My Mitnick Story
Aug. 5th, 2011 03:47 pm

(true story follows, and yes, I was there, this is not a third-person
"friend of a friend" story. And yes, I have corroborating witnesses.)
(edit: this was not Mitnick's first exploit into DEC. He apparently also
got onto the RSTS/E dev system "Ark" in 1979, see the story in
http://passwordresearch.com/stories/story47.html for details. And yes,
I know the Anton of that story and he knows me, but this story is
entirely orthogonal to that story)
Back in the Old Days (summer of 1986, to be precise), I was a fledgling
programmer/hacker at DEC in Hudson, Massachusetts. DEC documentation
used the example name NODE for the name of a computer, and USER for the
name of a user (yes, all caps), and of course, USER had the password of
PASSWORD. So, the standard example email address was like this (note
that this was before Internet and so no "@" sign):
To: NODE::USER
... and a certain young engineer (NOT ME! But someone I worked with...
initials were /redacted/ and he rode a BMW motorcycle...) thought it would be
cool to have a DEC-internal machine named NODE, with a user named
USER, to see what email came in on it from the noobs who read the
documentation literally.
We saw some interesting stuff come in for NODE::USER. Trivia. Jokes.
The occasional lurid hookup booty-call. All good fun; we had a
DEC-internal mailing list you could subscribe to if you wanted to see
the traffic.
But- that meant that there was a user named USER, on node NODE. And
USER's account had to have a password. Which was, of course, PASSWORD,
just like the documentation used.
The owner of NODE did the "right things". Among them, it was a VMS
machine (i.e. quite good security at the time), USER didn't have any
privs at all, was in its own group, and besides, the machine was on the
internal network at DEC, where in theory at least everyone was trusted.
In theory at least....
When Mitnick (yeah, *that* Kevin Mitnick) broke into DEC ISTG and ZKO
the first time (this was summer of 1986, mind you, way way before
Shimomura et al), he did it by social-engineering (we think) a phone
number in the modem bank (remember modem banks?). That got him into
the LAT (the terminal server), with a social-engineered password.
From there, he tried NODE::USER, password PASSWORD, and sure enough, he
was in.
NODE's owner noticed something was up: there was activity when
there ought to be none. So we started watching, but we were slow off
the starting gate. It caused considerable consternation when this
unknown visitor continued to social-engineer out of NODE:: and up into ZKO.
In fact, we didn't even know his name; Mitnick wasn't famous then.
(It turns out that one person working in the group _did_ know him
socially, and that was the "social engineering entry point".)
We just referred to him as "Our Friend"; that was as good a codename
as any; we specifically avoided any online discussion of the goings-on
because we didn't know what Our Friend might be reading. Everything
was face-to-face communication or handwritten notes, kept in folders
in locked desk drawers, and shared only with those with a need to know.
We realized Our Friend was no ordinary "leave nothing but footprints, take
nothing but pictures" kind of tourist, and I built some special hardware
(thank you Radio Shack Marlboro for proto-board and the rack of cheap
chips on blue cards in the back of the store, and a certain state judge
for issuing a wiretap warrant!).
We didn't know how good Our Friend really was at hacking, and
that's why we built the special-purpose hardware - he *might* have already
compromised the LAT terminal server and thus we couldn't trust that,
we had to build something that was, from his end of the telephone wire,
undetectable.
From then on, we watched and logged every move Mitnick made. Fortunately,
his tradecraft was as bad as his social engineering was good (he
never even changed the modem line number he was dialing in on!).
We got the evidence.
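The two defensive observations above (a documentation-example account that should never see a login, and a visitor who keeps dialing in on the same modem line) amount to a small detection rule. This is an added illustration, not anything from the original post or from DEC; the log format below is constructed for the example and is not a real VMS audit format.

```python
import re
from collections import defaultdict

# Constructed sample records (not a real VMS audit format): each line is
# "<timestamp> <modem line> <node>::<user> <event>".
SAMPLE_LOG = """\
1986-07-14T02:13:05 LINE07 NODE::USER LOGIN
1986-07-14T02:41:50 LINE07 NODE::USER LOGOUT
1986-07-14T09:02:11 LINE03 ZKO::JSMITH LOGIN
1986-07-15T01:58:42 LINE07 NODE::USER LOGIN
1986-07-15T23:10:09 LINE07 NODE::USER LOGIN
"""

# The decoy: a documentation-example account that legitimately gets mail
# but should see no interactive logins at all.
DECOY_ACCOUNTS = {"NODE::USER"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+::\S+) (LOGIN|LOGOUT)$")


def parse(log_text):
    """Parse the constructed audit lines into dicts; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, modem_line, account, event = m.groups()
            records.append({"ts": ts, "line": modem_line,
                            "account": account, "event": event})
    return records


def decoy_logins(records):
    """Every LOGIN to a decoy account is an alert: there ought to be none."""
    return [r for r in records
            if r["event"] == "LOGIN" and r["account"] in DECOY_ACCOUNTS]


def decoy_logins_per_line(records):
    """Count decoy logins per modem line; the line that keeps recurring is the one to monitor."""
    counts = defaultdict(int)
    for r in decoy_logins(records):
        counts[r["line"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for alert in decoy_logins(recs):
        print(f"ALERT {alert['ts']} login to decoy {alert['account']} via {alert['line']}")
    print("decoy logins per modem line:", decoy_logins_per_line(recs))
```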
Mitnick went to jail for a year.
Clearly, that was not enough. His tradecraft improved slightly but his
sense of ethics remained as weak as ever.
He did mung on a few things, including some mission critical software.
His coding style wasn't great. But since we never could be sure he
didn't have another back door into the systems, we had to wait till
he got put in jail before we could start a full sweep of everything,
and then that's exactly what we did. Full examination of every line
of code; it took the group I was in basically 100 man-months to do.
Not cheap, but I take some comfort that he spent about the same number
of man-months in jail.
Anyway, I've not had any dealings with him since '86, and like it just
fine that way.
And THAT, children, is why you should be careful on the Internet...