O'Reilly    
 Published on O'Reilly (http://oreilly.com/)
 See this if you're having trouble printing code examples


Stealing the Network: A Prequel

by Ryan Russell, coauthor of Stealing the Network: How to Own a Continent (Syngress)
07/01/2004

Editor's note: Stealing the Network: How to Own a Continent, the second release from Syngress in this series, uses fictional stories surrounding real technology and techniques to show the dangers that lurk in the shadows of the security industry. Ryan Russell, one of the coauthors of this book, has written this "prequel" depicting a '70s-era hack, set at a tech company back East. If you've been curious about Stealing the Network, this short bit of fiction provides a real sense of the concept behind the book. And be sure to respond to the talkback at the end of this tale -- we'd like to hear your theory.

The young man with the crew cut and habitual shave stood stick-straight at the reception desk of the research building, waiting for the receptionist to produce his temporary badge for the day. His arms were behind his back, left hand held in his right, in a not-at-ease pose. He looked out of place in his own clothes; dark slacks with a sharp crease in each leg, dress shirt with wide collar, and wide striped tie. The only article that seemed to match him were his highly polished, plain black shoes.

"Here you go, sir," she said to him, handing him the typewritten paper badge inside of a plastic holder with clip. She continued, "You're expected in room 365, elevators to your left," as he attached the clip to his shirt pocket.

As he navigated the hallways and rode the elevator, he couldn't help but stare at some of the people there that he saw. Many of them wore regular business attire, and carried folders or briefcases. The ones that made him stare looked rather like cleaned-up hippies. Maybe college professors, if he were feeling generous.

It was one of those people who turned from the chalkboard, chalk still in hand, when he entered room 365. With a grin on his face, he said "Ah, you must be our new Navy man, come to learn computer security." He had made a technical attempt at dressing for work, wearing what must once have been an acceptable shirt and slacks. But Crewcut saw that the man had on the most hideous, garish tie he had ever seen, and was wearing a shabby pair of boat shoes! Most shocking of all to Crewcut were his collar-length hair and full beard and moustache. He was used to seeing computer people wearing blue suits and white shirts.

"So soldier, what's your name, rank, and serial number?" "Sailor, uh. sir. Lieutenant Robert -- you don't really want my serial number, sir?" "No, of course not, I'm just teasing. Here, sit." He said, motioning to a chair.

Related Reading

Stealing the Network: How to Own a Continent
By FX, Ryan Russell, Roelof Temmingh, Russ Rogers, Jay Beale, Joe Grand, Kevin Mitnick, Fyodor, Paul Craig, Thor, Tom Parker

The room looked something like a cross between a classroom and a cafeteria. Two of the walls had well-used chalkboards, and the room was filled with plastic-and-metal chairs, and small tables. Really, the only thing that kept it from being a classroom was that the chairs didn't have desks attached. He took a chair facing the blackboard, and prepared to pay attention. He leaned back slightly startled when Fullbeard, instead of taking up a lecture position at the blackboard, plopped down in a chair on the other side of the table from him. He still held the piece of chalk in his left hand, though, absentmindedly rolling it with his fingertips.

"So, what have they taught you in the Navy?" "Sir? I'm trained as a linguist. I am conversant in Korean." "Ah, a linguist, huh? I was wondering how long it would take the agency to take an interest in some of our research."

Crewcut placed both palms flat on the table, as if preparing to push himself up out of his chair. He said "I don't know what you're referring to," staring deadpan.

"Oh, relax, I know. There's no such agency. What I meant was, what computer training have you had? What passes for computer science in the Navy?"

"I've been trained to write Fortran programs. I've studied the operations of the OS/360 platform that our programs run on."

"Ah! And have you played with the console on the System/360? Have you ever had a chance to bootstrap the system?"

"No sir. We submit our decks to systems operations for batching, and ..."

"Well, you're in for a treat then! Come with me." And Fullbeard excitedly rose from his chair, and started for the door. Crewcut had to hurry and gather his things to follow him. He caught up by the time the elevator door opened. He said "We're heading for the computer room in the basement," and pressed the "B" button. "So, why did you get picked?"

"Sir?"

"Why did they send you out of all the linguists? Why did they single you out for punishment?" he asked, smiling at his own joke.

"Not many of the linguists have any computer training. I extended my training after completing my Korean program. My base commander recommended me based on some of the programs I've written."

"Yeah? What kind of programs did you write?"

