Hackers Anonymous

I had absolutely no experience of computers before I went to university. My school hadn’t even had any of those classic BBC machines, and the home computers of the day were not up to much.

None the less, I signed up to do Computer Science as an auxiliary course to my Physics and Maths, and I learned a little about programming and algorithms, and even something about hardware. After my degree, it was actually the computing experience that got me a job, in software engineering.

The new software centre I joined had one (count them) computer to serve the general needs of about 20 engineers for documents, memos, mail, calendars and the like. It was a Digital (a.k.a DEC) VAX 11/780. (Actual software development was mainly done on specialised microprocessor systems.)

I was one of the two “system managers” or “superusers” of the VAX when it was first installed, and this meant that we had to go on the requisite training course at DEC’s centre in Reading.

Since we were being trained to administer the VAX, the machines and accounts we had at DEC had full privileges to do anything, and one of those things was to link up with other machines using the DECNET. It was the very early days of the internet (nobody knew it would catch on) and DEC had implemented their own network, with their own protocols, linking many of their own sites, and some of their customers’.

When you got a new VAX, it had default accounts and passwords, which you were supposed to change immediately for security, but my colleague and I played a game of connecting to remote machines and testing those default logins. It was surprising how often that worked. Because of the design of the DECNET, you could usually “see” more different computers once you logged in to a remote one. You could navigate around the world, one step at a time.

hacked computerWell, that was my first experience of “hacking”. It was harmless; no damage done; and in the subsequent years, I would occasionally browse around networks and poke at distant computers. (I have one particular memory of accessing a NASA computer which had been set up for use by astronauts. Security was trivial to circumvent, and you could choose any user’s account to impersonate. I picked Neil Armstrong.)

It was around that time that the concept of hacking became more widely known, with the publication of Clifford Stoll’s book “The Cuckoo’s Egg”, in which he described tracking and identifying a hacker who was probing American military systems, and stealing material which he sold to the KGB. (Really!)

According to Stoll’s book, many of the military computers had very poor security, and the hacker, Markus Hess, could often log in by using the default passwords, as I had with the DEC machines, or even by logging in as “guest”, with no password at all.

But that was all twenty years ago, in simpler times, and you’d expect that security would be taken much more seriously today, particularly since there are billions of people (and a few dogs) using the internet.

Actually, no. At least not in the American military. The recent protracted extradition case of Gary McKinnon demonstrated that a casual hacker with relatively little technical expertise could access and even gain control of computers, simply because security was sloppy. (To me, prosecuting McKinnon seemed like a poor choice of priorities, when there were obviously some computer staff who needed their asses kicked. Badly.)

Me, I don’t do that stuff any more. Not since I got all mature and sensible. But I do like to keep up with current news and events, and the main theme is still that the human is the weakest link. Almost all hacking and computer misuse depends on exploitation of known vulnerabilities which already have been fixed by security updates. Or rather, and this is the point, not fixed because the computer’s owner didn’t bother to implement the updates.

Though the root cause is that security in the current computer and internet infrastructure requires humans to do things that humans aren’t very good at: boring, repetitive, technical tasks. Until humans are cut out of the chain of defence, they’ll still be the major vulnerability. For now, you’re on your own.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s