💾 Archived View for gemini.spam.works › mirrors › textfiles › politics › hacking.txt captured on 2020-10-31 at 15:08:57.

View Raw

More Information

-=-=-=-=-=-=-

Mail-From: ARPAnet host SRI-CSL rcvd at Wed Sep 28 15:58-PDT
Date: 26 Sep 1983 20:08-PDT
Sender: GEOFF@SRI-CSL
Subject: Telecommunications Security and Privacy.
From: the tty of Geoffrey S. Goodfellow
Reply-To: Geoff@SRI-CSL
To: Human-nets:, 
To: Telecom:, 
To: Security-Forum:, 
To: Info-Micro:
Cc: csl:, 
Cc: others:
Message-ID: <[SRI-CSL]26-Sep-83 20:08:20.GEOFF>
Redistributed-To: dist:
Redistributed-By: GEOFF at SRI-CSL
Redistributed-Date: 28 Sep 1983

On  Monday,  September  26th,  I  appeared  before  and  presented  invited 
testimony   at   the  U.S.    House  of  Representatives  Subcommittee   on 
Transportation, Aviation and Materials on the subject of Telecommunications 
Security and Privacy.

Due to the activities of the Milwaukee 414s and the subsequent hoopla  that 
has  been generated in the media,  HACKING has been getting a bad name.   I 
therefore  decided to address my testimony to the TRUE nature  of  computer 
hackers and hacking (in an attempt to put the entire situation in some type 
of  perspective).   I  also addressed what can and should be done  to  help 
abate the 'unsavory' hacking problem.  And lastly, how low tech the current 
hackings have been and what we might be seeing more of in the future.

I'm  told  the  hearings went out live over CNN -- there were at  least  16 
video  cameras  that I could count and the rest of the room was  jammed  to 
standing room only with reporters and other media.

Individuals who presented testimony were: Neal Patrick (of the 414s); Jimmy 
McClary (Los Alamos Division leader for Security);  Donn Parker and  myself 
(from SRI); and Steve Walker (formerly of DARPA/Pentagon).

Those interested in what I had to say about hacking and such are invited to 
FTP  a copy of my prepared testimony from [SRI-CSL]<GEOFF>HOUSE.DOC;  There 
is  also  a .LPT version with line-printer overstriking,  should  you  want 
that.   If you cannot FTP a copy for whatever reason,  I'll be able to send 
one by netmail if you mail a request to Geoff@SRI-CSL.

Geoff 
...............................................................................
...............................................................................




                      TESTIMONY BY GEOFFREY S. GOODFELLOW

       Before  the Subcommittee on Transportation,  Aviation and  Materials          
on the subject of Telecommunications Security and Privacy.

                               26 September 1983



1. Introduction

My   name  is  Geoffrey  S.  Goodfellow.   I am primarily employed  by  the 
Computer Science Laboratory at SRI International,  Menlo Park,  California.  
For  the  past 10  years  at SRI,  I have been involved in research efforts 
related  with packet switched  computer  network   communication   systems,  
protocols   and   security technologies.     I  have also been involved  in 
various  operating  and sub-system  development  projects.   Currently,  my 
responsibilities  include  a  position  as Principle  Investigator of SRI's 
involvement  in  a  Department of Defense program aimed at  developing  and  
proving  secure  computer  systems,   that  operate  at different  security  
levels  and communicate via networks.   A detailed biography of  my  career  
from    7th   grade   school   where   I   discovered   computers    (which 
eventually   lead   to  my permanent abandonment of the formal  educational 
system  during  high  school) to how I got to where I  am  today  with   no  
degrees   or  any type of equivalency to my name is included at the end  of 
my testimony.

I   am  a  coauthor of the Hacker's Dictionary -- A Guide to the  World  of 
Computer Wizards, a new book being published this fall.

