Yesterday I signed up for an online MOOC course (Cyberwar, security and surveillance). After watching the material for the first week it was time for an assignment: to edit a wiki page on the history of the internet, related to security. Because this has been somewhat of a hobby for me for many years I was delighted and started to insert nostalgic material into the wiki. Without further ado, here are the entries I supplied, as is. Videos and images added afterwards.
alt.2600 was the main newsgroup for hackers during the 1980s and early 1990s. The number 2600 came from a tone frequency (2600 Hz) that could be used to trick telephone switching systems into thinking the call was over, leaving an open carrier line which could be exploited to provide free long-distance and international calls. The number was made famous by Captain Crunch, aka John Draper, who according to legend found a toy whistle in a box of Cap’n Crunch breakfast cereal. The whistle allegedly produced a tone close enough to trick telephone switches, and John Draper started giving out whistles to friends and family. Others built electronic devices generating the same tone. One famous device of this kind was called the Blue Box. Wiring and soldering diagrams for different kinds of blue boxes were frequently posted to the newsgroup and built by hobbyists (called phreakers or phreaks). One famous phreaker (and friend of John Draper) was Steve Wozniak, co-founder of Apple Computer Inc. The boxes evolved over time to, among other things, generate DTMF tones. Later the legendary underground magazine 2600: The Hacker Quarterly was formed by members of this newsgroup.
Documentary about phreaking:
Bulletin Board Systems were used before the general public had access to the internet. A BBS had one or more telephone numbers associated with it, which you could call using a computer and a telephone modem together with a terminal program. Once connected, the user was typically presented with an ANSI-graphic login screen and a menu from which users could upload and download files, exchange messages with each other, etc. Today internet forum software (like phpBB, vBulletin etc.) has made BBSes more or less obsolete.
Further reading: Wikipedia: Bulletin_board_system
See also BBS: The Documentary:
Buffer Overflow Attacks
One of the first classes of bugs noticed on the internet was the buffer overflow. It was made famous through the article Smashing The Stack for Fun and Profit by Aleph One in the Phrack electronic fanzine. If a user could send input to a program that was larger than the program expected, the buffer allocated for holding the input would be overflowed. This led to a subtle, but critical, problem. Namely, the overflowing data would overwrite the return address (stored on the stack), so when the current subroutine finished and the instruction pointer read its next address from the stack, it would jump to the wrong address in memory. This is called controlling the instruction pointer. Normally this would lead to a crash. But through different techniques the attacker could make the program jump to an address where code was stored that the attacker had supplied (for instance on the stack itself if the stack was executable, in an environment variable, or even at a known address of some routine in the C library of the operating system). Such code that the attacker first injects and then jumps to is typically called shellcode.
Recently operating systems have begun to take counter measures against these attacks, such as randomizing the stack and the libc routine addresses in memory (using the memory mapping of modern CPUs). Perhaps the most effective counter measure is to mark memory pages as either writable or executable, but never both. Recent CPUs have hardware support for this, and it makes buffer overflow attacks much harder, because if the stack is not executable then the attacker cannot both inject code on the stack and then execute it. But not impossible. A technique called ROP chaining defeats this counter measure. In short, a ROP gadget is an executable part of the program itself that the attacker can jump to if he/she controls the instruction pointer. By zig-zag jumping through ROP gadgets in the program (chaining ROP gadgets) an attack may still be successful even if all known counter measures are applied.*
Further reading: Wikipedia: Buffer Overflow
* Another counter measure is canaries. It is a technique applied by some compilers that tries to detect buffer overflows on the fly (more precisely, tries to detect if the return pointer has been overwritten). The name is taken from old-time mining, when canary birds were used to detect if the air was bad inside a mine. Canaries make it more difficult to exploit a program, but not impossible. A little bit like stack randomization.
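As an added illustration (not part of the original wiki entries) of the mechanism described in the buffer overflow entry and of the canary counter measure from the footnote: a small C model of a stack frame with a 16-byte buffer, a guard word and a saved return address, a strcpy-style copy beside a bounds-checked one, and an epilogue that either trusts the return slot or verifies the canary first. The frame layout, return address and guard value are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a stack frame: the local buffer lies below a guard word
 * and the saved return address, as on a typical x86 stack. Because the frame is
 * one flat byte array, every write is defined behaviour; values are made up. */
enum { BUF_LEN = 16, CANARY_OFF = 16, RET_OFF = 24, FRAME_LEN = 32 };
enum { RET_INTACT = 0, RET_CLOBBERED = 1, CANARY_TRIPPED = 2, INPUT_REJECTED = 3 };
static const uint64_t GOOD_RET = 0x401136ULL;            /* constructed */
static const uint64_t CANARY   = 0x1badc0de8badf00dULL;  /* constructed */

static uint64_t read_u64(const unsigned char *p) {
    uint64_t v; memcpy(&v, p, sizeof v); return v;
}

static void init_frame(unsigned char *f) {
    memset(f, 0, FRAME_LEN);
    memcpy(f + CANARY_OFF, &CANARY, sizeof CANARY);
    memcpy(f + RET_OFF, &GOOD_RET, sizeof GOOD_RET);
}
/* Vulnerable copy, strcpy-style: the length comes from the input, NUL included. */
static int copy_unchecked(unsigned char *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > FRAME_LEN) n = FRAME_LEN;  /* keeps the model in bounds; strcpy would not */
    memcpy(f, input, n);
    return 0;
}

/* Fixed copy: the bound comes from the buffer, and oversized input is refused. */
static int copy_checked(unsigned char *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > BUF_LEN) return INPUT_REJECTED;
    memcpy(f, input, n);
    return 0;
}

/* Epilogue: a stack protector checks the canary before the return address is used. */
static int epilogue(const unsigned char *f, int stack_protector) {
    if (stack_protector && read_u64(f + CANARY_OFF) != CANARY) return CANARY_TRIPPED;
    return read_u64(f + RET_OFF) == GOOD_RET ? RET_INTACT : RET_CLOBBERED;
}

/* Copy input into a fresh frame with the chosen routine, then "return". */
int run_frame(const char *input, int bounds_checked, int stack_protector) {
    unsigned char frame[FRAME_LEN];
    init_frame(frame);
    int rc = bounds_checked ? copy_checked(frame, input) : copy_unchecked(frame, input);
    return rc != 0 ? rc : epilogue(frame, stack_protector);
}
```

Note that a 16-character input overruns by only the terminating NUL: the return address survives, but the canary already catches it, while 32 characters reach the return slot itself.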