertain whether the

auto-dialer operates on the telephone system you intend to hook the

modem up to--some of the US 'smart' modems present difficulties

outside the States. You will of course need software in your micro to

address the firmware in the modem --and the software has to be part

of your terminal emulator, otherwise you gain nothing in convenience.

However, with appropriate software, you can get your computer to try

a whole bank of numbers one after the other.

D25 connector - this is the official 'approved' RS232CN24 physical

connection--useful from the point-of-view of easy hook-up. A number

of lower-cost models substitute alternative DIN connectors. You must

be prepared to solder up your own cables to be sure of connecting up


 Documentation I always prefer items to be accompanied by proper

instructions. Since hackers tend to want to use equipment in

unorthodox ways, they should look for good documentation too.

Finally, a word on build-your-own modems. A number of popular

electronics magazines and mail-order houses have offered modem

designs. Such modems are not likely to be approved for direct

connection to the public telephone network. However, most of them

work. If you are uncertain of your kit-constructing skills, though.

remember badly-built modems can be dangerous both to your computer

and to the telephone network.

Test Equipment

 Various items of useful test equipment occasionally appear on the

second-hand market--via mail-order, in computer junk shops, in the

flea-market section of exhibitions and via computer clubs.

 It's worth searching out a cable 'break-out' box. This lets you

restrap a RS232C cable without using a soldering iron--the various

lines are brought out on to an accessible matrix and you use small

connectors to make (or break) the links you require. It's useful if

you have an 'unknown' modem, or an unusually configured computer.

 Related, but much more expensive, is a RS232C/V24 analyser --this

gives LED status lights for each of the important lines, so you can

see what is happening.

 Lastly, if you are a very rich and enthusiastic hacker, you can

buy a protocol analyser. This is usually a portable device with a

VDU, full keyboard, and some very clever firmware which examines the

telephone line or RS232C port and carries out tests to see which of

several popular datacomms protocols is in use. Hewlett Packard do a

nice range. Protocol analysers will handle synchronous transmissions

as well as synchronous. Cost: £1500 and up...and up.



 Wherever hackers gather, talk soon moves from past achievements

and adventures to speculation about what new territory might be

explored. It says much about the compartmentalisation of computer

specialities in general and the isolation of micro- owners from

mainstream activities in particular that a great deal of this

discussion is like that of navigators in the days before Columbus:

the charts are unreliable, full of blank spaces and confounded with


 In this chapter I am attempting to provide a series of notes on

the main types of services potentially available on dial-up, and to

give some idea of the sorts of protocols and conventions employed.

The idea is to give voyagers an outline atlas of what is interesting

and possible, and what is not.

On-line hosts

 On-line services were the first form of electronic publishing: a

series of big storage computers--and on occasion, associated

dedicated networks -- act as hosts to a group of individual databases

by providing not only mass data storage and the appropriate 'search

language' to access it, but also the means for registering, logging

and billing users. Typically, users access the on-line hosts via a

phone number which links into a a public data network using packet

switching (there's more on these networks in chapter 7).

 The on-line business began almost by accident; large corporations

and institutions involved in complicated technological developments

found that their libraries simply couldn't keep track of the

publication of relevant new scientific papers, and decided to

maintain indices of the papers by name, author, subject-matter, and

so on, on computer. One of the first of these was the armaments and

aircraft company, Lockheed Corporation.

 In time the scope of these indices expanded and developed and

outsiders -- sub-contractors, research agencies, universities,

government employees, etc were granted access. Other organisations

with similar information-handling requirements asked if space could

be found on the computer for their needs.