"I've written some programs to do letter frequency analysis and to solve monoalphabetic substitution ciphers ..."

"Ah! Cryptograms! We have some champion cryptogram puzzlers here, you know. Every once in a while, we'll have races to solve the daily cryptogram in the paper. Tell me, have you looked at the Enigma?"

"Sir? Have you had cryptographic training?"

"No, no. Just a hobby, something I've picked up here at the office. So? Have you? Looked at the Enigma?"

"A little. I'm working on a program to simulate an Enigma machine in Fortran. It's not done yet."

"Have you tried to break it yet?"

"Tried to break the Enigma encryption? No, I haven't. Sir, you're aware that the Enigma isn't rated for secure communications?"

"Oh yes, I know. It was broken by ..."

"Turing," interrupted Crewcut.

"Oh! So you do know a bit after all."

"I've read some of Turing's papers. I don't understand all of it."

"Maybe there's some hope after all." The elevator doors slid open, and they stepped into a white hallway with pipes on the ceiling.

As they paused at the door to the computer room, Fullbeard glanced guiltily to the left and right down the long hallway. Reaching into his pocket, he produced a brass key that he inserted into the lock, causing a low grinding noise to emanate from the sounding board of the door. Rather than simply turning the key, he placed one shoulder against the door, manipulated the knob with one hand, and violently jiggled the key with the other. After a moment of effort, the key turned, and the door popped inward. It took him nearly as much jiggling to get the key back out.

Seeing the look of confusion on the face of Crewcut, he smiled, and placed the key in Crewcut's hand. Looking at the key, he could see that the cuts were very jagged and uneven. Fullbeard simply stated, "I made it myself. I'm afraid I'm not very good with a hand file. Here." He paused, reaching into his pocket again, and this time extracting a whole key ring. Flipping through the keys, he found another brass key, and pinched the two keys together, holding it up for Crewcut to see. "Look, cuts 1 and 3 from the shoulder are two higher than my office key. This key I made myself will open most of the doors in the building."

"Just another hobby you picked up at the office?"

"Ha, well, college this time."

"How did you know when to stop filing?"

"The short version of the story is that if you've got a key to a given lock in a master key system, and you can take apart that lock, you can easily see the differences in pin heights for your key, and what must be a master key, or at least a sub-master. A few practical experiments, and you're set. Hand-filing a key isn't quite as hard as you might think. I'll show you more later if you want, let's hurry up. I don't want another talking to about unapproved computer room entry."

Now fearing how this would reflect on himself, Crewcut clammed up and followed Fullbeard across the raised floor tiles. They turned a corner to arrive in front of a tall cabinet whose most noticeable feature was a row of lights with many orange and purple switches beneath. "Know what this is?" asked Fullbeard.

"No, sir."

"This is a PDP-11/70. One of the earlier models, with the proper color toggle switches."

Crewcut glanced at the switches, finding it hard to believe there was anything proper about the color scheme. It looked much more like someone had had to assemble it out of two different sets.

"Here," said Fullbeard, reaching down and flipping one of the switches towards the right-hand side. "Halted."

"What?" replied Crewcut, looking panicked, glancing back the way they had come.

At that, Fullbeard actually laughed out loud, and flipped the switch back to its original position. "Resumed."

"Won't that cause problems? Won't someone notice? Who pays for the lost runtime charges?"

Laughing again, Fullbeard said, "We don't charge back CPU time here. This is my system. Well, ours. No, it won't cause any problems. Well, you can, of course, if you don't know what you're doing. No one is going to notice a few-second pause. Our OS gets busy sometimes with a bunch of users, and no one is going to think twice about a small stall. Next time I need to put a new version of the OS on, how about I let you toggle in the bootstrap, OK?"

Crewcut followed Fullbeard out of the room, the look on his face somewhere between awestruck and fearful.

"I know a good Korean food place for lunch. You can order for us."

One Month Later

"So, it's been a month. What do you think of our little projects so far?" queried Fullbeard.

"When do I get root access?"

"Ah! Around here, you're not given the root account, you have to earn it."

"Is that allowed? Can I steal the password?"

"Well, no doubt you've noticed by now that relatively little permission seeking takes place with the researchers. It's much easier to ask forgiveness than permission. It's even easier if you don't get caught and have to ask forgiveness. In any case, it's our system, we won't begrudge you access if you have a clever way to get it."

