Old School Hacking
/Back in the day, hacking was easy.
I recall when I started my career as a finance person in the 90’s that few if anyone password protected their computer. My boss and I were working late on a Sunday night preparing for a Monday morning meeting with the executive team. He found a typo on one of the summary documents that was going to get a lot of visibility. The analyst who had worked on that file had it saved on his desktop, was away for the weekend, and unreachable, so my boss went to his desk and turned on his machine.
Password protected. Dang it!
He came over to me and asked if I knew a way to get the file. “Do you have a screwdriver?” I asked. He looked at me quizzically but was able to find one in the janitor’s closet. I crawled under the guy’s desk, pulled out the tower, removed the casing, and popped the jumper. In the olden days, computers had two metal prongs on the motherboard that were bridged with a small metal pin. If you removed the pin and rebooted, the password was no longer required.
He looked at me with a combination of elation and fear.
Six months later I was promoted and working in the finance department of one of our plants. We had a similar situation arise, but my boss couldn’t find any tools. I thought about it for a moment. I printed off the directory of my system files and printed it, including the size of every file. I then changed my password and made it really long. I reprinted the directory of system files and looked for files that changed in size.
I found a file that contained my password. The problem was that it was encrypted. So I changed my password again, but this time I made it “abcdefg….” and included the entire alphabet. I went to the encrypted file and printed it off. I then wrote the alphabet below my new encrypted password and I now had a translation key (this was Windows 3.1, by the way).
I went to my coworkers computer, booted up to the line editor, and found his password file. I used my translation key and deciphered it.
My new manager looked at me with a combination of elation and fear. I now had a reputation.
Yet these were easy hacks. The jumper I had read about somewhere in one of the many computer magazines I devoured back then. The Windows 3.1 password trick was just logic.
A year later I was transferred back to the headquarters and the VP Finance’s admin sent an excel file out to the entire office, requesting that everyone enter their vacation schedule and send it back to her (the concept of sharing files on a central drive was still pretty new back then, so she was kind of old school). Ten minutes later she sent a panicked email out to the entire office saying that the file was infected with a virus. “Delete it immediately and if you opened it call IT immediately!” was her command.
I was in a series of meetings while all this was going on. I got back to my desk at lunch time and saw her emails. So, of course, I opened the file and studied it. The virus was very simple. Some VBA code embedded in the file, which would copy itself into any open excel files and it modified the default “new sheet” template so it would always open in the background in the future. This would allow it to continue to spread to any file I opened in the future.
I played with it for a while until I figured out the right steps to allow me to clear it from memory and save a version of the file without the macro embedded in it anymore. I then sent the file back to the VP Finance’s admin telling her that she could now safely share it. I was expecting elation and fear… but that isn’t what I got.
“I’ve spent all afternoon with an IT guru, I fail to see how YOU could have figured this out over lunch.”
Time well spent, clearly. A hacker’s efforts aren’t always appreciated.
When newspapers began to implement subscription programs for their content, they pinned their future financial well being on the paywall. One of the major newspapers in Canada is The Globe and Mail. I noticed that if googled the headline of an article it would show up in my google search results with a link. When I clicked on the link it would bypass the paywall and let me read the entire article.
So I could read the entire paper for free, just by googling one article at a time. I sent a letter to he editor, explaining the simple hack. After thirty days they had still not fixed the problem. So wrote the editor a second email. Thirty days later, still no fix. I gave it another week as I thought about who I should reach out to next. I toyed with the idea of sending a tip to their biggest competitor, the National Post. What a great headline that would make, I thought. I tested the trick again and by now they’d fixed it.
No message of ‘thanks’ by the way. Agh well, no one said hackers had to be appreciated.
Hacking today is far more sophisticated. Security is a major part of every ecosystem in the modern world and it takes far more work and knowledge to find vulnerabilities. At its root, however, old school hacking was about thinking different, being curious, and problem solving. That part hasn’t changed.