THE  STATEMENTS  INCLUDED  HEREIN ARE MY OWN   AND   DO   NOT   NECESSARILY  
REPRESENT THOSE OF SRI INTERNATIONAL OR ANY CLIENTS OF SRI.

2. The Nature of Computer Hackers and Hacking.

The primary nature of a computer hacker can be defined as follows:

   - A   person  who  enjoys  learning  or  knowing the details of computer 
     systems and how to stretch their capabilities,   as  opposed  to  most 
     users  of  computers,   who  prefer  to learn or know only the minimum 
     amount necessary in order to get their job done.

   - One who programs computers enthusiastically,  for the sheer fun of it, 
     and gets a non professional amount of enjoyment out of using them.

   - A person capable of appreciating the irony  and  beauty  (i.e.   `hack 
     value') of a program.

   - A  person  who  is  good  at programming quickly or is an expert on  a 
     particular program.   (This definition and  the  proceeding  ones  are 
     correlated, and people who fit them congregate).

Unfortunately, though, hacking has an unsavory faction to it:

   - A  malicious  or  inquisitive  meddler  (i.e.  `poacher') who tries to 
     discover information by poking around.     For  example,  a  "password 
     hacker"  is one who tries,  possibly by deceptive or illegal means, to 
     discover other people's computer passwords.   A  "network  hacker"  is 
     one   who  tries to learn about the computer network (possibly because 
     he wants to interfere--one can tell the difference only  by   context, 
     tone of voice and manner of approach).

Hackers   of   all  factions,   whether benign or of the  unsavory  flavor, 
consider themselves somewhat of an elite, though one to which  new  members  
are   gladly  welcome.     Hacking  is  meritocracy   based   on   ability.    
There  is  a certain self-satisfaction in identifying yourself as a  hacker 
(but  if  you claim  to  be one and are not,  you'll  quickly  be  labelled 
`bogus'). 

The   hacker   is   intensely   interested  in technology  and  is  a  very 
inquisitive  person.   Many  are social outcasts who don't enjoy  the  same 
things as most other kids their age.   Hackers of the unsavory flavor are a  
very   curious  breed  of individual  --  many  can  best  be  described as 
loners  looking for someone to appreciate their talents.   They  know  full 
well  that what they're doing errs  on the  `dark  side (of the force)'  -- 
to coin a phrase.  Unsavory hackers want to get caught so they can be given 
the  appreciation they desire -- and the process of getting caught adds  an 
essence of thrill to their endeavor.

I  would  like to state for the record,  that benign hackers,  such as   I,  
deplore  the   unsanctioned  entry and subsequent  rummaging  of  mainframe 
computer systems and networks.  These types of  activities  are  tarnishing  
the  profession  of hacking and giving it a bad name.

In  the  Real  World,   computer  system  organizations  are  generally run 
like  totalitarian  police  states.   This  unfortunate   reality   fosters  
resentment   in  hackers   and   a  desire to challenge  the  reverence  of 
authority  develops.   As a result,  the way hackers bring themselves to  a 
system managers attention is  via the medium they know and relate to  best: 
a terminal and modem and your computer system.    In most cases, the hacker 
wouldn't  personally  think  of  or know how to go  about  calling  up  the 
director  of a computer system and offering his services to you as a bright 
young  guy  for the fear  of  reprisals  or  not  being   taken  seriously.    
Instead,   they  choose  to `introduce' you to them by meddling  with  your  
computer  system,   cavalierly  circumventing  security   and    protection 
mechanisms,   in   order   to   satiate  their  hunger  for  knowledge  and 
develop an understanding of how things work.

The organization will respond in kind by  trying  to  `plug  the  leak'  of  
an  intrusion   into  their  system  by erecting barriers.   This  type  of 
reaction  is precisely the wrong approach to  take,   because  the   hacker  
will   notice   the  beefed-up   defenses  and  see  them   as   a  further 
challenge  of his prowess and ingenuity and legitimate users are  subjected 
to greater inconvenience.

