A Tale of Hacking, Before the Internet Existed

The letter said, "We have decided to suspend your use of the University Computers until this issue has been investigated." I was busted!

Back in those days, in the early 80s in the UK, there were no laws that could get you locked up or fined for hacking, luckily for me. I had to resit an exam to get my degree, but I didn't need a computer for that.

The hacking started in my first year, three years earlier. Within a week or two of starting as a freshman in late 1977, I'd learned and got bored with BASIC, the programming language we all needed to know.

In those days, personal computers (CBM Pet, TRS-80, or Apple II) cost a minimum of $1,500 and no one that I knew owned one. My computer access was only during the week via old teletypes or ancient VDUs in a computer building. We time-shared access to a creaking ICL 1904A mainframe that ran out of steam when just three people played the old BASIC Star Trek game. If you've got a copy of the David Ahl's Basic Computer Games book with all the game listings in BASIC, you'll find it listed there. I've still got my copy...

The 1904A mainframe ran an interactive service and was paired with another mainframe, an ICL 1906S that did all the serious work. This was typical of 1970s data processing with punched cards and jobs run in batches. You put the job cards in and two hours later came back for the printouts. Huge line printers spat out reams of printouts at high speed under the control of George, ICL's very own mainframe operating system.

This was a much more innocent time. When I started using it 1977, I was given account number BAFC1068 and didn't need a password at all to log into the interactive service on the 1904A. In the computing building that was located down a Victorian mews, we had a room with eight teletypes and VDUs that connected remotely to the big computer center that held the mainframes. The room also possessed a tatty manual that listed the available commands, all 20 of them. You could log in, edit files, run programs, etc.

Now out of curiosity, I figured that with two letters there could be a maximum of 26 x 26 = 676 commands and wrote a program to generate a text file of all 676. I then ran it as a batch file. Most lines produced "command unknown" errors but I hit gold and found ten unlisted commands. One, in particular, was CX, short for context and it altered your state as a user. CX LOGIN for example instantly logged you in without needing an account number or even doing a login.

As I found out a few days later, when I logged in with CX, you had no resources allocated and the first time I loaded the Basic Interpreter the computer crashed. Now it's not great when you blue screen a PC but doing it to a mainframe and causing a dozen people to lose all their unsaved work is definitely a bad ass thing to do.

Just to be sure that it wasn't me after it rebooted fifteen minutes later, I tried it again. After it crashed immediately again, I was convinced that yes it was me. They were actually quite nice about it when the phone call came a week later. "What exactly did you do last week?" I confessed and got told sternly not to do it again.

Around the same time, just before Christmas 1978 one of the Ph.D. students in the computer department thought it would be nice to put a Christmas ASCII ART scene on the front page of all printouts. Unfortunately, he botched it and it took £5,000 of operator time to repair the damage. Only an intervention by his professor saved him from being kicked off his postgraduate course.

With these activities going on, the decision to add passwords was made by the powers that be. With a looming deadline for automatic setting of passwords for anyone who hadn't set a password manually, I spent a mad week of lunchtimes between lectures logging into the 200 accounts that I had purloined (out of 2,000) and setting my passwords.

The same account gave you access to both the interactive service on the 1904A and batch jobs on the 1906S but most university users only used the batch service so I nabbed the interactive service accounts. I'd been lucky to find a big listing of accounts in one of the computing advisory offices dotted around the University. Why did I acquire them? Because each account came with a massive 20K of storage and a graduate student had bequeathed me a collection of ASCII ART and I needed three accounts to hold them all.

To avoid having 200 passwords the same (out of 2,000!) and not wanting to remember or write down 200 passwords I reversed the account name as the password. BAFC1068, for instance, became CFAB8601. It was easy to remember and way less obvious than 200 identical passwords. The computer center kept a paper listing of all the accounts and passwords so one in ten accounts having the same password might have appeared suspicious. My 200 accounts remained safe for almost two years though I probably never used more than ten.

Fast forward two years and just before my final exams and my eventual banning, I acquired an electronic copy of that password listing file.

In the computer center, they kept the password listing in a lockable cupboard. It was brought out for anyone who had forgotten their passwords. A friend had told me that the cupboard key was hidden in a pile of paperclips in a container on a desk. As the computer center stayed open late with minimum staff after 5 PM when no one was around I found the key, opened the cupboard, took out the listing, and obtained both the account which had the password file on disk and the password for that account.

I later copied the computer file into one of my accounts and wrote a program that searched the file for any account and printed the password. I had pwned the University's computers but my success was to be fairly short lived.

On the last day of the term just three weeks later, after exams had finished, the director of the computer center had been walking round and spotted some students playing games on the terminals there. He threw a tantrum about wasting resources, kicked them out of the building after giving them a telling off, and ordered an immediate investigation into who was using or abusing the system.

As it was my last day I'd been logging into accounts from a remote office. Knowing that I was leaving I had been covering my tracks, removing the password file, ASCII ART, etc. But I was the only one in that remote office that day so that's how they determined I'd been logged in using someone else's account and a week later the letter came.

As for me, I passed the resit exam and got my degree in Computing Science. My time as a hacker was over.