5.4.07

I was a teenage hax0r d00dz!!!!11

My family gained internet access via AOL in 1994, when I was in 8th grade. At first, my internet usage was monitored pretty strictly, and I got to fart around only occasionally and only for brief periods. Having seen a story on the news about the evils of the internet, I knew that there were instructions for various nefarious deeds readily available online, and when my parents weren't home, I would print out instructions on how to blow things up. My classmates and I found these tutorials endlessly fascinating, though we never actually made the effort or took the risk of blowing off our fingers. At some point, some careless student got a stack of printouts confiscated, my parents were contacted, and my internet access was cut off. My parents canceled AOL.

In 9th grade, I regained internet access, this time through a local phone company. The same company ran a dialup BBS that several of my friends had been accessing for some time, but I had never been able to enjoy due to it being outside of my local calling area. Now, I was able to connect to the BBS via telnet. I created a free account and began using it to email my friends, chat with locals (mostly making fun of them anonymously), and hack monsters to bits on the MUD (multi-user dungeon) they had.

I read an article in a book about how to send email from a fake address. It was a simple matter of connecting to a certain port of basically any server and then manually typing in the commands that an email program would normally do for you. You told the computer you were somebody else, and then you got to send an email as whoever you wanted to be. I sent my friends a bunch of emails from people I wasn't, and I was thrilled by the power it gave me. I wanted more internet power.

I started poking my nose in places it didn't belong. I'd use FTP to connect to anything I could and just look around at what files were there. I connected to my internet service provider's domain and was able to download their password file. I didn't know exactly what to do with it, but a simple internet search taught me that I could run it through some software to pick out passwords. I did, and though it was slow going and I didn't let the program run all the way through, I still found a handful of passwords. A group of people had chosen 12345 for their password, and another had chosen 54321. Clever. I compiled my own word list file to check against the password file, using only words relevant to our area, like school mascots. The program ran through much more quickly this time, and brought me more passwords.

I didn't do anything with the passwords I found, but I wanted more, anyway. I decided to give brute force attacks a shot. In other words, I was going to try guessing passwords. I logged in to the BBS and started looking through people's public profiles. One kid was a Mortal Kombat fanatic, so I correctly guessed that his password was mk. I logged in, changed his password, and started playing around. He had paid for his account, so he had more access to things on the BBS than I did. I ended up reverting his password when his brother logged in and started talking to me. They actually weren't mad about it, and the kid whose password I stole told me he'd be smarter about making up passwords in the future.

Still unsatisfied, I decided to get sneakier. I made another free account on the BBS and named it PW-DATA. Then, I picked random people on the BBS and sent them an email that purported to be from the sysop (the "system operator" of the BBS).

Dear BBS user,

We've been experiencing some problems with our password database, and because of this, your account may be in danger of becoming inaccessible. Please send a message to PW-DATA containing only your password.

We apologize for the inconvenience.

Dwayne, the sysop

Within hours of beginning this, I had more passwords. I was surprised that less than half of the people who I sent messages to actually sent their passwords. Still, I was proud of myself.

One of the people who sent me their password was a guy who I hated anyway, due to his being an obnoxious internet douche bag. When I got his password, I went through all of his emails. He had a lot of messages talking about the drugs he had and the drugs he was going to get. I also found a receipt from when he paid for his account. I took down his credit card information and used it to buy my own account. I sent him an email saying, "Don't fuck with me, I know things about you."

The account activation wasn't automated, and when I paid using his credit card, I didn't gain access to all of the things I was supposed to. I emailed the sysop, who activated my ill-gotten account. I finally had a paid account of my own.

A couple days later, I found that the account had been canceled, and the password for the guy's other paid account had been changed.

My password phishing account was still active, so I continued sending people email from the sysop asking for their passwords, and I continued getting passwords. For the most part, I didn't even log in to anybody's account, but I liked knowing that I could.

I sent my fake message to the kids from my school who used the BBS. They were, for some reason or another, all dirty, unpopular, and poor kids rumored to be inbred. I've never been able to understand why this was so. They came from different families, so it wasn't because they shared a computer. I knew very few people who were online at this point, but the poorest kids were among them. They were all too clever to fall for my ruse, though.

One of the kids, Aaron Smith, overheard me talking with a friend in gym class about my phishing endeavors. He told me that he was friends with the sysop, and that he knew it was me.

"It's fraud," he told me, "and it's a felony!"

I stopped phishing for passwords when Aaron told me the sysop was on to me. I never knew if the sysop actually knew, or if he only knew because Aaron overheard me and then told him it was me. I came home a few days after Aaron told me it was a felony, and my dad told me I wasn't allowed on the internet anymore. I guess Dwayne, the sysop, had called him. I was disappointed to have my internet access taken away, but relieved that I wasn't having charges pressed against me.

For the most part, I lost interest in such things after that. In 10th grade, I fooled around on MUSHes (sort of like MUDs without fighting), and figured out how to give myself complete God power over everything through a combination of social engineering and code manipulation. Other than that, the draw of secret knowledge and forbidden power was never strong enough to combat the fear of losing my internet access again.

1 comment:

Orhan Kahn said...

As droll as this sounds, that was incredibly interesting. To have access to the internet in 1994 somehow impresses me. Good effort :)