Ghost in the Wires_ My Adventures as the World's Most Wanted Hacker - Kevin Mitnick [39]
Then I stood there between the two phones with a receiver held up to each ear.
I told the woman who answered in Nashua that I worked at DEC too, then asked where the computer room was and got the phone number for operations.
When I called that department, I used the name of someone in development and asked if operations supported the “Star cluster” group of VMS systems that were used by VMS development. The DEC employee said yes. I then covered that mouthpiece with my hand and spoke to Lenny through the other one, telling him to dial the modem number.
Next I told the operator to type in a “show users” command to show who was logged in. (If you were in the process of logging in, as Lenny was, it would show this by displaying “ VMS User Processes at 9-JUN-1988 02:23 PM Total number of users = 3, number of processes = 3 Username Node Process NamePID Terminal GOLDSTEIN STAR Aaaaaa_fta2: 2180012D FTA2: PIPER STAR DYSLI 2180011A FTA1: The “ I then asked the operator to type in a “spawn” command: spawn/nowait/nolog/nonotify/input=ttg4:/output=ttg4: Because she wasn’t keying in usernames or passwords, she didn’t think anything about what I was asking her to do. She should’ve known what a spawn command did, but apparently operators rarely used it, so evidently she didn’t recognize it. That command created a logged-in process on the modem device that Lenny was connected to in the context of the operator’s account. As soon as the operator typed in the command, a “$” prompt appeared on Lenny’s terminal. That meant he was logged in with the full privileges of the operator. When the “$” showed up, Lenny was so excited that he started shouting into the phone, “I’ve got a prompt! I’ve got a prompt!” I held Lenny’s phone away from my head and said calmly to the operator, “Would you excuse me? I’ll be right back.” I pressed that phone against my leg to mute the mouthpiece, picked up the other phone, and told Lenny, “Shut up!” Then I went back to my call with the operator. Lenny immediately checked to see if security audits were enabled. They were. So rather than setting up a new account for us, which would have raised suspicions by triggering an audit alarm, he just changed the password on a dormant account that had all system privileges. Meanwhile, I thanked the operator and told her that she could log out now. Afterward, Lenny dialed back up and logged in to the dormant account with his new password. Once we had compromised VMS development, our objective was to get access to the latest version of the VMS source code. It wasn’t too difficult. When we listed the disks that were mounted, one of them was labeled “VMS_SOURCE.” Nothing like making it easy for us. At that point, we uploaded a small tool designed to disable any security audits in a way that wouldn’t trigger an alarm. Once the alarms had been disabled, we set up a couple of user accounts with full privileges and changed a few more passwords on other privileged accounts that hadn’t been used in at least six months. Our plan was to move a copy of the latest version of the VMS source code to USC so we could maintain full access to the code even if we got booted off the Star cluster. After setting up our new accounts, we also went into the email of Andy Goldstein. He had been a member of the original VMS design team at Digital and was well known throughout the VMS community as an operating-system guru. We knew he also worked with VMS security issues, so we figured his email would be a good place to look for information about the latest security issues DEC was trying to fix. We discovered that Goldstein had received security bug reports from a guy named Neill Clift. I quickly learned that Clift was a grad student at Leeds University in England, studying organic chemistry. But he was obviously also a computer enthusiast with