Hacker Perspective: Bruce Sutherland (z3r043x)

Since I was quite young, I had always been interested in computers.

I started out at the age of 11 using my grandfather's Heathkit/Zenith Z-100, which ran the CP/M operating system, circa 1981.

After mastering the use of programs like PIP (for file copying) and WordStar 3.0, I became interested in BASIC programming.  So much so that I remember a few times being sternly told by my parents that it was now 2:30 am and that I needed to get to bed so I could get up in time for school later that morning.  I had become so engrossed with keying in the BASIC programs which were listed in Byte Magazine that I forgot what time it was.  So started my adventure into exploring, programming, and learning about computers which, in my opinion, is what hacking is in spirit.

The computer systems that followed were the Commodore VIC-20 and, in 1984, the IBM PC.  Around this time, I had started working at a local Inacomp Computer Centers store selling IBM PCs, IBM ATs, the portable Osborne 1 (which weighed in at a feather light 24.5 pounds), and eventually the fledgling Apple Macintosh.

During high school, while my friends were trying out for football and soccer, I was at home writing code.  At this point, I knew what I wanted to do with my life.

Around this time, I had read a book by Clifford Stoll called The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage.  It involved the author who, upon being tasked with uncovering the source of a $0.75 accounting error on a timeshare computer system under his care at Lawrence Berkeley National Laboratory, was swept up into a world inhabited by German hackers selling information to the Russian KGB.  Needless to say, I was very intrigued by this story and by a new (to me) operating system called UNIX.

Since Cliff Stoll had printed his email address as part of a postscript in The Cuckoo's Egg, I wrote an email to him - using my CompuServe account - asking him if he had any suggestions about how I might go about learning more about UNIX.  In reply, he mentioned that I should try to get some time on my local university's mainframe.  It turns out that this was nearly impossible as my local community college was using an IBM System/370 that did not run UNIX or even IBM's flavor of UNIX called AIX.  No luck there.

Fast-forward to 1995; I was working in my own business installing and maintaining Novell networks for customers of my father's accounting software dealership business.  A couple of years earlier, I had started playing around with a new UNIX-like operating system called Linux, which allowed me to learn the structure and layout of UNIX type systems.  I was hooked.  I spent hours upon hours learning and exploring.  Since Linux ran on inexpensive Intel-based microprocessors, I was able to load it on old, discarded equipment that I came across in my computer business.

A year earlier, I had moved into my first apartment in downtown West Palm Beach, Florida.  My Internet access consisted of a dial-up connection using a USRobotics V.33 modem that was screaming fast for the time.  My Internet Service Provider, along with the dial-up connection, allowed the use of a UNIX shell account on one of their in-house servers running the FreeBSD operating system.  This was great because you could log into the shell account via dial-up and have access via FTP or Telnet to the rest of the Internet at T1 speeds.  Heaven!

Feeding my love for the exploration of computer systems, I spent hours writing Bash shell scripts to do things like automate file downloads and keep ping logs of web servers' uptime out on the Internet.  Around this time, I had also become interested in UNIX security and computer security in general.

One day, out of curiosity, I was poking around the /dev directory on the ISP's shell server and noticed a device that looked very similar to one I had seen on one of my own Linux servers.  It was a device called /dev/st0.  This was the system's device name of a tape backup drive on my server.

I issued the command cat /dev/st0 and, after about 30 seconds, lo and behold, the complete contents of the mounted tape were being dumped to the screen.  "Well, that's not good," I thought.  The information being dumped looked like the sort of computer gibberish I would sometimes see if I tried to view the contents of a file that was only meant to be run by the system.

I had no way of knowing what exactly was on the tape, so I took a guess.  I dumped the entire contents of the tape to a file, downloaded it to my system, deleted it from my shell account, then ran some analyses on it.

One major thing I found was that the system's /etc/passwd file, that contained all of the user accounts, was on the tape as well as the /etc/shadow file that contained the encrypted passwords for all of those accounts.  These two files are usually not accessible to any user, except through the "superuser" account, on a UNIX system and they weren't on this system either, except I wasn't accessing them directly.  I was accessing them from the tape drive.

At the time, I had read an article about different methods of securing a UNIX system's authentication files (the password and shadow files) because, by default, the "shadow" file was encrypted.  However, the passwords could be recovered using what is called a "dictionary attack".  A dictionary attack is accomplished by encrypting all of the words in the dictionary with the same method UNIX uses to encrypt the "shadow" file and then comparing each encrypted password in the "shadow" file with every encrypted entry in the dictionary.  If you have a match, voilà, you have recovered the password for that account.

Next, and this was purely in the spirit of exploration of course, I compiled and set up a UNIX program called "crack" which would perform a dictionary attack on a merged version of a UNIX password store.  This crack program was set up on the fastest computer to which I had access at the time.  This was a system running Novell UnixWare that sported two Intel Pentium processors running at a blistering 90 MHz each.  I'll wait for you to stop laughing now... but remember, this was 1995.

In all, it took about a month and a half to recover ten percent of the 4000 encrypted passwords, and this was using an English-only dictionary with no numbers.  Now I had unfettered access to 400 accounts, most of which were owned by major businesses in the West Palm Beach area.  I should also mention that these passwords gave the user access to a dial-up connection, email account, and UNIX shell account, all with the same password.  At this point, I could have touched my pinky to the corner of my mouth and started laughing maniacally thinking about all the mayhem I could have caused, but I've never been one to cause unwarranted damage to anyone's property, and that includes computer systems.

Instead, I called the ISP and told them that their tape drive was accessible from any user shell account and that they should change the permissions to prevent that from happening.  After being admonished by the system administrator for "poking around" in the /dev directory, it took them a full month to fix the problem.
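The check the ISP was missing is a simple one: no block or character device backed by real storage should be readable or writable by "other".  The following is an added example, not the author's code, that audits a captured `ls -l /dev` listing for exactly that; the listing below is constructed for illustration and the set of harmless pseudo-devices is an assumption you would tune for your own system.

```python
from typing import List, Tuple

# Constructed sample of `ls -l /dev` output (not captured from any real system).
# st0 is shown the way the article describes it: readable by every user.
SAMPLE_LS = """\
crw-rw-rw- 1 root root   9,  0 Jan  1 1995 st0
crw-rw---- 1 root tape   9,  1 Jan  1 1995 st1
brw-rw---- 1 root disk   3,  0 Jan  1 1995 hda
crw-rw-rw- 1 root root   1,  3 Jan  1 1995 null
crw-rw-rw- 1 root tty    5,  0 Jan  1 1995 tty
lrwxrwxrwx 1 root root        7 Jan  1 1995 cdrom -> hdc
-rw-r--r-- 1 root root        0 Jan  1 1995 MAKEDEV
"""

# Pseudo-devices that are meant to be world-accessible and hold no data
# (assumed list; extend it for your own platform).
HARMLESS = {"null", "zero", "tty", "random", "urandom", "full"}


def audit_devices(listing: str) -> List[Tuple[str, str, str]]:
    """Return (name, mode, fix) for each block/character device node whose
    'other' permission bits grant read or write, skipping known pseudo-devices.
    Symlinks, directories and regular files in /dev are ignored."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        mode, name = fields[0], fields[-1]
        if mode[0] not in "bc" or name in HARMLESS:
            continue
        other = mode[7:10]                      # the 'other' rwx triplet
        if "r" in other or "w" in other:
            # Tape and disk nodes should be reachable only by root and the
            # device's group; stripping o-rw is the fix the article asked for.
            findings.append((name, mode, f"chmod o-rw /dev/{name}"))
    return findings


if __name__ == "__main__":
    for name, mode, fix in audit_devices(SAMPLE_LS):
        print(f"{name}: {mode} is exposed to all users -> {fix}")
```

On a live system, feed it `ls -l /dev` output; the tape node in the sample is the only one flagged, because the group-restricted st1 and hda pass and the pseudo-devices are skipped.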

What happened next was nothing short of insanity.

About two weeks later, I got a call on a Saturday morning from a Palm Beach County Sheriff's detective stating that he was from the "Palm Beach County Computer Crimes Unit" investigating a case of computer hacking and that my account was implicated.  He asked me if I had any kids at home who had access to a computer and if I had given anyone access to my dial-up account.  I answered "no" in both cases.  He then asked me to call him if I had any further information, and that he would meanwhile continue investigating.  Now it was clear that that bastard system administrator had obviously reported me to the Sheriff's department.

At this point, I kind of started to freak out.

I had visions of Palm Beach County Sheriff's deputies raiding my apartment and office, confiscating all of my computers as evidence and effectively shutting down my business.  If anyone has ever read about similar cases, they know that the police absolutely do not give a shit about a person's livelihood, even if they're merely suspected of a crime.

Over the next month, the Sheriff's detective proceeded to harass me by phone, telling me about all of "the hacker's" activities in the shell account since I reported the tape drive issue to the ISP.  Also, the detective used computer terms which made it obvious to me that he had no clue what he was talking about.  His continued line of questioning led me to believe that he was trying to get me to "break" and admit something.  Now, I'm not an attorney, but I'm also not stupid enough to admit anything to the police, however innocent my intentions were.

That month, I made it a point to back up all of my critical work systems and stash backup tapes and spare computers at friends' houses around town in case of a raid.  The harassment calls continued until one weekend when I had had enough.  I was out of town, which I felt was necessary to be safe from arrest, and I called the detective to tell him that we needed to end this.  I told him that I would be retaining an attorney who would be in contact with him about the case.  This is when he said, amazingly, "Why don't you come to my office..." which was in the same complex as the county jail by the way, "... and if I need to read you your rights, then you can get an attorney."  This is when I wanted to run to the nearest mirror to see if there was a sign that read "IDIOT" on my forehead.  Was this guy for real?  Prior to this, I had had a healthy mistrust for the government and law enforcement people in general, but now?  Let's just say that I expect anything a law enforcement officer says to be a lie until it's proven otherwise - the admission of which tends to get me out of jury duty pretty easily, too.

I also secured a small piece of insurance in preparation for the worst-case scenario.  Was I to be arrested and charged, I thought it would be a wise move to chat up a local TV reporter whom I recognized while out at a bar one night.  I told her that I had information about a "possible" computer security breach at a large local ISP and asked if she would be interested in the story.  After her eyes lit up, I asked for her card and told her that I would be in touch.  If these bastards were going to bring me down for helping them secure their own systems, they would be going down, too.  Let's see how many customers would close their accounts following that announcement on the evening news.

The whole situation ended soon after I retained a criminal attorney, lined up a bail bondsman in case of arrest, and waited.  After a few weeks, I got a call from my attorney letting me know that he had called the Sheriff's detective and told him in no uncertain terms, "... either arrest [me] or stop calling [me]," and that he was guilty of harassing the public.  Apparently, the detective offered some lame semblance of a denial and, more importantly, was never heard from again.

This is when I realized that I probably had skills that could scare the shit out of system administrators and the public alike.  From that point on, I decided to educate myself about "real" computer security issues and use my skills to help the public, while charging them handsomely in the process, of course.

With my first large paycheck from a programming job, I purchased a lifetime subscription to 2600 Magazine.  I also began attending various computer security conferences like DEFCON which is held every year in Las Vegas.

I tend to like the less "corporate" type conferences, due to the number of "marketing types" who are there to sell rather than learn.  The key to keeping current in this quickly changing field is education.  Not the type you would get from a formal institution but more self-directed education.  Formal schools tend to be woefully behind the curve as far as what's actually happening in the world.

Bruce Sutherland currently resides in central Florida on the east coast and actively consults with businesses throughout the state on security and business process problems.  He was a speaker this year at the DEFCON 19 hacker convention in Las Vegas where he presented his talk entitled "How To Get Your Message Out When Your Government Turns Off The Internet" about sending messages to Twitter via satellite using a portable ham radio.