Instead,  what an organization should do is try to befriend hackers   which  
have  penetrated   their  inner sanctums.   The perspective that should  be 
taken is one of "Is it helpful or  useful  for  you  to  do  this?"  rather  
than  "Are  you authorized to do this?".   You must in effect come down  to 
the hackers level and circulate  among them.  Show them that you appreciate 
their talents.   If you ask them nonforeboding questions and take a genuine 
interest  in what they're doing,  most of the time you'll find they're more 
than  happy  to  tell  you  exactly  what it  is  they're  looking  for  or 
interested  in.    The  hacker  wants  to  learn  and  you  can  be   their 
guide/teacher.   This  is how I was dealt  with  by  the  firm  that caught 
me  during my unsavory hacking days in 1973 when I breached security  on  a 
large   commercial  timesharing  network  and many  of  its  host  computer 
systems.   I was very much inspired by this method of catching and steering 
unsavory hackers towards more constructive use of their talents.

There is,  however, a more virulent strain of the unsavory faction,  namely  
the  electronic  vandals or joy-riders (N.B.  NOT  HACKERS).   This  strain 
includes,  for example, kids whose parents are of an affluent nature.  As a 
result,  these  kids have  an  inflated world picture and little or no true 
sense  of  reality,  due to the nature of their care-free life  styles  and 
upbringing.    These  kids  plague computer  systems  and  networks as they 
would spray paint on school walls,  t-p someone's house,  or engage in  the 
use of so called 'recreational'  drugs.    In other  words,  these  illicit  
activities  are engaged in with absolute reckless abandon and disregard for 
the  rights  or sovereignty of other people's  property.  As  with  regular 
vandalism,  the  primary  motivators seems to be simply  doing  it  because  
they   can   get away with it,  and because of the respect it  brings  them 
among  their equally disrespectful peers.   This differs from the  unsavory 
hacker  in that there is no constructive purpose or motive  involved,  such  
as    learning  or   acquiring   knowledge.     This  problem  is   further 
exacerbated by the juvenile age of the perpetrators and the unlikelihood of 
prosecution,   even  if  caught. The perpetrators are smugly aware of their 
immunity in most cases!

3. What Can and Should Be Done to Help Abate The Unsavory Hacking Problem?

From  my  own observations and inspections of systems and from what I  have 
been  reading  in  the press,   I  have  come  to   the   conclusion   that  
computer   site  administrators   are  not taking  reasonable  and  prudent 
measures  to  protect  their computer systems from  even  the  most  casual 
methods of circumvention.  A  rather egregious example of this would be the 
installation  of which the 414s allegedly logged  into with username "test" 
and password "test".  Usernames and passwords of this sort are not uncommon 
and  sites which set up logins like this are  just asking  for  a break  in 
-- just  as someone who would leave a key in the lock on the front door  of 
their house,  complete with the WELCOME! mat out  for  all  to see, invites 
the casual burglar.

The   way I view `reasonable and prudent' measures of protection  from  the 
casual  penetration  is by drawing a paradigm with the way  DoD  classified 
information is handled.

With respect to the handling and use  of  classified  information,   it  is  
the responsibility of the organization to which you belong,  in conformance 
with  DoD guidelines,   to  provide  you  with  rules  and  regulations  in 
the  handling of classified information.  It is also the responsibility  of 
your   organization  to provide  you  with a safe place (i.e.  a vault)  to 
store  said information and to provide adequate safeguards (such as   alarm  
systems,  security  personnel  and patrols) to prevent unauthorized access.

The   same   methodology   should  be taken to heart by  administrators  of 
computer  systems.  It's  their responsibility to  provide  reasonable  and  
prudent  measures to  prevent  unauthorized  access  attempts  from gaining 
access to the system. This means a few very basic things like:

   - Forcing  users to choose reasonable passwords  -  not  their  spouse's 
     name or their dog's name.

