Not exactly hacking, but other people made me remember it…

If you ran early software like a forum, often passwords/DMs/etc. weren’t encrypted in the database, so you could just look in your own database (or in the case of the perl-based forum I ran, the text files) and get people’s passwords and private messages. I remember my shock at seeing that when I was poking around the back end of my own forum, lol. Luckily for my users, I’m not an asshat, so I never got up to mischief with that. But I absolutely could have, and I know plenty of dudebros in IT who would/did.

I still operate today on the idea that once you interact with an online system, the admins of that system basically have everything you give them and there’s no privacy.

(Also, often if you, the user, “delete” something, usually what the system does is check a box for that data that is more or less a binary, “Is deleted? Y/N?”, and then shows/hides the data based on that flag being set. This is due to corporate customers crying if they delete something by their own fat fingers, but it means if you do intend to delete something, you should assume it’s not actually deleted, it’s just hidden from the view you, the user, have permissions to view. Of course this all depends on the specifics of the system you are interacting with, but I still default to assuming the “delete” function is just a flag that alters the view you see, not a true delete feature.)

Of course not speaking for experience. I’ve personally never broken the law.

But often when companies listed their contact information they’d have a phone line and a fax number. If those numbers were near each other, you could pretty much guarantee that there would be a phone number somewhere in that sequence, or just past it, that would let you dial into their network, often weakly guarded with default password on common user names.

While it could take a little while, I’m aware of people collecting company phone numbers and war dialling overnight to find the network service number. Once you spoke to a modem it would give you a telnet connection and there was hardly ever any form of rate control. The worst I’ve hear about was getting chucked off after three attempts. But you could just dial up again.

I’ve heard of many, many company secrets being found that way.

Angelina jolie was involved

Phone phreaking was where the fun was. Free phone calls, messing with other people’s boxes and stuff. When it was purely electric phone lines were easy to manipulate.

That and before PayPal credit card processing took weeks.

You could fake a credit card so easy and just get services until they tried to bill it.

The same techniques for social engineering are still the most effective ones.

Computers and systems get smarter.

People actually get dumber.

The temptation to say watch the documentary movie called Hackers but I can’t I good faith.

Lack of knowledge was the big problem before the internet. Late 80s, early 90s.

Take Phreaking.

Dialup BBSs (1200/75, 2400 or 9600 baud) were the primary source of dodgy files that I knew of. Some would have a secret area with various texts about hacking and quasi-illegal behaviour, including pornography of all flavours and of course the anarchists’ handbook. There were a few hacking and phreaking related stuff (getting free phone calls was huge then, given the cost of online activities - blackboxing, blueboxing, etc) and often required researching the types of PBX being used until you knew more than the people employed to run the things. To get access to this you’d need to suck up to the BBS owner, or prove your worth and “I’m not a law enforcement officer, honest” credits. Vouchsafing friends and others was another way, and there was cross-checking of you by sysops talking to each other.

The security on phone systems was laughable by modern standards, but at the time it was something very strongly guarded and if you found something, you made sure it stayed private. The phone companies helped by constantly denying anything was happening, but stakes were high. Legal consequences were high, but so were the rewards if you could get free calls.

Myself, I never did, but I always wanted to. Not having my monthly phone bills of hundreds of pounds would have been really nice…

When ADSL and always-on connections became available, phreaking stopped overnight.

Back in these days you’d install your distribution and stay there until the next major release. There were no online software repositiories for updates.

And exploits were plentiful. It was an easier time if you were up for mischief.

In 1999+ you could sniff people’s passwords in clear text right out of the air on public WiFi networks. tcpdump port 110 and just watch them roll in.

In the late 90’s you could use a floppy disk to boot nt and dump the password hashes of anybody who had logged in, then run them through a dictionary attack which would take a matter of minutes before learning that your company’s top employees used their favorite football team or cartoon character as their password without even appending some numbers to it. Dude with the football password even had the password emblazoned in his office wall.

One time in the 90’s I got to a password prompt and just held enter, and eventually was just let past the password prompt.

In X windows if you managed to kill the screensaver password entry box you were dropped back to the desktop, and people found ways to crash the screensaver by overrunning the password input buffer by pasting input repeatedly using common keyboard shortcuts. (Pretty sure this same exact bug exited in early Mac osx versions.)

My ISP would give you like 10 MB to build a personal website. You’d log in to the FTP server, and it would take you to your personal directory. From there, you could “cd …” and end up in the parent directory and access everybody’s data.

A few things I remember.

Nobody sanitised their inputs.

You could get through logins by making a database query check whether 1 = 1 instead of a password. You could put JavaScript into guest book fields to redirect people to whatever crazy site you wanted.

My university lecturer told me about a well known supermarket that built a shop front. They made it in such a way that you could change the numbers before they were submitted and it wasn’t validated on the back end. So free food.

Target sent credit card information to the back of the store unencrypted. Bluetooth didn’t need encryption because nobody can get that close. You could stop 50% of malware by changing the name of your windows directory. Security through obscurity was believed to work, every automated oil rig in the gulf was operating in the clear even into the 2000’s.

Wild times.

80s was all about the phones. And not much different than it is now.

If you want to know what hacking is like in the 80s watch Wargames and look up three dudes:

• Kevin Mitnick
• Mark Hess
• Katl Koch

If you want to know what hacking was like in the 90s watch Sneakers and look up

• Vladimir Levin
• Robert Tappan Morris

Money going online really changed the mood.

I recall a conference talk mentioning that the speaker (from a nordic country) told their friend to look at their online banking account, and then transferred them $-10. Either they were spotted or they disclosed it, I forget which, and luckily they were hired instead of jailed.

Not really hacking, but in the 90s you could usually just connect to a mail server and it would believe what you told it.

If you were careful you could just type an email directly: MAIL FROM, RCPT TO, etc.

I would write scripts at work to send spoof emails sometimes, you could put anything as the FROM address, like “info @ catfacts” or whatever.

Another “not really hacking” example is that when some companies first got an Internet connection, they would just allocate public IP addresses to everyone, no gateway or firewall. So you could browse any non-passworded smb shares just knowing the IP.

The connection between Cap’n Crunch, phone system hacking, and Apple is a pretty important part of early hacking history.