Slashdot Mirror


Was This the First Denial of Service Attack?

An anonymous reader writes "Way back in 1974, Dave Dennis, then aged 13, decided to try out the -ext- TUTOR command on the PLATO system at the University of Illinois, and see if he could cause all the terminals of other users to go offline. It worked. And he never got caught. Of course, the powers that be eventually caught on and fixed the -ext- command so terminals by default didn't automatically receive -ext-'s sent from other locations."


  1. So they could receive commands!? by Darkness404 · · Score: 5, Insightful

    So, let me get this right. You could more or less get a list of addresses, and they would accept commands without question if you just typed in the commands and the right address? Sounds like the worst security system ever.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:So they could receive commands!? by Anonymous Coward · · Score: 5, Insightful

      So, let me get this right. You could more or less get a list of addresses, and they would accept commands without question if you just typed in the commands and the right address? Sounds like the worst security system ever.

      Yeah, but this was 1974, when overly-trusting users used commands to do USEFUL things, rather than cause mischief (or shove adverts in front of you)!

    2. Re:So they could receive commands!? by Ethanol-fueled · · Score: 2, Insightful
      From the summary:

      And he never got caught.

      If he did get caught he'd get a smirky, eye-rolling verbal warning instructing him to stay away from the terminal. Nowadays a kid would be taken into custody and charged with violating computer crime and terrorism laws.

      FBI and/or DHS interrogations would follow, then he'd be forced to turn snitch and lure other kids (er, "marks") into "hacking" the system, to avoid a decade or more of federal prison.

    3. Re:So they could receive commands!? by Sycraft-fu · · Score: 2, Insightful

      Computer security was poor back in the day. Since computers were expensive, scarce things that were generally not connected to others, it wasn't a big deal. You knew everyone who had access, if someone caused trouble they'd get in trouble. Even once the Internet, or rather ARPANET back then got started, security was extremely lax. If you look at some of the low numbered ports you'll discover they were things like "chargen" which just sends a random string of characters out. You can see how this would be a bad idea currently, but it could be a useful tool to make sure a system and link were working.

      As with most things, people learn from experience. As computers became more common and networks larger, security got better by necessity. Things got broken into, so the problems were fixed. Go with that for a couple decades and we now have systems with multiple privilege levels, hardware enforced memory access limits, virus scanners, firewalls, etc, etc.

      A good deal of security in the world is born out of necessity and experience. Bad things happen, so security is designed to stop them from happening.

    4. Re:So they could receive commands!? by mysidia · · Score: 5, Insightful

      They were crypted... why would you need to hide a strong password that was crypted? Shadow'ed passwords are an ugly hack.

      Also, if you restrict "shadow" passwords so only root can see them, then suddenly every program that needs to perform authentication must be setuid root...... this is a security risk. In that era, possibly a much larger security risk than the risk of a strong password being cracked.

      The problem wasn't failing to use shadow passwords. It was (1) UNIX users who set weak passwords, and (later), an (2) explosion in computing power, making it easier to attempt to crack the passwords.

      Also, the reverse-engineering of the original DES-based crypt binaries allowed inefficiency that was intentionally contained in the algorithm to slow it down (making use for cracking improbable), to be removed, after years of study.

      The DES-based crypt() algorithm was optimized into fast-crypt which was orders of magnitude faster, and actually made password cracking feasible. If a harder cryptographic algorithm would have been used -- then matters could be very different.

      The latter bit they should have seen coming. The explosion in computing power was by no means a certain development, it wasn't an immediate issue at the time.

  2. Re:Was it a DoS exactly? by nedlohs · · Score: 3, Insightful

    "Denial of Service". It's the damn name.

    One way is to flood the system, but there are plenty of other ways. The one mentioned for example.

  3. Re:Was it a DoS exactly? by Fallon · · Score: 4, Insightful

    What does DoS stand for? Denial of Service. Getting everybody kicked off the system certainly sounds like denying them access to that computer service to me. Just because a DoS is usually performed by a network flood of some kind doesn't mean that's the only way to do it. Heck an idiot tripping over the power cord to the server is technically a DoS if people lose access.

  4. Re:Seems fitting by Dachannien · · Score: 3, Insightful

    As a card-carrying pedant

    Did you make it yourself, or is someone issuing those?

  5. Re:Seems fitting by algormortis · · Score: 2, Insightful

    Surprised? How long have you been a /. member for? I've been a member for just a year and I already feel emasculated by all the kids who improve upon a technology before they stop wetting their beds.

  6. Re:Exactly by pspahn · · Score: 2, Insightful

    Accessing the personal records is often the goal, is it not?

    Sure, having access to passwords and stuff is nice, but it's kind of just the stepping stone towards finding the real information.

    --
    Someone flopped a steamer in the gene pool.