 Eventually Lockheed and others recognised the beginnings of a quite

separate business; in Lockheed's case it lead to the foundation of

Dialogue, which today acts as host and marketing agent for almost 300

separate databases. Other on-line hosts include BRS (Bibliographic

Retrieval Services), Comshare (used for sophisticated financial

modelling), DataStar, Blaise (British Library) I P Sharp, and


 On-line services, particularly the older ones, are not especially

user-friendly by modern standards. They were set up at a time when

both core and storage memory was expensive, and the search languages

tend to be abbreviated and formal. Typically they are used, not by

the eventual customer for the information, but by professional

intermediaries--librarians and the like-- who have undertaken special

courses. Originally on-line hosts were accessed by dumb terminals,

usually teletypewriters like the Texas Whisperwriter portable with

built-in acoustic modem, rather than by VDUs. Today the trend is to

use 'front-end' intelligent software on an IBM PC which allows the

naive user to pose his/her questions informally while offline; the

software then redefines the information request into the formal

language of the on-line host (the user does not witness this process)

and then goes on-line via an auto-dial modem to extract the

information as swiftly and efficiently as possible.

On-line services require the use of a whole series of passwords:

the usual NUI and NUA for PSS (see chapter 7), another to reach the

host, yet another for the specific information service required.

Charges are either for connect-time or per record retrieved, or

sometimes a combination.

The categories of on-line service include bibliographic, which

merely indexes the existence of an article or book--you must then

find a physical copy to read; and source, which contains the article

or extract thereof. Full-text services not only contain the complete

article or book but will, if required, search the entire text (as

opposed to mere keywords) to locate the desired information. An

example of this is LEXIS, a vast legal database which contains nearly

all important US and English law judgements, as well as statutes.

News Services

The vast majority of news services, even today, are not, in the

strictest sense, computer-based, although computers play an important

role in assembling the information and, depending on the nature of

the newspaper or radio or tv station receiving it, its subsequent


 The world's big press agencies--United Press, Associated Press,

Reuters, Agence France Presse, TASS, Xinhua, PAP, VoA -- use telex

techniques to broadcast their stories. Permanent leased telegraphy

lines exist between agencies and customers, and the technology is

pure telex: the 5-bit Baudot code (rather than ASCII) is adopted,

giving capital letters only, and 'mark' and space' are sent by

changing voltage conditions on the line rather than audio tones.

Speeds are 50 or 75 baud.

 The user cannot interrogate the agency in any way. The stories

come in a single stream which is collected on rolls of paper and then

used as per the contract between agency and subscriber. To hack a

news agency line you will need to get physically near the appropriate

leased line, tap in by means of an inductive loop, and convert the

changing voltage levels (+80 volts on the line) into something your

RS232C port can handle. You will then need software to translate the

Baudot code into the ASCII which your computer can handle internally,

and display on screen or print to a file. The Baudot code is given in

 None of this is easy and will probably involve breaches of several

laws, including theft of copyright material! However a number of news

agencies also transmit services by radio, in which case the signals

can be hijacked with a short-wave receiver. Chapter 9 explains.

 Historic news, as opposed to the current stuff from agencies, is

now becoming available on-line. The New York Times, for example, has

long held its stories in an electronic 'morgue' or clippings library.

Initially this was for internal use, but for the last several years

it has been sold to outsiders, chiefly broadcasting stations and

large corporations. You can search for information by a combination

of keyword and date-range. The New York Times Information Bank is

available through several on-line hosts.

 As the world's great newspapers increasingly move to electronic

means of production--journalists working at VDUs, sub-editors

assembling pages and direct-input into photo-typesetters--the

additional cost to each newspaper of creating its own morgue is

relatively slight and we can expect to see many more commercial


 In the meantime, other publishing organisations have sought to

make available articles, extract or complete, from leading magazines

also. Two UK examples are Finsbury Data Services' Textline and

Datasolve's d Reporter, the latter including material from the BBC's

monitoring service, Associated Press, the Economist and the Guardian.

Textline is an abstract service, but World Reporter gives the full

text. In October 1984 it already held 500 million English words.

 In the US there is NEXIS, which shares resources with LEXIS; NEXIS

held 16 million full text articles at that same date. All these

services are expensive for casual use and are accessed by dial-up

using ordinary asynchronous protocols.

 Many electronic newsrooms also have dial-in ports for reporters

out on the job; depending on the system these ports not only allow

the reporter to transmit his or her story from a portable computer,

but may also (like Basys Newsfury used by Channel Four News) let them

see news agency tapes, read headlines and send electronic mail. Such

systems have been the subject of considerable hacker speculation.