   - Setting  up  proper  modem controls on dial-up/remote access ports  so 
     that  disconnection causes any jobs (or  trojan  horses  left  on  the 
     port)  to  be flushed and results in resetting the port to  not-logged 
     in status.

   - Reporting  incorrect password attempts to the system  console  or  log 
     file.

   - Causing   line   disconnection  after  a  few  successively   repeated 
     incorrect password attempts.

   - Using encrypted passwords,  so it is not  possible  to  compromise  an 
     entire    systems  password  list  when  circumvention  of  a  systems 
     protection mechanisms is attained.   This is analogous  to  the  DoD's 
     compartmentalization  of  information -- so a breach in one area  does 
     not sacrifice security in all areas.

The second facet of the paradigm is the users' responsibility.  I don't  go  
out  to   lunch and leave my secrets sitting on my desk.  I put them  in  a 
vault.  And  I don't go throwing them over the embassy walls.   So  it   is  
the   same   for   the  computer   system   user.      It   is  the   users 
responsibility  to  choose reasonable passwords and not leave them  written 
down   anywhere,   such  as  on  their  desk blotter or white board  or  to 
pass them out to others.

The  third  matter  is  a  paradigm  of a different nature.  This has to do 
with  socially acceptable values.   Namely,  when I was brought up,  I  was 
taught  about trespassing. If I went to someone's house and found the front 
door wide open,  I don't  really  know  of  anyone  who would walk right in 
and look around.   They would instead stand at the door,  ring the doorbell 
or knock or call  out.   This type  of  responsibility  or  sense of morals 
has to be applied to the computer technology field.

Research  into  methods of improving the safeguarding of  information  flow 
through technology should be pursued.  One such project is the one of which  
I  am  the Principle Investigator of at SRI, which has to do with this type 
of  technology.  Our   involvement  has  to do with developing and  proving 
technologies  that will absolutely assure that I will only have  access  to  
information   in  a  computer system  database  of  which my clearance  and 
my `need to know' entitles me too,  while prohibiting me from information I 
am not cleared or permitted to  access.  However,  one must carefully weigh 
the  value  of  increased security with the cost in  user  convenience  and 
flexibility.

Explicit   federal   and  state  criminal  statutes  should be  enacted  to 
allow  a  vehicle  for  vigorous prosecution,  should it  be  warranted  or 
desired, by injured parties.  These  explicit  laws  would  also  hopefully  
act  as  a  method  of deterrence.

4. Let Us Not Lull Ourselves into a False Sense of Security.

In    general   unsanctioned   computer   system   penetrations   can    be 
performed  by  individuals who possess three basic  aspects   of   computer  
knowledge:  access, skill and information.

Access   can   be   defined  as  a  terminal  and   modem.   Skill  can  be 
defined  as ingenuity or familiarity with  computer   systems,   especially  
with   the   given  system   type  that   the   penetration   is   directed 
towards.   Information  can be defined as dial-up  phone  numbers,  network 
address  or  means  of accessing a given computer  system  -- perhaps  even 
physical.  Information can also include various methods, most likely in the 
form  of  'bugs' (i.e.   shortcomings)  or  'features'  (i.e.   an   aspect  
inherent   to   the hardware or software design of the system)  which  will 
permit  the  holder  to  circumvent the operating   system   security   and 
protection  mechanisms,  and  in effect gain carte blanche  access  to  the 
computer. Carte  blanche  can be defined as allowing the holder to override 
file security and protection considerations,  in that you can read or alter 
any  data  and   even change the nature of the  computer  operating  system 
software itself.

In  the  good  ol' days such skill and information was  not  widely  known.  
However,  with  the  ever  increasing  number  of  computer  systems,  both  
personal and mainframe alike,  information and skill  is  spreading  to  an  
ever     increasing    number    of    individuals    and     institutions.    
Unfortunately,   not   all   of the individuals are as scrupulous  as  they 
should  be.   Such instruments  as  `Pirate Bulletin  Board'  systems   are  
being  used to disseminate this information on a  nationwide,  on-call,  as 
needed basis.

