%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%%   HARRY HACKALOT PRESENTS>>>>>>>>>>>>>>>>>>>>>                            %% 
%%                 "Defense Data Network Blues"                              %% 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
             Another Famous G-file by HARRY HACKALOT!!!!!!!!!!!!!!!!!!! 
  
- - - - - - - - - - - - - - - A T T E N T I O N - - - - - - - - - - - - - - - 
 The following phile consists entirely of UNCUT,UNEDITED,TRUE downloads from 
the National Defense Data Network. Names have been changed to protect the 
innocent. I, Harry Hackalot, take FULL responsibility for contents of this file 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
  
  
 Well, as we log on the the National DDN (Defense Data Network) we pause to  
notice some messages posted by our hero, "guy", in regard to the trial of a 
couple of UCLA hackers who broke into the network a year ago........ 
  
(NOTE: Something went wrong with my terminal program's buffer,so I only got the 
last couple of lines of the first message. It is a list of all the sites 
penetrated by the hackers. Crystal is the one the Wargames kid got into) 
  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
  
  
ps  The list of sites penetrated includes: 
  
nosc-cc         purdue          rand-relay      nrl-css/aic     bbn-unix 
mitre-bedford   cornell         nta-vax         uwisc/crystal   csnet-sh 
ucb-vax/ingres/calder/medea/cad                 isi-vaxa/elvira/xorn 
sri-unix        ucla-ats/locus/cs/vax           su-shasta/diablo/navajo 
  
pps  As of 8/31/83, we have been logging all activity originating at UCLA, and 
     going out thru FTP and TELNET.  (ie, we 'bugged' ftp and telnet to record 
     all bits going/coming)  We therefore have a pretty good record of what the 
     bandits were doing.  (Yesterday I turned over 4000 (yes thousand) pages of 
     ftp/telnet logs to the DA)  We have also been doing CSH commmand history 
     logging.  If you would like more gory details about activity relating to 
     you site, please give me a call. 
  
----------------------------------------------------- 
Date:  31 Oct 1983 11:02:45 PST 
From: guy @ UCLA-LOCUS 
Subject:  Re: HACKER ROUNDUP - WITNESSES NEEDED 
In-reply-to:  Your message of 31 October 1983 10:29 EST. 
Text:  
I just got off the phone with ..........., the deputy DA prosecuting 
the case.  He says that since we have talked with all the folks we expect 
to be using, there's no problem in telling all the site administrators what's 
been going on.  If any new evidence/sites turn up, we're interested, but it is 
doubtful that it would be used in this particular case. 
  
Note especially that we're only filing charges against one of the two guys, 
and if more info turns up on the second, that would be VERY useful.  The two 
key first names are 'ron' and 'kev', short for Ronald and Kevin.  These guys 
have a habit of changing their UNIX 'full name' to at least be their first 
name, if not their last name as well. (they have been known to use a 
fictitious surname on-line.)  We're filing against Ronald, initially. 
  
They were active at UCLA from August 1 through Sep 22, when they were served 
search warrants, and their toys confiscated.  One had a Commodore, the other 
a TRS color computer.  Both had cassettes, neither had floppys or printers. 
Both had 300-baud modems.  Both had UNIX manuals--one had a two volume set 
from Bell system III; the other had the Yates book.  One had also purchased 
UCLA CSDept documents on using UNIX. 
  
We know that a third person was involved, and that accesses to UCLA continued 
briefly even after the equipment was confiscated.  Other sites have also 
noticed that some activity is still occurring. 
  
richard 
  
ps 
  
I suspect that this note, with excerpts from the others, are what you want   
to publish to the liasons/administrators.  Also note, that due to the wonder 
of transparent gateways, ANY host accessible directly by ftp/telnet is a     
potential victim.  Not to mention anyone with a dial-in.  Our bandits used   
(fraudently) both MCI-type long-distance dialing codes, as well as dial-out 
facilities from various penetrated systems.                                 
  
          -------------END OF FORWARDED MESSAGE(S)------------- 
   
  
  
------------------------------------------------------------------------------- 
  
 WOW! The kids broke in with a TRS-80 Color Computer and a Commodore! 
Anyway, those super-intelligent TAC guys left a tutorial on how to log on to 
the system..... This should help any hackers interested in hacking out their 
own P/W's & logon accounts........... Here it is........ 
  
------------------------------------------------------------------------------- 
  
TACACS, the access control system for MILNET TAC's, requires you to  
login before a connection to a host may be completed. The login process 
is automatically started with the first @open (@o) command you issue.  
There is also a new @logout (@l) command to logout. Otherwise, the  
functioning of the TAC is essentially unaffected by the access control  
system. 
  