Financial Services

 The financial world can afford more computer aids than any other

non-governmental sector. The vast potential profits that can be made

by trading huge blocks of currency, securities or commodities--and

the extraordinary advantages that a slight 'edge' in information can

bring--have meant that the City, Wall Street and the equivalents in

Hong Kong, Japan and major European capitals have been in the

forefront of getting the most from high-speed comms.

 Ten years ago the sole form of instant financial information was

the ticker tape--telegraphy technology delivering the latest share

price movements in a highly abbreviated form. As with its news

equivalents, these were broadcast services (and still are, for the

services still exist) sent along leased telegraph lines. The user

could only watch, and 'interrogation' consisted of back-tracking

along a tape of paper. Extel (Exchange Telegraph) continues to use

this technique, though it is gradually upgrading by using viewdata

and intelligent terminals.

 However, just over ten years ago Reuters put together the first

packages which gave some intelligence and 'questioning power' to the

end user. Each Reuters' Monitor is intelligent, containing (usually)

a DEC PDP-8 series mini and some firmware which accepts and selects

the stream of data from the host at the far end of the leased line,

marshalls interrogation requests and takes care of the local display.

Information is formatted in 'pages' rather like viewdata frames, but

without the colour. There is little point in eavesdropping into a

Reuters line unless you know what the terminal firmware does. Reuters

now face an aggressive rival in Telerate, and the fight is on to

deliver not only fast comprehensive prices services but international

screen-based dealing as well. The growth of Reuters and its rivals is

an illustration of technology creating markets--especially in

international currency--where none existed before.

 The first sophisticated Stock Exchange prices 'screens' used

modified closed circuit television technology. London had a system

called Market Price Display Service--MPDS--which consisted of a

number of tv displays of current prices services on different

'channels' which could be selected by the user. But London now uses

TOPIC, a leased line variant on viewdata technology, though with its

magazine-like arrangement and auto-screen refresh, it has as much in

common with teletext as Prestel. TOPIC carries about 2,500 of the

total 7,500 shares traded in London, plus selected analytical

material from brokers. Datastream represents a much higher level of

sophistication: using its £40,000 plus pa terminals you can compare

historic data-- price movements, movements against sector indices

etc--and chart the results.

 The hacker's reward for getting into such systems is that you can

see share and other prices on the move. None of these prices is

confidential; all could be obtained by ringing a stockbroker.

However, this situation is likely to change; as the City makes the

change from the traditional broker/jobber method of dealing towards

specialist market making, there will then be electronic prices

services giving privileged information to specialist share dealers.

All these services are only available via leased lines; City

professionals would not tolerate the delays and uncertainties of

dial-up facilities. However dial-up ports exist for demonstrations,

exhibitions, engineering and as back-up--and a lot of hacking effort

has gone into tracking them down.

 In the United States, in addition to Reuters, Telerate and local

equivalents of official streams of stock exchange and over-the-

counter data, there is Dow Jones, best known internationally for its

market indices similar to those produced by the Financial Times in

London. Dow Jones is in fact the owner of the Wall Street Journal and

some influential business magazines. Its Dow Jones News/Retrieval

Service is aimed at businesses and private investors. It features

current share prices, deliberately delayed by 15 minutes, historic

price data, which can be charted by the user's own computer

(typically an Apple or IBM PC) and historic 'morgue' type company

news and analysis. Extensions of the service enable customers to

examine accounts of companies in which they are interested. The bulk

of the information is US-based, but can be obtained world-wide via

packet-switching networks. All you need are the passwords and special


Business Information

 Business information is usually about the credit-worthiness of

companies, company annual reports, trading opportunities and market

research. The biggest electronic credit data resource is owned by the

international company Dun & Bradstreet: during 1985-86 it is due to

spend £25m on making its data available all over Europe, including

the UK. The service, which covers more than 250,000 UK businesses, is

called DunsPrint and access is both on-line and via a viewdata

front-end processor. Another credit agency, CNN Services, extensively

used already by the big clearing banks, and with 3000 customers

accessing information via viewdata sets, has recently also announced

an extended electronic retrieval service for its own called Guardian

Business Information A third UK credit service available

electronically is called InfoLink.