"So. I wait for someone to log in as root, and I watch over their shoulder?"

Fullbeard rolled his eyes. "Yes, that would work, but that's not interesting! How long would you have access?"

Crewcut replied "Until I got caught?"

"No! Don't worry about getting caught. No one cares if you get caught. Not here. How long could you keep logging in as root?"

"Until someone changed the password?"

"That's right! That only does you any good until the password has been changed, and then you have to steal it again. What else?"

"Um. when I'm root, leave myself a special setuid program?"

"Now you're thinking! Once you've got root, leave yourself a back door! How long does that work?"

"Until someone notices it?"

"Well, yes. Or, what do we do on a regular basis that would remove your special program?"

"We reinstall the system."

"Right. So then what? Who installs the system?"

"I do, sometimes."

"So what could you do with that?"

"I could make sure my backdoor program is there every time. I could make it part of the build process!"

Fullbeard beamed at Crewcut and tapped his temple with a finger. "How would you like to see a trick?"

Inside Fullbeard's office, he handed Crewcut a hunk of two-by-four board, and a small cardboard box that rattled. Looking extremely puzzled, Crewcut looked into the box, and saw a bunch of wooden pegs. Along one edge of the length of two-by-four was a long row of holes, seemingly the same diameter as the pegs. Above each hole was a number, scrawled in pen, 0 through 18. Setting down the box, he extracted one, and verified that the pegs did indeed fit securely in the holes. He stared at the peg protruding about two inches from the board.

"So, let's do a little octal math, shall we?" said Fullbeard, turning to his terminal. He ran the ps command. "Which process is your shell, back at your cube terminal?" Staring over his shoulder at the list, Crewcut replied, "52."

"OK, so here's a test. Look at the memory address for process 52. Put that in the board in binary -- a peg equals one, a hole zero."

Looking back and forth from the screen to the board, he inserted pegs one at a time. Going from octal to binary was relatively easy, actually. When he was done, he held the board out towards Fullbeard to see.

"Good. OK, so what controls the rights of that process?"

Thinking for a moment, Crewcut answered, "the user ID number that owns the process."

"Right. And what memory address relative to the start of the process holds the UID?"

Crewcut just looked and shrugged. Turning, Fullbeard changed directories, and typed cat proc.h | more. Crewcut started counting words in his head. After a good minute, he announced "24 words in."

"OK, you sure?"

Glancing at the screen again to repeat the process, 20 seconds later he announced, "Yes."

"OK, then add 24 to the address on your board."

Crewcut got to work on his board. He started to pull pegs, and then thought twice, and set it down as is. He then placed a few extra pegs on table below the lower numbers on the board. Once he seemed satisfied that he had it right, he adjusted the pegs to match the new address. Fullbeard watched intently the whole time. When Crewcut presented the new peg configuration, Fullbeard raised his eyebrows, paused, and said, "You sure?"

Crewcut glanced at the board, then nodded. Smiling, Fullbeard nodded back.

In the computer room, board in hand, Crewcut stood in front of the 11/70. "Hang on a sec," said Fullbeard. He walked to the teletype console, which looked like a cross between a printer and a typewriter, and logged in. Before walking away fully, he reached to the side and pressed "return" a few more times, just to double check. The chunkchunk of the console feeding paper told him audibly that his shell was still alive. He joined Crewcut at the front panel.

"OK, so what address is on the stick?" he asked, taking the two-by-four from Crewcut's hands, and hefting it.

"The address of the UID of my shell process."

"Right. What value would it have if the UID were root?"

"Zero."

"Correct. So here's what we do. This is the halt switch, right?" he pointed at the halt switch. "When you bootstrap it, you punch in the address and hit this switch, right?" He pointed to the LOAD ADDR switch. "Then you punch in the value." He pointed to the DEP switch.

Seeing the light dawn in Crewcut's eyes, Fullbeard handed back the board and took a step back, folding his arms as if to make his hands unavailable to help. Feeling the pinpricks of sweat forming in his skin, Crewcut experimentally lined the stick up with the row of 18 switches, visually checking where each peg would hit its respective switch. After several checks, like a golfer lining up his shot, he reach to the right and flicked the ENABLE/HALT switch to the HALT position. Carefully but quickly, he lined the stick up with the ADDRESS/DATA switches, and flipped all the switches with corresponding pegs simultaneously. He hit the LOAD ADDR switch. He then rotated the board and used a flat edge to put all the switches back to the 0 position, and hit the DEP switch. Swinging the board to rest against his leg vertically like a used sword, he hit the CONT switch, and stepped back. An elapsed eternity of about seven seconds.

