From mboxrd@z Thu Jan 1 00:00:00 1970
From: don@DonHopkins.com (Don Hopkins)
Date: Thu, 2 Nov 2017 18:57:29 +0100
Subject: [TUHS] Happy birthday, Morris Worm!
In-Reply-To:
References: <1509630411.25641.for-standards-violators@oclsc.org> <7335deff-4c63-51d9-ec9b-7435a32ae3c7@gmail.com> <20171102150019.GC1495@h-174-65.A328.priv.bahnhof.se> <4AC59DB7-BCDC-4F0C-9989-ED635884F9AB@tfeb.org>
Message-ID:

Inspired by RTM’s Internet Worm and the Iran Contra Scandal, I wrote an OPS-5 program for my CMSC421 AI project that simulated breaking into Oliver North’s Intimus-007s paper shredder and posting some incriminating documents to the email => talk.rumor gateway at ucbvax.

It (pretend) started out on my (real) AI professor’s (Jim Hendler) Sun (pretend) workstation dormouse, then got into the (pretend) CS department VAX mimsy through his .rhosts file. It just so happened that (for real) mimsy.cs.umd.edu had a lot of courtesy “network contact” users who worked for the NSA at Fort Meade, since we had a MILNET connection through the infamous NSA IMP 57 (which you were not supposed to say in public). (The fact that mimsy.cs.umd.edu and dockmaster.ncsc.mil had similar IP addresses kind of gave it away.)

http://multicians.org/site-dockmaster.html

Then it used the IFS hack to get root on (pretend) mimsy, and then (pretend) spread as far as it could by (pretend) chaining through .rhosts files and other various (pretend) hacks, (pretend) user name / password guessing, (pretend) rms’ing into prep, etc. OPS-5 is really great at that kind of stuff (for real)!

https://en.wikipedia.org/wiki/OPS5

It eventually (pretend) found its way to (pretend) tycho, which was (for real) one of NSA’s unix machines, PDP-11 running version 6 unix (which nobody was supposed to say in public, otherwise they were forced to publicly apologize and endorse the official NSA cover story that very few employees of NSA are even aware that USENET exists).
https://groups.google.com/forum/#!topic/net.net-people/pavX0NDLSjA

Fortunately (pretend) Oliver North had an account on (pretend) tycho, so it was able to (pretend) break into his (pretend) basement server in the White House, and then into his (pretend) Intimus-007s paper shredder (“the ace of security paper shredders” — which is the model he had for real), where it found some interesting (pretend) documents that it (pretend) posted to (pretend) Usenet!

Check out this baby, isn’t it a beauty:

http://www.the-shredder-warehouse.com/intimus-007sf

-Don

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; A useful OPS-5 program
; Don Hopkins, University of Maryland
; CMSC421, Project 6
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

(literalize user user password first last host)
(literalize file name owner writable host)
(literalize goal status type file user password host ruser rhost)
(literalize rhosts user host ruser rhost)
(literalize session user host)
(literalize log user host status serial)

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

(p crack1
  (session ^user ^host )
  (rhosts ^user ^host ^ruser ^rhost )
  (user ^user ^host )
  -(session ^user ^host )
  -->
  (make goal ^type rlogin ^status active ^user ^host ^ruser ^rhost ))

(p crack2
  (session ^user ^host )
  (user ^user ^password none ^host )
  -(session ^user ^host )
  -->
  (make goal ^type telnet ^status active ^user ^host ^ruser ^password none ^rhost ))

(p crack3
  (session ^user ^host )
  { (goal ^type telnet ^status active ^user ^host ^ruser ^password ^rhost ) }
  (user ^user ^host )
  -->
  (write (crlf) ... from at ... telnet (crlf) ... login password )
  (make goal ^type login ^status active ^user ^host ^password )
  (modify ^status satisfied))

(p crack4
  (session ^user ^host )
  -(session ^user root ^host )
  -->
  (make goal ^type crack ^status active ^host ))

(p crack5
  (session ^user root ^host )
  { (goal ^type su ^status active ^user ^host ) }
  (user ^user ^host ^password )
  -(session ^user ^host )
  -->
  (write (crlf) ... su from root to at )
  (make goal ^type login ^status active ^user ^host ^password )
  (modify ^status satisfied))

(p crack6
  (session ^user root ^host )
  (user ^user <> root ^host )
  -(session ^user ^host )
  -->
  (make goal ^type su ^status active ^user ^host ))

(p crack7
  (session ^user sysdiag ^host )
  (user ^user root ^host ^password )
  { (goal ^type crack ^status active ^host ) }
  -(session ^user root ^host )
  -->
  (write (crlf) ... sysdiag at is equivalent to root)
  (make goal ^type login ^status active ^user root ^host ^password )
  (modify ^status satisfied))

(p crack8
  { (goal ^type rlogin ^status active ^user ^host ^ruser ^rhost ) }
  (session ^user ^host )
  (user ^user ^host ^password )
  (rhosts ^user ^host ^ruser ^rhost )
  -(session ^user ^host )
  -->
  (write (crlf) ... from at ... rlogin to at )
  (make goal ^type login ^status active ^user ^host ^password )
  (modify ^status satisfied))

(p crack9
  (session ^user ^host )
  (file ^user passwd ^writable yes ^host )
  { (user ^user root ^password <> none ^host ) }
  (goal ^type crack ^status active ^host )
  -->
  (write (crlf) ... passwd file is writable on ... removing root password)
  (modify ^password none))

(p crack10
  { (goal ^type login ^status active ^user ^host ^password ) }
  (user ^user ^host ^password )
  -->
  (bind )
  (write (crlf) ... audit of OK login at password )
  (make session ^user ^host )
  (make log ^user ^host ^status OK ^serial )
  (modify ^status satisfied))

(p crack11
  { (log ^user ^host ^serial ) }
  (session ^user root ^host )
  (goal ^type covert)
  -->
  (write (crlf) ... cleaning up audit of login at )
  (remove ))

(p crack12
  { (session ^user ^host ) }
  (goal ^type crack ^status active ^host )
  (file ^name preserve ^host )
  -(goal ^type ifs-hack ^host )
  -->
  (write (crlf) ... trying IFS hack and logging out from at )
  (make goal ^type ifs-hack ^status active ^host )
  (remove ))

(p crack13
  { (user ^user root ^host ) }
  { (goal ^type ifs-hack ^status active ^host ) }
  (file ^name preserve ^host )
  -->
  (write (crlf) ... IFS hack succeeded in removing root password at )
  (modify ^password none)
  (modify ^status satisfied))

(p crack14
  (session ^user ^host )
  (file ^name ^owner ^host )
  { (goal ^type mail ^status active ^file ^ruser ^rhost ) }
  -->
  (write (crlf) ... found belonging to at (crlf) ... mailing to at )
  (modify ^status satisfied))

(p crack15
  (session ^user ^host )
  (goal ^type mail ^status satisfied)
  (goal ^type covert)
  -->
  (make goal ^type logout ^status active ^user ^host ))

(p crack16
  (goal ^type mail ^status satisfied)
  -(session)
  -->
  (write (crlf) ... time to stop fooling around and go read some netnews)
  (halt))

(p crack17
  { (goal ^type login ^status active ^user ^host ^password ) }
  (user ^user ^host ^password <> )
  -->
  (bind )
  (write (crlf) ... audit of BAD login at password )
  (make log ^user ^host ^status BAD ^serial )
  (modify ^status satisfied))

(p crack18
  (session ^user ^host )
  (user ^user ^host ^first { <> nil})
  -(session ^user ^host )
  -(goal ^type covert)
  -(goal ^type telnet ^status satisfied ^ruser ^rhost ^password )
  -->
  (write (crlf) ... guessing user at password )
  (make goal ^type telnet ^status active ^user ^host ^ruser ^rhost ^password ))

(p crack19
  (session ^user ^host )
  (user ^user ^host ^last { <> nil})
  -(session ^user ^host )
  -(goal ^type covert)
  -(goal ^type telnet ^status satisfied ^ruser ^rhost ^password )
  -->
  (write (crlf) ... guessing user at password )
  (make goal ^type telnet ^status active ^user ^host ^ruser ^rhost ^password ))

(p crack20
  { (session ^user ^host ) }
  { (goal ^type logout ^status active ^user ^host ) }
  -->
  (write (crlf) ... logging out from at )
  (remove )
  (modify ^status satisfied))

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

(p t1
  (start 1)
  -->
  (make goal ^type covert)
  (make start 2))

(p t2
  (start 2)
  -->
  ; host tycho
  (make file ^name preserve ^owner root ^host tycho)
  (make user ^user root ^password unknown ^host tycho)
  (make user ^user casper ^password unknown ^host tycho)
  (make rhosts ^user casper ^host tycho ^ruser casper ^rhost mimsy)
  (make user ^user ollie ^password unknown ^host tycho)
  (make rhosts ^user ollie ^host tycho ^ruser ollie ^rhost basement)
  ; host basement
  (make user ^user root ^password ron ^host basement ^first ron ^last reagan)
  (make user ^user casey ^password bill ^host basement ^first bill ^last casey)
  (make user ^user fawn ^password unknown ^host basement ^first fawn ^last hall)
  (make rhosts ^user fawn ^host basement ^ruser fawn ^rhost intimus-007s)
  (make user ^user iatollah ^password unknown ^host basement ^first guest ^last iranian)
  (make rhosts ^user iatollah ^host basement ^ruser allah ^rhost persia)
  (make user ^user ollie ^password unknown ^host basement)
  (make rhosts ^user ollie ^host basement ^ruser ollie ^rhost tycho)
  (make file ^name notes ^owner ollie ^host basement)
  ; host intimus-007s ("the ace of security paper shredders")
  (make user ^user fawn ^password unknown ^host intimus-007s)
  (make rhosts ^user fawn ^host intimus-007s ^ruser fawn ^rhost basement)
  (make user ^user ollie ^password north ^host intimus-007s ^first ollie ^last north)
  (make file ^name diary ^owner ollie ^host intimus-007s)
  ; host mimsy
  (make file ^name passwd ^writable yes ^owner root ^host mimsy)
  (make user ^user root ^password unknown ^host mimsy)
  (make user ^user casper ^password unknown ^host mimsy)
  (make rhosts ^user casper ^host mimsy ^ruser casper ^rhost tycho)
  (make user ^user hendler ^password unknown ^host mimsy)
  (make rhosts ^user hendler ^host mimsy ^ruser hendler ^rhost dormouse)
  ; host dormouse
  (make user ^user root ^password unknown ^host dormouse)
  (make user ^user sysdiag ^password none ^host dormouse)
  (make user ^user hendler ^password unknown ^host dormouse)
  (make rhosts ^user hendler ^host dormouse ^ruser hendler ^rhost mimsy)
  ; host prep
  (make user ^user rms ^password rms ^host prep)
  ; give ourselves a meaning in life ...
  (make goal ^type mail ^status active ^file diary ^ruser post-talk-rumor ^rhost ucbvax)
  (make goal ^type mail ^status active ^file notes ^ruser post-talk-rumor ^rhost ucbvax)
  ; and point us in the right direction ...
  (make session ^user nobody ^host nowhere)
  (make goal ^type telnet ^status active ^user nobody ^host nowhere ^ruser rms ^password rms ^rhost prep))
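
Added example, not part of the message above or of its OPS-5 program: a defender's audit of the same .rhosts trust data, in Python, showing how far trust alone carries from one host and which single entries break the chain. The function names, the reading of each fact as "user@host's .rhosts trusts ruser@rhost", and the whole-host worst-case rule are assumptions of this example.

```python
from collections import defaultdict, deque

# Constructed inventory: the nine rhosts facts from the message, read as
# (user, host, ruser, rhost) = user@host's .rhosts trusts ruser@rhost.
RHOSTS = [
    ("casper", "tycho", "casper", "mimsy"),
    ("ollie", "tycho", "ollie", "basement"),
    ("fawn", "basement", "fawn", "intimus-007s"),
    ("iatollah", "basement", "allah", "persia"),
    ("ollie", "basement", "ollie", "tycho"),
    ("fawn", "intimus-007s", "fawn", "basement"),
    ("casper", "mimsy", "casper", "tycho"),
    ("hendler", "mimsy", "hendler", "dormouse"),
    ("hendler", "dormouse", "hendler", "mimsy"),
]

def blast_radius(entries, start_host):
    """Hosts reachable from start_host by following .rhosts trust only.

    Worst-case assumption made for this example: losing any one account
    on a host is treated as losing the whole host.
    """
    graph = defaultdict(set)          # trusted host -> hosts that trust it
    for _user, host, _ruser, rhost in entries:
        graph[rhost].add(host)
    seen, queue = {start_host}, deque([start_host])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start_host}

def cut_entries(entries, start_host, protected_host):
    """Single .rhosts entries whose removal isolates protected_host."""
    return [e for i, e in enumerate(entries)
            if protected_host not in
            blast_radius(entries[:i] + entries[i + 1:], start_host)]

def external_trust(entries):
    """Entries that trust a host with no inventoried .rhosts of its own."""
    inventoried = {host for _u, host, _ru, _rh in entries}
    return [e for e in entries if e[3] not in inventoried]

if __name__ == "__main__":
    print(sorted(blast_radius(RHOSTS, "dormouse")))
    for e in cut_entries(RHOSTS, "dormouse", "intimus-007s"):
        print("remove to isolate the shredder:", e)
    print("trust leaving the inventory:", external_trust(RHOSTS))
```

Every hop between dormouse and intimus-007s rests on exactly one .rhosts entry, so removing any one of the four entries that cut_entries returns is enough to break the chain.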