What does this mean?

Up until now most unsanctioned computer system penetrations have not   been  
the  high  technological  acts of chicanery the media has made them out  to 
be.   They  were primarily performed by individuals who  were  as  familiar  
with  computer technology  as,   say,  an auto enthusiast is with what goes 
on  under  the  hood  of your car.   The 'auto whiz'  has  the  breadth  of 
knowledge  necessary to 'hot wire' a motor vehicle,  just as your  computer  
literate    individual    has   the   breadth  necessary   to   perform   a 
technological 'hot wire' inside a computer system.

However,    the   current   low  to  medium  technological  approaches   to  
system penetrations are likely to change.

I define the technological levels as follows:   high tech is defined  as  a  
new  method   of  circumvention.     High  tech   methods   are   primarily  
invented   by  individuals or a group of individuals who have an  in  depth 
understanding  of  the  desired technology the caper is  directed  against.  
Medium tech can  be  defined as an individual who has the same basic  level 
of  understanding  as  the high tech guy,   but  uses   the  knowledge  and 
perhaps fine tunes or refines it a bit (i.e.  the medium tech individual is 
a  knowledgeable  user).   The low  tech  individual is  just  a  user   of  
the knowledge with little or no understanding of what is involved in making 
the technology perform its desired function.

In  the  not  to distant future with higher  stakes,  increased  levels  of  
knowledge and  other  aspects  better understood,  I believe we will see  a 
trend  towards  a  more 'higher tech' level of  system   penetrations   and  
circumventions.    These capers will be harder to detect and deter.

The further development of formal specification and verification techniques 
and  associated   technologies   will   permit   the   system   developers,  
reviewers    or   specifier  himself  to  verify  that  a   given    system  
specification  is  consistent with a given model of desired operation.

5. Recommendations

In   conclusion,   I   would  like  to say that I believe the scale of  the 
hacking problem is going to escalate dramatically as more of the technology  
makes  its way  into  the  mass  market.   There is no one easy solution to 
these problems. The directions that need to  be  taken  are  technological,  
ethical/moral   and  social.     Hopefully an increased  awareness  of  the 
vulnerability of our systems to penetration and circumvention will allow us 
to see the light,  in the form of solutions, at the end of the tunnel.  And 
hopefully that light, is not a train.

6. Biography (The Making of a Hacker)

My  first  experience  with  computers (and   the   world   of   `hacking')  
manifested  itself   during  my  7th grade school when I discovered a  room 
full  of  teletypes connected to a computer system at  Stanford  University  
which  offered  Computer Assisted Instruction/drill programs.

Having  discovered `The Computer Room',  I started arriving at school early 
each  day  to be able to play with them.   I would also  spend  the   lunch  
hour,   recess and as long as I could after school in the computer room, as 
well.

Luckily,  that  summer I was permitted to hang-out at the Stanford facility 
which  had  the computer system that served our school  and  others.   This 
allowed  me the opportunity  to  interact  with  the  system designers  and 
learn  how  everything worked.   At the facility,  I   quickly   began   to  
develop   a   keen   interest  in system-level  software,   such   as   the  
operating   system  and  privileged type programs which only `the  wizards' 
could run or  know  the  inner  workings  of.  However,  I did not let this 
fact keep me from learning about the system.

During   the  8th grade,  my parents wishing to contribute to  their  son's 
apparent avid absorption of computer technology,  procured a used  teletype  
machine   and modem  from  a  large time-sharing computer  firm.   I  don't 
know how,  but in the process,  they managed to talk the firm out of `free' 
account   for   after  hours and  weekend  use.    The firm  then  promptly 
forgot about me.   After running the usual course of computer games,  which 
quickly  became  quite boring,  my attention turned towards  the  operating 
system  and  its protection mechanism,  which I  took delight  in   finding  
ways   around.     This  of  course,   was  noticed  by   the  time-sharing 
company  and one summer evening,  after they were  sure  it  was  me inside 
their  system,  their vice president and district manager came knocking  at 
our door,  and in effect said,  "gotcha!".   The result of being caught was 
that  I  was  hired  for  the summer to help them make  their  system  more 
secure and plug the holes that I had uncovered in my wanderings.