Glancing over his shoulder, he looked at Fullbeard expectantly. Fullbeard reached back across the console keyboard, and hit the return key a couple of times. Chunkchunk. "So far, so good."

Back at his cube, he also pressed return a couple of times, Fullbeard watching over his shoulder. Two more blank lines, a good sign. Finally, he typed id. 0.

Fullbeard clapped him on the shoulder, and walked back to his office, wearing the board on his shoulder like a huge chip.

Three Months Later

"So how would I go about making sure my backdoor was always there?"

"How do you get it there now?"

"I've got it in the build process. It's pretty slick, actually. Instead of a separate file, I've got it compiled right into the kernel."

"So what's the problem?"

"Well, there's no practical problem. So far, no one has noticed it. But anyone who happens to look at the build files might notice it. Any of you guys noticed it?"

"No one has said anything. But we don't need to look at the build scripts often. We're mostly working on the kernel source. Someone will notice it eventually, though."

"But there's no way to keep someone from looking through the source or build scripts specifically for a backdoor. I can't do any better, right?"

"Can't you?" The smile on Fullbeard's face told Crewcut that Fullbeard knew a way.

"But how? Everything is built from source, every time. I mean, no one is going to read it very often, but eventually someone will."

"Really? Is everything built from source?"

"Yes, everything."

"Even the compiler?"

"Yes, we build the compiler from source for each version."

"Ah, but you're not using source code to compile source code, are you? You're using binaries."

Half a light went on above Crewcut's head.

"But ... what good ... I mean, yeah, I can put the backdoor in the compiler instead of the build scripts, but that would only work once. I'd have to backdoor the compiler source, too, to keep it going."

"Do you remember me telling you about how we made the compiler?"

"Yeah, you made the first one in NB, and then compiled it with itself, and so on."

"So, to add a new feature, we made the compiler spit out a modified version of itself. In essence, you can never see the source code for the version of the compiler you're actually compiling with. The compiler is changing things behind your back." The other half of the light went on.

"You mean, when the compiler is compiling the compiler, you make it backdoor the compiler? And the backdoor makes the compiler backdoor the compiler?" Crewcut's head was swimming in a sea of recursion.

"Yep. Oh, and you also backdoor the compiler so that when it's compiling the kernel, it compiles in your root backdoor, too. Your backdoor only exists in source once when you write it. Once you've unleashed that binary version, the chain begins, and no can spot the change in any source code they write."

After a few moments of staring in amazement, Crewcut piped up again. "Won't it be possible to look at the binary code, maybe in a debugger, and see the change?"

"Sure, it's possible. But have you ever tried debugging the compiler? You'd be hard pressed to see the change. I don't know what it's doing half the time, and I wrote part of it! Of course, there are deeper levels, too. Maybe you modified the processor to be able to spot when it's running the compiler. How far down the rabbit hole do you want to go?"

Two Months Later

Muttonchops said, "So what happened to your Navy kid? He go back already?"

Fullbeard replied, "Yeah, his 'internship' is over. He's gone back home."

"Was he really a spook? What was he like?"

"He works for spooks, at least. I don't know if I'd call him one, exactly. I think we can count on one more install site that we'll never know about, though." He winked.

"So, did he 'get it'? They were after computer security information, right?"

"I'm not sure. He was a sharp kid. I kinda had to lead him a bit though, you know? Spell things out?"

"Yeah, I know what you mean. You gotta make them learn for themselves, though. It won't sink in unless they do the heavy lifting."

"Well, you know me, I can't help but show off a few good tricks."

"You didn't just hand it to him, did you?"

"Well, I made him work for it. A little. We've supposed to be showing them what we know, right? The higher-ups have said it shall be so."

"You didn't show him the compiler trick, did you?"

"Ha, well, I didn't show it to him."

"You told him!"

"Yeah, I told him. I'm not too worried about it, though. He doesn't know I've already done it, and he's never going to be able to do it himself. I watched him struggle for a couple of weeks with the compiler code before giving up. He doesn't have the discipline to learn it himself. He would have to enlist the help of some much sharper computer scientists to get anywhere."

Ryan Russell


Return to the Security DevCenter

Copyright © 2009 O'Reilly Media, Inc.