  In addition, all UK companies quoted on the London Stock Exchange

and many others of any size who are not, have a report and analysis

available from ICC (InterCompany Comparisons) who can be accessed via

on--line dial--up, through a viewdata interface and also by

Datastream customers. Dun & Bradstreet also have an on--line service

called KBE covering 20,000 key British enterprises.

 Prodigious quantities of credit and background data on US

companies can be found on several of the major on--line hosts. A

valid phone number, passwords and extracts from the operations manual

of one of the largest US services, TRW--it has credit histories on 90

million people--sat on some hackers' bulletin boards (of which much

more later) for over twelve months during 1983 and 1984 before the

company found out. No one knows how many times hackers accessed the

service. According to the Washington Post, the password and manual

had been obtained from a Sears Roebuck national chain store in

Sacramento; some hackers claimed they were able to alter credit

records, but TRW maintain that telephone access to their systems is

designed for read-only operations alone, updating of files taking

place solely on magnetic tape.

US market research and risk analysis comes from Frost Sullivan.

Risk analysis tells international businessmen which countries are

politically or economically unstable, or likely t become so, and so

unsafe to do business with. I once found myself accessing a

viewdata-based international assessment service run b a company

called Control Risks, which reputedly has strong link to the Special

Air Service. As so often happens when hacker think they are about to

uncover secret knowledge, the actual data files seemed relatively

trivial, the sort of judgements that could be made by a bright sixth

former who read posh newspapers and thoughtful weekly magazines.

University facilities

 In complete contrast to computers that are used to store and

present data are those where the value is to deliver processing power

to the outside world. Paramount among these are those installed in

universities and research institutes.

 Although hackers frequently acquire phone numbers to enter such

machines, what you can do once you are there varies enormously. There

are usually tiers and banks of passwords, each allowing only limited

access to the range of services. It takes considerable knowledge of

the machine's operating system to break through from one to another

and indeed, in some cases, the operating system is so thoroughly

embedded in the mainframe's hardware architecture that the
substantial modifications necessary to permit a hacker to roam free

can only be done from a few designated terminals, or by having

physical access to the machine. However, the hobbyist bulletin board

system quite often provides passwords giving access to games and the

ability to write and run programs in exotic languages--my own first

hands--on experience of Unix came in exactly this way. There are

bulletin boards on mainframes and even, in some cases, boards for


 Given the nature of hacking, it is not surprising that some of the

earliest japes occurred on computers owned by universities. Way back

in the 1970s, MIT was the location of the famous 'Cookie Monster',

inspired by a character in the then-popular Rowan & Martin Laugh-in

television show. As someone worked away at their terminal, the word

'cookie' would appear across their screen, at first slowly wiping out

the user's work. Unless the user moved quickly, things started to

speed up and the machine would flash urgently: "Cookie, cookie, give

me a cookie". The whole screen would pulse with this message until,

after a while, the hacking program relented and the 'Monster' would

clear the screen, leaving the message: "I didn't want a cookie

anyway." It would then disappear into the computer until it snared

another unsuspecting user. You could save yourself from the Monster
by typing the word "Cookie", to which it replied "Thank you" and then


 In another US case, this time in 1980, two kids in Chicago,

calling themselves System Cruncher and Vladimir, entered the computer

at DePaul University and caused a system crash which cost $22,000 to

fix. They were prosecuted, given probation and were then made a movie


 In the UK, many important university and research institution

computers have been linked together on a special data network called

SERCNET. SERC is the Science and Engineering Research Council.

Although most of the computers are individually accessible via PSS,

SERCNET makes it possible to enter one computer and pass through to

others. During early 1984, SERCNET was the target of much hacker

attention; a fuller account appears in chapter 7, but to anticipate a

little, a local entry node was discovered via one of the London

University college computers with a demonstration facility which, if

asked nicely, disgorged an operating manual and list of 'addresses'.

