{"id":881,"date":"2008-12-09T11:03:33","date_gmt":"2008-12-09T00:03:33","guid":{"rendered":"http:\/\/www.somethinkodd.com\/oddthinking\/?p=881"},"modified":"2008-12-09T11:03:33","modified_gmt":"2008-12-09T00:03:33","slug":"hal-bbs-backdoors","status":"publish","type":"post","link":"https:\/\/www.somethinkodd.com\/oddthinking\/2008\/12\/09\/hal-bbs-backdoors\/","title":{"rendered":"HAL BBS Backdoors"},"content":{"rendered":"

Twenty years ago, in the hey-day of 300 baud modems<\/a>, I never actually hosted a BBS<\/a>. I couldn’t afford a spare phone line, nor a spare Commodore 64.<\/p>\n

I did however, play around with HAL BBS<\/a> – some very simple BBS software.<\/p>\n

There was a rumour out on the web<\/strike> out there that HAL BBS wasn’t to be trusted – it had two backdoors built into the software. It was compiled BASIC, so it wasn’t easy to view the source, but I had a bash at finding those backdoors.<\/p>\n

The first one was fairly easy to guess. Every user was assigned a number, which they used, in combination with a password to log in. I think it was the login page<\/strike> prompt that had the clue. It had a prompt like: “Enter user number (0-254):”<\/p>\n

The maximum user id was 254. Doesn’t that sound suspicious? Sure enough, there was a mysterious user 255 defined in the database, with full privileges. A simple password change on user 255 closed that hole.<\/p>\n

The second security hole was much tougher. I searched labouriously through the hard-coded strings inside the compiled code. One string raised a flag. It looked something like \"N:SCORCHED EARTH,A0\"<\/code>. I don’t remember the exact phrase in the middle, but it was 16 characters that would cause dread in the mind of any sysop.<\/p>\n

But it wasn’t just that phrase; it was where it was placed. In the middle of what looked very much like a 1541 Disk Drive NEW command. If that string was sent to the disk-drive along the command-channel, the result (many minutes later) was a freshly formatted 5 1\/4″ floppy. The entire 170 KB of storage gone! (Don’t laugh, this was very serious! That’s a lot of messages.)<\/p>\n

I changed the string to \"S:CANARY XXXXXXX,A0\"<\/code> and created a file with that name on the disk. Now, it wouldn’t format the disk, but merely delete the canary file, so the sysop could (eventually) notice something was up.<\/p>\n

I still wanted to know the trigger – where was the easter-egg that caused this destructive force to be unleashed?<\/p>\n

The BBS was named after HAL 9000<\/a>, the computer in Arthur C. Clarke<\/a>‘s 2001<\/a>. In the sequel, 2010<\/a>, a special remote control triggering device is installed to deactivate HAL.[Ref<\/a>]<\/p>\n

Heywood Floyd: The control’s in my compartment. Little red calculator? You’ve seen it. You put in nine ‘9s’. Take the square root, and then hit ‘Integer.’<\/p><\/blockquote>\n

I figured that was a key clue, and I tried dozens of combinations to try to trigger the backdoor. I never had any luck.<\/p>\n

This morning, I was thinking about this. I realised that, although I hadn’t noticed – or even thought about this for two decades – this issue has actually been gnawing at my insides the entire time.<\/p>\n

I decided to include my plea to the web. I am hoping the long-tail of the web will answer me this question in less that 20 more years: Does anyone know how this HAL BBS backdoor was triggered? <\/p>\n

It is safe to tell me; I promise not to actually run it on any Commodore-64-based primitive BBS systems still running. Honest!<\/p>\n","protected":false},"excerpt":{"rendered":"

There was a rumour out on the web<\/strike> out there that HAL BBS wasn’t to be trusted – it had two backdoors built into the software. It was compiled BASIC, so it wasn’t easy to view the source, but I had a bash at finding those backdoors.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_s2mail":"","footnotes":""},"categories":[23,28],"tags":[322,320,321,90],"class_list":["post-881","post","type-post","status-publish","format-standard","hentry","category-based-on-a-true-story","category-doubleplus-geek","tag-bbs","tag-commodore-64","tag-hacking","tag-security"],"_links":{"self":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts\/881","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/comments?post=881"}],"version-history":[{"count":2,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts\/881\/revisions"}],"predecessor-version":[{"id":883,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/posts\/881\/revisions\/883"}],"wp:attachment":[{"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/media?parent=881"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/categories?post=881"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.somethinkodd.com\/oddthinking\/wp-json\/wp\/v2\/tags?post=881"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}