Date: Sun, 1 May 88 13:33:11 +0100
From: Brian Randell
Subject: Prestel Hacking

The most celebrated "telephone hacking" court case in Britain so far involved penetration of British Telecom's Prestel viewdata service. Legal history seemed to have been made when the perpetrators were convicted of having committed forgery! However the Appeal Court threw out the conviction, and this decision has just been finally confirmed by the House of Lords. Thus in Britain, at any rate, it seems that new laws will be needed to cope with such activities.

On April 28, the Guardian carried a lengthy article, written by one of the hackers. It is given here, in its entirety (without permission), for the editor to hack out those parts which are most likely to be of interest to the RISKS readership. [Why should PGN have a British Telecom-like monopoly on bad puns!]

Brian Randell

HACKERS LET OFF THE HOOK

Steve Gold explains what really happened in the Prestel case, resolved by the Lords last week:

"The first inkling I had that there was a world ready to be dialled up was when British Telecom installed international direct dialling in my home town, Sheffield, back in 1971. I soon discovered that you could dial certain codes and, subject to a slight deterioration in call quality, not incur any charges. This cost me dear. In May 1975, along with several other Sheffield students, I was fined (pounds)100 for placing national and international telephone calls without payment.

Several years later, in 1983, I bought a computer. And while I was fiddling away with my Sinclair Spectrum, East Midlands Allied Press was busy negotiating with British Telecom to launch a microcomputing service on Prestel: Micronet 800. Initially the service was available to users of the Acorn BBC micro, but soon Micronet and Prestel launched a Sinclair Spectrum hard-wired modem, the Prism VTX5000. In August 1984 I bought one for (pounds) 74.95. I was equipped to use Prestel, but Prestel was boring.
While waiting to be admitted to Micronet 800, I discovered that, if you sounded plausible enough, you could gain editing rights to unrouted pages on the Prestel database. These pages were known as the Prestel Scratchpad. A friend and I joined forces and developed a software editor for the Spectrum/VTX5000 combination and, much to Prestel's incredulity, began to use it to edit Prestel pages offline and upload them to the database. Before long, Micronet 800 hired us to edit pages on their database.

In the summer of 1984, an electronic acquaintance (we had never met) told me that he'd discovered a simple ID of ten 2s and a password (1234) which gained admission to Prestel without paying. That was Robert Schifreen, and the ID was a Mr G. Reynolds, whose profile on Prestel identified him as a member of BT staff. He was entitled to look at areas on the database not normally accessible to members of the general public. Those pages contained the nucleus of how Prestel worked, right down to the telephone numbers of Prestel computers we'd never even heard of.

One of these "development computers" had an unusual log-on frame: it welcomed modem users with, and prompted them to enter, their ID and password. It had a series of numbers on its log-on frame which both Robert and myself recognised as a Prestel ID and password. Keying in these numbers resulted in the user logging on (that is, gaining admission to the database) as the system manager.

The system manager could do things with Prestel that no other user could do. This included interrogating the user files to obtain IDs and passwords by the cartload. Thus, at the press of a few keys, the system manager could obtain information that enabled him or her to log on as any other subscriber on the system. Also, using information-provider IDs and passwords, it was possible to alter or amend pages. We had hacked Prestel at the highest level.
However, power brings responsibility, and since we were both active contributors to the Micronet database, we approached Micronet's staff to show them. Micronet duly contacted Prestel, who were made aware of the incredible loophole in their security.

Prestel strove to protect the integrity of their database. Changing everyone's ID on the database was not worthwhile, in its opinion. Information providers - high-ranking subscribers who rented their own pages - were seen as a high risk, since anyone using their IDs and passwords (obtained using the system manager ID) could alter or delete pages at will. So within a matter of days, Prestel changed the information-provider passwords.

But they made a mistake. Instead of changing them completely, they merely transposed the access and editing passwords! Since Robert and I were editors on the system (using Micronet-supplied IDs) we were notified that our original passwords of (say) ABCD and 1234 had turned into 1234 and ABCD. After a phenomenal process of deduction, we applied the same transposition to a selection of information-provider passwords in our possession. They worked.