One of the minor joys of this list was an entry labelled "Gateway to

the Universe", pure Hitch-hiker material, concealing an extensive

long-term multi-function communications project. Eventually some

hackers based at a home counties university managed to discover ways

of roaming free around the network....


 Prominent among public fantasies about hackers is the one where

banks are entered electronically, accounts examined and some money

moved from one to another. The fantasies, bolstered by

under-researched low-budget movies and tv features, arise from

confusing the details of several actual happenings.

 Most 'remote stealing' from banks or illicit obtaining of account

details touch computers only incidentally and involve straight-

forward fraud, conning or bribery of bank employees. In fact, when

you think about the effort involved, human methods would be much more

cost-effective for the criminal. For hackers, however, the very

considerable effort that has been made to provide security makes the

systems a great challenge in them- selves.

 In the United Kingdom, the banking scene is dominated by a handful

of large companies with many branches. Cheque clearing and account

maintenance are conducted under conditions of high security with

considerable isolation of key elements; inter-bank transactions in

the UK go through a scheme called CHAPS, Clearing House Automatic

Payments System, which uses the X.25 packet switching protocols (see

chapter 7). The network is based on Tandem machines; half of each

machine is common to the network and half unique to the bank. The

encryption standard used is the US Data Encryption Standard. Certain

parts of the network, relating to the en- and de-cryption of

messages, apparently auto-destruct if tampered with.

 The service started early in 1984. The international equivalent

is SWIFT (Society for Worldwide Interbank Financial Transactions);

this is also X.25- based and it handles about half-a-million messages

a day. If you want to learn someone's balance, the easiest and most

reliable way to obtain it is with a plausible call to the local

branch. If you want some easy money, steal a cheque book and cheque

card and practise signature imitation. Or, on a grander scale, follow

the example of the £780,000 kruggerand fraud in the City. Thieves

intercepted a telephone call from a solicitor or bank manager to

'authenticate' forged drafts; the gold coins were then delivered to a

bogus company.

 In the United States, where federal law limits the size of an

individual bank's operations and in international banking, direct

attacks on banks has been much easier because the technology adopted

is much cruder and more use is made of public phone and telex lines.
One of the favourite techniques has been to send fake authorisations

for money transfers. This was the approach used against the Security

National Pacific Bank by Stanley Rifkin and a Russian diamond dealer

in Geneva. $10.2m moved from bank to bank across the United States

and beyond. Rifkin obtained code numbers used in the bilateral Test

Keys. The trick is to spot weaknesses in the cryptographic systems

used in such authorisations. The specifications for the systems

themselves are openly published; one computer security expert, Leslie

Goldberg, was recently able to take apart one scheme--proposed but

not actually implemented--and show that much of the 'key' that was

supposed to give high level cryptographic security was technically

redundant, and could be virtually ignored. A surprisingly full

account of his 'perfect' fraud appears in a 1980 issue of the journal

Computer Fraud and Security Bulletin.

There are, however, a few areas where banking is becoming

vulnerable to the less mathematically literate hacker. A number of

international banks are offering their big corporation customers

special facilities so that their Treasury Departments (which ensure,

among other things, that any spare million dollars are not left doing

nothing over night but are earning short-term interest) can have

direct access to their account details via a PC on dial-up. Again,
telebanking is now available via Prestel and some of its overseas

imitators. Although such services use several layers of passwords to

validate transactions, if those passwords are mis-acquired, since no

signatures are involved, the bank account becomes vulnerable.

 Finally, the network of ATMs (hole-in-the-wall cash machines) is

expanding greatly. As mentioned early in this book, hackers have

identified a number of bugs in the machines. None of them,

incidentally, lead directly to fraud. These machines allow card-

holders to extract cash up to a finite limit each week (usually

£100). The magnetic stripe contains the account number, validation

details of the owner's PIN (Personal Identity Number), usually 4

digits, and a record of how much cash has been drawn that week. The

ATM is usually off-line to the bank's main computer and only goes

on-line in two circumstances--first, during business hours, to

respond to a customer's 'balance request'; and second, outside

regular hours, to take into local memory lists of invalid cards which

should not be returned to the customer, and to dump out cheque book

and printed statement requests.

