Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

Tales from the Past: Not Getting Caught Part Two


Man bypassing security, from dreamlike.art.

In the Internet’s earlier days, I reported a series of security vulnerabilities to vendors and even corporations, but this was at a time when the relationship between hackers and vendors and corporate tech customers was extremely strained. Sometimes a well-meaning hacker would try to help out a company by pointing out a flaw, and the company would respond by calling law enforcement. As a result, many of us who reported vulnerabilities would resort to some rather insane methods of reporting. Here are a few examples.

I’ll skip some of the more obvious ones. Many hackers by night were system admins by day, so knowing that one of your hacker buddies worked at a large company that had a flaw was nice. You could simply tell them in some private chat, and often they’d report it up the chain and get full credit from their employer, so it was common amongst hacker friends to kind of watch out for each other this way, which helped all of us. Things like that were common, at least in the circles I ran in. You get the idea.

Then there were vendors that were a little less forgiving, or extremely difficult to work with. I’ll give you an example of a company I’m sure you’ve heard of - Microsoft.

Microsoft

In the early 90s, Microsoft had started their Windows line and was getting into networkable products; they had a “sharing” system in their operating system that allowed one to share information between computers in peer-to-peer fashion. I worked at STIN, as it was known back in the day, as a field consultant for large travel agencies, and as a part of AMR at the time (the holding company of American Airlines) we were a big Microsoft customer and got to participate in a beta of an upcoming version with this new peer-to-peer file sharing feature called Windows for Workgroups.

With minimal exploring I tried out this new feature, and even though I was told only a handful of companies were in the beta, I found thousands of systems I could peer attach to. In our internal beta there were only a few dozen, so naturally I started exploring. I found dozens of systems located in Redmond. Many had proprietary Microsoft source code loaded onto them, as they were developers’ workstations.

After I pointed this out to the STIN IT admins, they told me they reported it to Microsoft and the reply was a flavor of “thank you, but this is working as designed”. When I showed it to the STIN admins they said that unless Microsoft fixed it, they were not going to recommend upgrades to the next version of Windows that included this. In the beta, there was no way to turn this off.

A bit more poking around on the Redmond systems remotely allowed me to figure out the mail clients on these Microsoft desktops as well as a bit about who the bosses of the developers were. Microsoft was using Microsoft Mail internally, and since STIN was as well, I was able to figure out how to compose an email as a text file and upload it into the “outbox” directory of a Microsoft desktop using this “working as designed” feature of Windows for Workgroups. In it I stated that I was not a Microsoft employee, that I could connect up to Microsoft desktops and download proprietary source code, and that they probably needed to correct things as I could also connect up to their customers. I did so anonymously, but was able to further prove this by providing some internal STIN material and said “I stole this from one of your customers, fix this or I tell them about it.” A week or so later the STIN admins told me that Microsoft said they “reassessed the feature” and the next version would correct the problem with more controls. Because I had implicated STIN as a victim, they never assumed the intruder was also from STIN. They also never told STIN we were hacked.

Thankfully, Microsoft has improved over the years and is fairly painless to work with. I will state that this attitude was extremely common back in the day - Microsoft wasn’t unique in this; there were others just as bad. In general, the 90s were pretty rough with the commercial vendors.

Novell

Novell Netware was a frequent target of mine when it came to bug hunting, and while I did report things to them via email, their tone was becoming increasingly harsh towards hackers in general. There was one instance I was aware of in which a pair of hackers from Europe had reported a flaw to them that was pretty severe, and instead of patching the flaw they hired the hackers as contractors. As a part of the contracting onboarding process they had to sign NDAs “for life”, at least according to what I was told. After a few short months the contract was terminated with the NDA intact. If they were to go public, Novell could come after them civilly. Chilling.

So I changed my tactics. I started reporting flaws to them via the telephone, in part to hide myself ever so slightly, and in part just to fuck with them. If you recall in a previous blog post I mentioned a Meridian Mail “zero day” I had. Well, guess what PBX system Novell had?

It did not take a lot of effort to figure out which extension at Novell went to their Meridian Mail voice mail system, and I could simply launch my key sequence that dropped me to a dial tone, and I’d dial the extension of the friendliest guy in Novell that I knew in security. On his internal work phone’s caller ID my number looked like a four digit extension; I’d identify myself to him and give him my bug info.

Nice Novell Guy: “Where are you?!?”

Me: “Well you know I live in Texas, but since you seem to want to go after hackers that report bugs to you I thought I should start reporting bugs off the record. No written trace in an email.”

NNG: “Are you downstairs somewhere?”

Me: “Ah, the caller ID. This seems safer, to make it look like I’m inside your company.”

I really didn’t have to do this, as this nice guy was not responsible for the European hackers incident; in fact he found it embarrassing, but it was still a lot of fun to just fuck with The Man.

Local Television Station

There was a local television station that decided it would be way cool to take video files of various news stories from their local news broadcast and load them onto their web server. As this was right around the 1999-2000 time frame, they felt this was cutting edge stuff. Unfortunately they had severe problems with the security on this web server. Remember, a lot of companies ran their own web servers on bare metal and didn’t use cloud, which was in its early stages.

I found out about it when someone was posting dox info on another individual onto this web server, stating it was “all over the local news”. Oh my, how utterly hilarious of you. A quick probe or two revealed the security flaw. Don’t ask me what the flaw was, because in fact I don’t remember, as it was trivial and there was probably more than one. I did know the pager number of a few of the reporters there, and as these were alphanumeric pagers, I sent them a link to a write-up I had uploaded to their server using the vulnerability. Later I even called one of the reporters using the old Meridian Mail trick since they were not taking care of the problem. The reporter apologized and stated the news room was trying to get the situation corrected, but was “running into difficulties”.

Later on, someone uploaded a shit ton of porn, erased all of the news video files, and the station responded by taking the site down. I have no idea who this was, as earlier when I had poked around I could see evidence of several intruders in the system. After they got the system back up, all of the old video files of news stories were gone. In fact, those copies never reappeared and I suspect they were in fact the only copies they had. I felt bad, as I was tempted to patch and fix things myself (I often did this on other systems I’d pwn), but thought it was too much work, considering the number of intruders.

Not surprisingly, the station never ran a news story on the porn hack. I still like the station; in fact they are my preferred local news station for live local weather events (thunderstorms, tornadoes, etc.) to this day.

The Point

The main point here is that I did try to get things fixed, but I often bent the rules to either help get it fixed, or sometimes just for my personal entertainment. And I think it should be obvious, but I never told ANYONE about this lame little Meridian Mail zero day (I take that back, I might have told a few NMRC folk). By not talking about it in hacker circles or otherwise, I avoided tons of people exploiting it, abusing it, and causing the thing to get “patched” or some configuration option changed that mitigated it. I found it in the late ’80s/early ’90s and never spoke of it while the product existed. Meridian Mail ceased to be in 2006, so it was a good run.
