On the one hand, our staff were pretty knowledgeable. For example, they physically isolated the fileserver and admin workstation from the rest of the Econet before performing management operations, precisely because they knew passwords were in the clear on the wire.
On the other hand, I wrote the membership software for the school computing society. Since members had accounts on the SJ Research file server, this dumped out scripts to create and remove users, which I then had the sysadmin run. They claimed they reviewed the scripts before running them and I'm quite sure they did the first few times. I bet they got careless after a while, though. Conversely, I was trustworthy, so it was all OK. (-8
Meanwhile, there was a small dedicated group of us that took anything and everything apart. We did write a hacked version of NETMON which only looked for *I AM commands. Indeed, we got to the point where we'd taken apart NETMON and NFS enough that we knew in principle how to make a hacked NFS which ran from sideways RAM and silently logged *I AM commands in the background while you were innocently doing something else.
(Incidentally, the "*I AM :" mechanism was entirely client-side. It prompted for the password then sent a normal *I AM command, password included, over the wire.)
But we never bothered deploying that. Far simpler was just to go round a loop peeking &3E0-&3FF from each machine to get their keyboard buffers, including the most recent 32 keystrokes. 32 keystrokes from each machine on the network fitted quite neatly in one MODE 7 display.
A thing I wrote out of morbid curiosity, then hid away because some things belong dead, was a hacked NFS which allowed you to change your station number. But I went one step further with *JAM and *UNJAM commands. *JAM would cause a line jam on the Econet, unjamming only when I wanted to send or receive. This meant you could hijack another station's file server login and lock them out from interfering with whatever you chose to do.
One of my friends wrote an entertaining utility ROM for the BBC Micro which could molest an Archimedes over the Econet. Particularly, it could hack various video games. If you were feeling nice, a player might suddenly find they had a lot more lives in Zarch; if not, well, they probably didn't really want all that fuel after all.
My nastiest hack, though, was an Econet worm. Every running copy of it repeatedly tried to infect every other computer on the Econet. If you power-cycled a machine, it would get re-infected more quickly than you knew how to prevent. Your only hope was to power cycle with your network lead unplugged and happen to have memorised "A%=19:X%=0:Y%=9:!&900=&FF05:CALL&FFF1" to protect yourself. The only way to completely kill the worm was to switch off every infected computer simultaneously.
Needless to say, I wrote that on a rainy afternoon when the fileserver was down and the room was practically deserted.
Knowing I was playing with fire, I was quite careful to make sure people couldn't get a copy of it. Infection was a two-part process: the payload was obfuscated, and the critical section which infected other computers was garbage you had to EOR with the subsequent JSR immediate operation's argument block. Also, it put important code at &700, so if you protected yourself against JSR but not Poke you'd instantly destroy the payload if you were running BASIC.
Unfortunately, one of my friends used NETMON to see what was going on. With their machine protected, they wrote some code that:
- Re-enabled Poke
- Waited a few seconds
- Disabled Poke
- Copied &400-&7FF up into higher memory
- Hacked the JSR entry point to JMP into their code fragment
- Re-enabled JSR
- When the hacked JSR entry was called, collected the argument block into higher memory, disabled JSR and did *BASIC
Finally, they had what they needed to reverse-engineer the payload. Frankly, it would have been easier just to write their own worm!
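As an added illustration (this is not the original worm, NFS or NETMON code, which the post does not reproduce), the following Python model walks through the mechanics described above: the two-part infection (Poke an EOR-obfuscated payload to &700, then a JSR whose argument block is the EOR key), the capture sequence of re-enabling Poke, disabling it, copying &400-&7FF, hooking the JSR entry and collecting the argument block, the point that a BASIC machine protected against JSR but not Poke clobbers the payload at &700, and the simpler keyboard-buffer harvest from &3E0-&3FF mentioned earlier. The immediate-operation names and addresses are taken from the text; the placeholder payload bytes, the argument block, the sample keystrokes, the 64K memory model and the assumption that BASIC's line-input buffer sits at &700 are mine.

```python
# Added example, not the original code. Addresses and immediate-op names follow the
# post; payload bytes, argument block, keystrokes and the memory model are constructed.

PAYLOAD_BASE = 0x400       # the friend copied &400-&7FF
CRITICAL_AT = 0x700        # "important code at &700"
INPUT_BUFFER = 0x700       # BASIC line-input buffer (assumption, as the text implies)
KEYBOARD_BUFFER = (0x3E0, 0x400)   # 32 bytes of keystrokes per station

CRITICAL = bytes.fromhex("a9ff8d0009a2004c00070060a2ff9a")  # placeholder, not real 6502
ARG_BLOCK = bytes.fromhex("5a3c96e1")   # constructed JSR argument block = EOR key


def eor(data, key):
    """EOR each byte against a repeating key block; applying it twice restores data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class Station:
    """One Econet station: 64K of memory plus the set of immediate ops it refuses."""

    def __init__(self, protect=()):
        self.mem = bytearray(0x10000)
        self.protect = set(protect)      # subset of {"Peek", "Poke", "JSR"}
        self.jsr_handler = None          # the friend replaces this with a hook
        self.infected = False
        self.captured = None

    def peek(self, start, end):          # remote Peek
        return None if "Peek" in self.protect else bytes(self.mem[start:end])

    def poke(self, addr, data):          # remote Poke
        if "Poke" in self.protect:
            return False
        self.mem[addr:addr + len(data)] = data
        return True

    def jsr(self, addr, args):           # remote JSR carrying an argument block
        if "JSR" in self.protect:
            return False
        return (self.jsr_handler or execute_payload)(self, addr, args)


def execute_payload(station, addr, args):
    """Normal JSR entry: decode the poked bytes with the argument block and run them."""
    code = eor(bytes(station.mem[addr:addr + len(CRITICAL)]), args)
    station.infected = (code == CRITICAL)   # wrong key or clobbered bytes: no infection
    return station.infected


def infect(victim):
    """The worm's two-part infection; it sends both operations without checking."""
    victim.poke(CRITICAL_AT, eor(CRITICAL, ARG_BLOCK))   # part 1: obfuscated payload
    return victim.jsr(CRITICAL_AT, ARG_BLOCK)            # part 2: the key rides in the JSR


def type_basic_line(station, line):
    """Local typing: BASIC's input buffer at &700 overwrites anything poked there."""
    station.mem[INPUT_BUFFER:INPUT_BUFFER + len(line)] = line


def capture(victim):
    """The friend's sequence: collect the payload first, then the JSR argument block."""
    victim.protect = {"Peek", "Poke", "JSR"}
    victim.protect.discard("Poke")                    # re-enable Poke, wait a few seconds
    infect(victim)                                    # payload lands, JSR is refused
    victim.protect.add("Poke")                        # disable Poke
    saved = bytes(victim.mem[PAYLOAD_BASE:0x800])     # copy &400-&7FF into higher memory

    def hook(station, addr, args):                    # hacked JSR entry JMPs here
        station.captured = bytes(args)                # collect the argument block
        station.protect.add("JSR")                    # disable JSR and *BASIC
        return False
    victim.jsr_handler = hook
    victim.protect.discard("JSR")                     # re-enable JSR
    infect(victim)                                    # Poke refused; JSR reaches the hook
    return saved, victim.captured


def recover(saved, key):
    """Reverse-engineering step: decode the saved critical section with the captured key."""
    off = CRITICAL_AT - PAYLOAD_BASE
    return eor(saved[off:off + len(CRITICAL)], key)


def harvest_keyboard_buffers(stations):
    """The simpler trick: peek &3E0-&3FF from every station that still allows Peek."""
    start, end = KEYBOARD_BUFFER
    out = {}
    for num, st in stations.items():
        buf = st.peek(start, end)
        if buf is not None:
            out[num] = buf
    return out


if __name__ == "__main__":
    lab = {2: Station(), 3: Station(protect={"Peek"})}
    lab[2].mem[0x3E0:0x3E9] = b"*I AM SYS"              # constructed keystrokes
    print(harvest_keyboard_buffers(lab))
    saved, key = capture(Station())
    print(recover(saved, key) == CRITICAL)
```

The model makes the design point concrete: the EOR key never touches memory until the JSR arrives, so a station that blocks only one of the two immediate operations either keeps the payload but not the key, or (if it is sitting in BASIC) types over the payload at &700 before the key can be used. The friend's hook works because protection is per-operation, letting Poke and JSR be admitted at different moments.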
I'd like to think that once they'd had the satisfaction of picking apart my protection they didn't then abuse my worm. Anecdotally, that may not have been the case. )-8