 Hackers have found ways of getting more than their cash limit each

week. The ATMs belonging to one clearing bank could be 'cheated' in

this way: you asked for your maximum amount and then, when the
transaction was almost completed, the ATM asked you 'Do you want

another transaction, Yes/No?' If you responded 'yes' you could then

ask for--and get--your credit limit again, and again, and again. The

weakness in the system was that the magnetic stripe was not

overwritten to show you had had a transaction till it was physically

ejected from the machine. This bug has now been fixed.

 A related but more bizarre bug resided for a while on the ATMs

used by that first bank's most obvious High Street rivals. In that

case, you had to first exhaust your week's limit. You then asked for

a further sum, say £75. The machine refused but asked if you wanted a

further transaction. Then, you slowly decremented the amounts you

were asking for by £5...70, 65, 60...and so on, down to £10. You then

told the ATM to cancel the last £5 transaction...and the machine gave

you the full £75. Some hackers firmly believe the bug was placed

there by the original software writer. This bug too has now been


 Neither of these quirks resulted in hackers 'winning' money from

the banks involved; the accounts were in every case, properly

debited. The only victory was to beat the system. For the future, I

note that the cost of magnetic stripe reader/writers which interface

to PCs is dropping to very low levels. I await the first inevitable
news reports.

Electronic Mail

Electronic mail services work by storing messages created by some

users until they are retrieved by their intended recipients.

 The ingredients of a typical system are: registration/logging on

facilities, storage, search and retrieval, networking, timing and

billing. Electronic mail is an easy add-on to most mainframe

installations, but in recent years various organisations have sought

to market services to individuals, companies and industries where

electronic mail was the main purpose of the system, not an add-on.

 The system software in widest use is that of ITI-Dialcom; it's the

one that runs Telecom Gold. Another successful package is that used

in the UK and USA by Easylink, which is supported by Cable & Wireless

and Western Union.

 In the Dialcom/Telecom Gold service, the assumption is made that

most users will want to concentrate on a relatively narrow range of

correspondents. Accordingly, the way it is sold is as a series of

systems, each run by a 'manager': someone within a company. The

'manager' is the only person who has direct contact with the

electronic mail owner and he in turn is responsible for bringing
individual users on to his 'system' -- he can issue 'mailboxes'

direct, determine tariff levels, put up general messages. In most

other services, every user has a direct relationship with the

electronic mail company.

 The services vary according to their tariff structures and levels;

and also in the additional facilities: some offer bi-directional

interfaces to telex; and some contain electronic magazines, a little

like videotex.

 The basic systems tend to be quite robust and hacking is mainly

concentrated on second-guessing users IDs. Many of the systems have

now sought to increase security by insisting on passwords of a

certain length--and by giving users only three or four attempts at

logging on before closing down the line. But increasingly their

customers are using PCs and special software to automate logging-in.

The software packages of course have the IDs nicely pre-stored....

Government computers

 Among hackers themselves the richest source of fantasising

revolves around official computers like those used by the tax and

national insurance authorities, the police, armed forces and
intelligence agencies.

 The Pentagon was hacked in 1983 by a 19-year-old Los Angeles

student, Ronald Austin. Because of the techniques he used, a full

account is given in the operating systems section of chapter 6. NASA,

the Space Agency, has also acknowledged that its e-mail system has

been breached and that messages and pictures of Kilroy were left as


 This leaves only one outstanding mega-target, Platform, the global

data network of 52 separate systems focused on the headquarters of

the US's electronic spooks, the National Security Agency at Fort

Meade, Maryland. The network includes at least one Cray-1, the worlds

most powerful number-cruncher, and facilities provided by GCHQ at


دسته ها :
جمعه یازدهم 11 1387