Nothing is ever FoolProof(tm) because fools are so inventive



From the 'Sordid Tales of High School' department.
'Hacking Wimpy Macintosh Security Programs in A Few Easy Steps'

There is a truism that the weakness in any given security system is the people. That computers are so much better at being secure that it's not even funny. This is generally true, but not necessarily accurate for systems such as Windows (which is inherently insecure) and Macintosh (which never had any pretensions about security to begin with). The Mac system is not an inherently secure platform, in that it's rather difficult to prevent anyone able to sit down at the machine from doing whatever they bloody well please. This does not, however, stop people from trying.

At the high school in which I spent grades 10-12, we had a big ol' lab of nice Macintosh computers, a lot of old SE and Plus models, in addition to a brand new bunch of Performa something-or-others. Nice machines. Great for playing games on. Except, of course, that there was a strict 'no-computer-games' policy. But, egads! How to prevent people from playing games (which they were doing) on these wonderful, shiny new computers, without having to have someone sit in there as a lab monitor?

The answer they chose was a software program called FoolProof(tm). I scoff. It was not a particularly well written program, but even then, it could have probably stymied me successfully if it hadn't been for the fact that it wasn't properly installed. Properly set up, FoolProof(tm) would have prevented someone from doing the obvious thing of going into the system folder and clobbering its nifty little files. Whups! Next time, read the manual... Being an enterprising young fellow, I not only whacked copies of FoolProof(tm) wherever I discovered them (and with unsecured AppleTalk, it was trivial to purge the entire school network), but I made copies of the FoolProof(tm) system 'cdev' ('control device', one of the two types of Macintosh system add-ons), plus the FoolProof(tm) Administrator that had foolishly been left on the hard drive.

Someone finally figured out that reading the manual would be a wise move, and security began to tighten. Clearly, more thoughtful methods of hacking would be required.

Having access to all the programs themselves, I popped open the source code editor in my favorite program, ResEdit(tm). This was a nifty feature that did a partial decompile of the binary source, at least enough so that you could see where all the loops, procedure calls, et cetera, were inside the code. Very helpful. And so I set down to hack.

It was not at all like a movie, instead it was me slooooowly looking through the binary, watching where the procedures went, what they were named, etc., until I had grasped what this program was doing. I then realized that the person who wrote it was an idiot.

A note to programmers out there: If you're going to write a program that checks passwords, don't make the procedure call have a handy little tag in the source that names it clearly as 'CheckPassword'. Verify that your compiler does not do this.

'Hm,' I thought. 'CheckPassword? Wonder what happens if I replace the procedure calls with NOPs.' (NOP is assembler for 'No Operation', in other words, 'do nothing'. It's useful for whiting out things in the source code because straight-out deleting them would change the checksums, the source length, etc, etc.)

What happened was that it no longer checked for the password and I could now run the program and access all administrative functions of the security software without having a clue what Mr. Password was. Whups.

A second note to programmers out there: Password checks should always be positive verification. The code in the FoolProof(tm) Administrator no doubt looked like this:
validPassword = true;                       /* caller assumes success before anything is checked */
checkPassword(validPassword);               /* the check can only clear the flag; if this call never runs, it stays true */
if (validPassword == false) { becomeSnarky(); }

In other words, don't write code that assumes the user is valid unless they behave invalidly.
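To make the "positive verification" point concrete, here is an added example (my own illustration, not code from FoolProof(tm) or from the original rant). It puts the rant's default-allow pattern next to a fail-closed one and adds a hypothetical `run_check` flag that simulates the password check simply never executing. The password string is a constructed placeholder, and `admin_default_allow`, `admin_fail_closed` and `passwordMatches` are names I made up for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder secret for the example; a real product would
 * store a salted hash and compare with a constant-time routine. */
static const char *EXPECTED = "correct horse";

/* The pattern described in the rant: the caller pre-sets the flag to true,
 * and the check is only able to clear it. */
static void checkPassword(const char *attempt, bool *validPassword) {
    if (strcmp(attempt, EXPECTED) != 0) {
        *validPassword = false;
    }
}

/* Flawed gate (default-allow). run_check simulates whether the call to
 * checkPassword actually executes; returns 1 when admin access is granted. */
int admin_default_allow(const char *attempt, bool run_check) {
    bool validPassword = true;                 /* assumes success up front */
    if (run_check) {
        checkPassword(attempt, &validPassword);
    }
    if (validPassword == false) { return 0; }  /* becomeSnarky() */
    return 1;                                  /* administrative functions unlocked */
}

/* Positive check: the only thing that can produce 'true' is a real match. */
static bool passwordMatches(const char *attempt) {
    return strcmp(attempt, EXPECTED) == 0;
}

/* Fail-closed gate: access starts denied and is granted only by a positive
 * result from the check. If the check never runs, nothing flips 'granted'. */
int admin_fail_closed(const char *attempt, bool run_check) {
    bool granted = false;                      /* assumes failure up front */
    if (run_check) {
        granted = passwordMatches(attempt);
    }
    return granted ? 1 : 0;
}

int main(void) {
    const char *attempts[] = { "correct horse", "wrong" };
    for (int i = 0; i < 2; i++) {
        for (int run = 1; run >= 0; run--) {
            printf("attempt=%-14s check_runs=%d  default_allow=%d  fail_closed=%d\n",
                   attempts[i], run,
                   admin_default_allow(attempts[i], run != 0),
                   admin_fail_closed(attempts[i], run != 0));
        }
    }
    return 0;
}
```

With the check in place both gates behave identically; the difference shows only in the row where the check does not run: the default-allow gate unlocks the administrator on a wrong password, while the fail-closed gate stays locked because its starting state is "denied" and only a positive match can change it.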

Now, at this point, I *could* have been rather hideously evil. After all, I had a valid copy of the Administrator, which meant I could have locked out all the machines and changed the passwords (after all, the Administrator would assume I had already entered the valid old password... and if not, I could take out THAT check, too!). However, if I was too smart, it would be obvious who it was... so I bided my time, content to have the run of the network without anyone knowing.

Who says school never teaches you anything interesting?

Tomorrow: Comic books.

Rant 'o the day contains no additives, preservatives or small woodland creatures of any kind. Use only as directed. Do not expose to direct sunlight. Do not fold, spindle, mutilate or remove identifying tags. Handle with care. Contains less than 3% milk fat by weight, not by volume. Squeeze the lemon.

THIS SPACE FOR RENT