Fortunately for BT, information providers realised the crassness of Prestel's attempt to plug its security and changed their own passwords, thereby barring normal (but unauthorised) access to Prestel editing facilities to Robert and myself.

But amazingly, Prestel had left a trapdoor for us to use. The high-speed update ports, by which information providers could edit their pages in bulk, required only an editing password. Most information providers kept their own editing password, believing that their access passwords had been changed. After noting a little judicious editing, Prestel was faced with the awful truth: its security division had said that the hacker problem had been resolved, yet pages were being changed again under their noses. Prestel finally changed its information-provider IDs and passwords, thereby plugging the gap.
And that seemed to be that. We had told Prestel (via Micronet) about the security lapse. We'd also had a little fun at Prestel's expense. Prestel recognised what we had done, and that we hadn't done anything stupid such as altering or deleting pages on the database. The incident passed into history, or so we thought.

During October and November, Prestel placed a telephone tap on Robert's north London home telephone line. After monitoring his activities they found he was frequently calling a Sheffield number (he was comparing notes with me). By January 1985, they thought they had enough information to prosecute us both.

Had we known about it, we would have expected a prosecution under the Theft Act - for theft of (minute amounts of) electricity. But Prestel and BT were worried about computer-hacking. IDs and passwords were being exchanged at an alarming rate. Prestel IDs (as passwords) were assuming the same level of security as train numbers. ID spotters (apprentice hackers) were hanging around on Prestel, using the message boards (chatlines) to exchange passwords.

BT logged Robert sending me an electronic mail message (using someone else's ID and password). The message contained the ID and password of that account. BT later produced that message in court as confirmation of our hacking activities. Unknown to BT (and Robert) however, I had already obtained this particular ID and password from the Prestel chatlines. I already knew that these particular details were passing around dozens of users.

Prestel had problems. Hordes of youthful users were staging multiple log-ons. One particular group even boasted of its intention to "clock" an account one weekend. Like car mileometers, Prestel accounts had a rolling tally of the charges on an account. These went up to (pounds) 9,999.99, at which point the meter would roll over to zero and start again.
The chatline boasters intended continually to access chargeable areas of the database until the (pounds) 10,000 mark was broached. Such pointless activities took place often in 1985.

Prestel thought they had tracked two major hackers in Robert and myself. In fact they had latched onto two journalists who were compiling a dossier of online security breaches. The real hackers were - and are - still at large.

On Tuesday March 26, two groups of police officers and BT staff simultaneously raided my house in Sheffield and Robert's house in north London. We were both driven to Holborn police station in London and held overnight and throughout most of the following day. It was with some amazement that I discovered in the course of my interview with Detective Inspector John Austin and BT security chief Ron Aston, that I had been arrested for hacking. Up to that point I had suspected that someone - probably an online acquaintance - had committed a major bank robbery.

We were subsequently charged with committing a number of offences contrary to the Forgery Act 1981. Forgery is, we were told, a serious offence and can carry a prison sentence of ten years. Ten years - just for breaking into Prestel, and telling them what we had done!

Rather than printing dud fivers in our kitchens we had "forged" an area of Ram (random access memory) in the Prestel computer - using our modems over the telephone line - which existed for about one fortieth of a second before being wiped clean. Could BT provide the instrument (the area of Ram) in court, the judge asked. No, since the area of Ram was ethereal. It was, in fact, an area of the program known as the user segment.

Our guilt or innocence hinged on how an electronic signal was interpreted by the court. We were convicted and fined, but the case came up for appeal in July last year. The three Appeal Court judges - presided over by Lord Justice Lane - mulled over the arguments.
Several weeks later, Lord Lane announced he was quashing the conviction, calling the case a blatant attempt to mould the facts of the case to fit the scope of the Forgery Act. I was dismayed to discover that BT had applied to take the case further, to the House of Lords. But the highest court in the land concurred with Lord Lane's decision from the Appeal Courts that, if hacking was to be considered a crime, then a change in the law was required. We are free, but the issue remains unresolved."