While  employed for the summer,  1973,  I chanced to meet up with   another  
summer  hire   who  had done some work at NASA-AMES and had knowledge of  a 
Department of Defense computer network,  called the ARPANET,  which  linked  
together    computers  all   over   the   country   at   various   research 
establishments,  universities  and  military bases.   My  new-found  friend 
passed me a dial-up number,  and on a scrap of paper,  wrote a few commands 
that would allow me to  connect  up  to  various systems on the network.

In    these   early   days  of  the   ARPANET   (which   pioneered   packet  
switching technology,  a method for allowing computers of different flavors 
and  types  to `talk'  to  one-another),  the majority of the computers had 
`guest' accounts on them with purposefully obvious and published passwords. 
This was done in  order to  promote the free use of resources at other host 
systems and to let users of the network have a chance to explore, learn and 
use said systems.

Needless  to say,  this was a gold mine that no hacker,   such  as  myself,  
could  pass  up.    So I spent the better part of the summer  learning  and 
using as many different computer systems as possible, all over the country.

One  of  my favorite systems to use was the guest login account on  a  host  
called  SRI-AI,   a   PDP-10  running  the  Tenex operating  system,  which 
belonged  to  the  Stanford Research  Institute's  Artificial  Intelligence 
Center.     I  thought  it nice to have a system right in my very own  home 
town.   I  made it a point to get to  know the operations of this system as 
well as I could in hopes that perhaps someday I might have a login  account 
of  my own to use and it would be  nice  to be familiar with it in such  an 
event.

Well, that day came when, as usual, I logged into the public guest account, 
and  out   popped   a message of the form "Welcome to the  SRI-AI  computer 
public guest account.   If you think you have a need for your own  account, 
send  a note  (with the  on-line  electronic  mail program,  of course)  to 
the system administrator, explaining your need."

Such  an  invitation was just to good to pass up and having  my  very   own  
login account  is something I had dreamed about.  So, I took it upon myself 
to send a message saying I was a hacker who had been spending time on   the  
public   guest account  learning  about  their system and wanted to have an 
increased  level  of access and login area of my own  to  store  files.  In 
return,  I  would  freely   help improve the systems capabilities  thru  my 
hacking.

After  some  initial  trepidation  on the part of the systems administrator 
was overcome,  my account was granted.   This allowed me to make SRI-AI  my 
home   base  of  network  operations.     I  immediately proceeded to  hack 
away to my heart's content,  now that, in effect, I had become a legitimate 
network user.

After demonstrating my competence and some semblance of responsibility,   I  
was  granted  system privileges (i.e.  carte blanche access to  all  system 
resources).  This permitted me to learn and develop a further understanding 
of the system.

So, I hung around SRI for about 9 months.  I was given a building pass,  so  
as  to have physical as well as electronic (remote) access to the  computer 
systems.  This   allowed   me  to come and go at odd hours,  which are  the 
hours hackers are best known to keep.

Then, there was an opening for a part-time weekend computer operator's job, 
and since I had demonstrated  my  competence,   I  was  immediately   hired  
for  the position.    I  was now in my senior year of high school, and as a 
result of my increased access to computers, my grade average  followed  the  
typical  hacker curve,  i.e. down.  until, two weeks into the final quarter 
of  my senior year in high school,  I dropped out,  and became full-time at 
SRI.   I have never returned to a classroom since the day I left school  in 
1974.
I dropped out,  and became full-time at 
SRI.   I have never re