Here is a sample of the login dialog (the user input is underlined): 
  
(a) PVC-TAC 111 #: 01                This is the last line of the TAC 
                                     herald, which the TAC uses to 
                                     identify itself.  When you see the 
                                     herald, the TAC is ready for your 
                                     command. 
  
(b) @o 26.2.0.8              The user inputs the command to 
    -------------------              open a connection plus the 
                                     internet address of the host to 
                                     which he wishes to connect, 
                                     followed by a Carriage Return. 
  
(c) TAC Userid: SAMPLE.LOGIN Here the TAC prompts the user for 
                -------------------- his Userid.  The user enters his 
                                     ID exactly as shown as shown on 
                                     his TAC Access Card, followed by 
                                     a Carriage Return. 
  
(d) Access Code: 22bgx4467   Again the TAC prompts the user, 
                 -----------------   who responds by entering his 
                                     Access Code as shown on his TAC 
                                     Access Card, followed by a 
                                     Carriage Return. 
  
(e) Login OK                         The TAC validates the ID/Access 
    TCP trying...Open                code and proceeds to open the  
                                     requested connection. 
  
HELPFUL INFORMATION: 
  
When entering your TAC Userid and Access Code: 
  
- A carriage return terminates each input line and causes the next 
  prompt to appear. 
  
- As you type in your TAC Userid and Access Code, it does not matter 
  whether you enter an alphabetic character in upper or lower case. 
  All lower case alphabetic characters echo as upper case for the 
  Userid. 
  
- The Access Code is not echoed in full-duplex mode.  An effort is 
  made to obscure the Access Code printed on hardcopy terminals in 
  half-duplex mode. 
  
- You may edit what you type in by using the backspace (Control-H) 
  key to delete a single character. 
  
- You may delete the entire line and restart by typing Control-U. 
  A new prompt will appear. 
  
- While entering either the TAC Userid or Access Code, you may type 
  Control-C to abort the login process and return to the TAC command 
  mode. You must interrupt or complete the login process in order to 
  issue any TAC command. 
  
  
IF YOU HAVE A PROBLEM WITH TAC LOGIN: 
  
Should the login sequence fail (as indicated by the response "Bad 
login"), examine your Access Card carefully to ensure that you are 
entering the ID and Access Code correctly.  Note that Access Codes never 
contain a zero, a one, a "Q" or a "Z", since each of these characters 
may be mistaken for another character.  If you see what appears to be 
one of these characters in your access code, it is really the letter "O" 
(oh), or "G" (gee), the letter "L" (el), or the number "2" (two). 
  
If you have followed all of the above steps as indicated, and if you  
are sure you are entering your ID and Access Code correctly, and you  
still cannot login, call the Network Information Center at (415)  
859-3695 or (800) 235-3155 for help. 
  
AFTER LOGGING IN: 
  
Your TAC port will remain logged in as long as you have an open 
connection.  If you close the connection, you will have ten minutes in 
which to reopen a connection without having to login again. If you do 
not reopen a connection within ten minutes, the TAC will attempt to hang 
up your port, and will automatically log you out. 
  
WHEN YOU ARE FINISHED: 
  
Always logout using the "@l" command. Typing "@r" has no effect on your 
logged in status. 
  
-------- 
  
If you now wish to login to the TAC, leave the TACNEWS program by  
typing "quit" at the next prompt.  This will return you to the TAC, and 
you may then begin the login sequence with the "@o" command to the TAC. 
  
[15 Feb 1984] 
  
---------------------------- End of Issue ---------------------------- 
  
Well, that's about it for this issue.... Maybe another file will be coming soon 
, but who knows? Anyway, I'll show you how I (tried to) log off this very 
advanced UNIX system. (Hah!) 
  
TACnews> QUIT 
Killed Job 27, User TACNEWS, Account QUERY, TTY 110, at 14-Sep-84 14:42:03 
 Used 0:00:02 in 0:06:51 
Closed 
Host closing connection 
@LOGOFF 
Can't 
@BYE 
 Bad 
LOGOFF 
@OFF  Bad 
@goodbye 
 Bad 
@BYE 
 Bad 
  
  
(I now take my phone off the hook and push the 1 button 10 times) 
  
NO CARRIER 
  
  
copyright 1984 
Hackalot Publications 
New York,New York headquarters. 
Divisions in : Chicago 
               Boston 
               L.A. 
               Denver 
               Dallas 
and of course, San Francisco. 
  
   /////////////////// 
   // T             // 
   //   H           // 
   //     E         // 
   //               // 
   //        E      // 
   //          N    // 
   //            D  // 
   /////////////////// 
done 
done