How Allan Scherr Hacked Around the First Computer Password

← Back to Stories (view on slashdot.org)

How Allan Scherr Hacked Around the First Computer Password

Posted by timothy on Friday January 27, 2012 @02:11PM from the used-his-onion dept.

New submitter MikeatWired writes "If you're like most people, you're annoyed by passwords. So who's to blame? Who invented the computer password? They probably arrived at MIT in the mid-1960s, when researchers built a massive time-sharing computer called CTSS. Technology changes. But, then again, it doesn't, writes Bob McMillan. Twenty-five years after the fact, Allan Scherr, a Ph.D. researcher at MIT in the early '60s, came clean about the earliest documented case of password theft. In the spring of 1962, Scherr was looking for a way to bump up his usage time on CTSS. He had been allotted four hours per week, but it wasn't nearly enough time to run the detailed performance simulations he'd designed for the new computer system. So he simply printed out all of the passwords stored on the system. 'There was a way to request files to be printed offline by submitting a punched card,' he remembered in a pamphlet (PDF) written last year to commemorate the invention of the CTSS. 'Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing.' To spread the guilt around, Scherr then handed the passwords over to other users. One of them — J.C.R. Licklieder — promptly started logging into the account of the computer lab's director Robert Fano, and leaving 'taunting messages' behind."

61 of 89 comments (clear)

Min score:

Reason:

Sort:

More on CTSS by Anonymous Coward · 2012-01-27 14:17 · Score: 5, Interesting

CTSS is notable for a lot of things. Like having the first e-mail, and the first spam.
http://opinionator.blogs.nytimes.com/2011/06/19/did-my-brother-invent-e-mail-with-tom-van-vleck-part-one/
The first documented hacking occurred earlier, to make certain networking-esque programs work.
PRIVACY IS THEFT! by Jeremiah+Cornelius · 2012-01-27 14:17 · Score: 1

Or something like that.

--
"Flyin' in just a sweet place,
Never been known to fail..."
submitter maths fail by RalfM · 2012-01-27 14:27 · Score: 1

Twenty-five years after the fact?
Try fifty...

--
The trouble with the world is that the stupid are cocksure and the intelligent are full of doubt.
-Bertrand Russel
1. Re:submitter maths fail by MightyYar · 2012-01-27 14:31 · Score: 5, Informative
  
  I know I shouldn't tell someone with a 5-digit id to RTFA, but here I go anyway... FTFA:
  
  Scherr left MIT in May 1965 to take a job at IBM, but 25 years later he confessed to Professor Fano in person. “He assured me that my Ph.D. would not be revoked.”
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
2. Re:submitter maths fail by martin-boundary · 2012-01-27 15:40 · Score: 4, Funny
  
  He assured me that my Ph.D. would not be revoked
  
  Uh, uh. But now the DHS knows what he did...
3. Re:submitter maths fail by houstonbofh · 2012-01-27 15:47 · Score: 1
  
  But it was before they wrote any computer crime statutes, so he is good.
4. Re:submitter maths fail by 93+Escort+Wagon · 2012-01-27 16:34 · Score: 4, Insightful
  
  I know I shouldn't tell someone with a 5-digit id to RTFA, but here I go anyway... FTFA:
  
  Scherr left MIT in May 1965 to take a job at IBM, but 25 years later he confessed to Professor Fano in person. “He assured me that my Ph.D. would not be revoked.”
  Okay, so to sum up:
  Slashdot just posted a 25-year-old story.
  
  --
  #DeleteChrome
5. Re:submitter maths fail by Zibodiz · 2012-01-27 18:35 · Score: 1
  
  What are you talking about? My mom was born in the early '60s, and everyone knows she's 25. Just ask her!
6. Re:submitter maths fail by pjt33 · 2012-01-27 21:43 · Score: 2
  
  If you think that's impressive, TFS also says that CTSS was built in the "mid-1960s", and Scherr stole the password file "in the early '60s", specifically "in the spring of 1962". Hacking into a system that hasn't been built yet is pretty impressive. I wasn't surprised when I checked the "editor" and saw that it was Timothy.
7. Re:submitter maths fail by osu-neko · 2012-01-27 22:14 · Score: 1
  
  I know I shouldn't tell someone with a 5-digit id to RTFA...
  Yeah, you should. These younger users are often hard of reading...
  
  --
  "Convictions are more dangerous enemies of truth than lies."
8. Re:submitter maths fail by rapidreload · 2012-01-28 01:24 · Score: 1
  
  He assured me that my Ph.D. would not be revoked
  Uh, uh. But now the DHS knows what he did...
  Allan Scherr: [holds up his doctorate] Ph.D immunity!
  [DHS slowly rolls its head on its neck, takes aim, and fires - his bullet goes through Allan's wallet, and then his head]
  DHS: It's just been revoked!
  
  --
  To all newcomers - people here are very close-minded and can't handle complaints about Linux. Keep this in mind.
9. Re:submitter maths fail by fotoguzzi · 2012-01-28 03:49 · Score: 1
  
  I know I shouldn't tell someone with a 5-digit id to RTFA, but here I go anyway... FTFA:
  
  Scherr left MIT in May 1965 to take a job at IBM, but 25 years later he confessed to Professor Fano in person. “He assured me that my Ph.D. would not be revoked.”
  Okay, so to sum up:
  Slashdot just posted a 25-year-old story.
  Actually, a 22-year-old story about an incident which took place 25 years previously. Something to tell your grandkids about.
  
  --
  Their they're doing there hair.
10. Re:submitter maths fail by hawk · 2012-01-29 11:23 · Score: 1
  
  You must be new around here . . . :)
  hawk
Re:what is a password? by pbjones · 2012-01-27 14:41 · Score: 4, Interesting

it's a route, the way to connect to your phone. A password is more like a key, if you have one then you can get into your whatever.
Worst password/pin. A telephone system at a major event many years ago, each journalist was given a unique 4 digit pin, they enter it and get dialtone and dial. Took about 10 seconds for them to workout that they could just pump in 4 digit codes until they got dial tone and they were then using other peoples accounts. Or the Video store software that stored passwords in plain text in a file called PW.TXT.

--
There was an unknown error in the submission.
Re:Rant (-5 insightful) by UnresolvedExternal · 2012-01-27 14:50 · Score: 1

All your mod points are belong to me!
Re:Rant (-5 insightful) by Anonymous Coward · 2012-01-27 14:51 · Score: 5, Informative

http://xkcd.com/301/
Re:what is a password? by Quince+alPillan · 2012-01-27 14:57 · Score: 2

....or the crippleware my high school used on Windows 98 to prevent unauthorized users from modifying anything. Except, it allowed the user to set the wallpaper from Internet Explorer, but not the display console.
Fun ensued when the students set the goatse man as the wallpaper and the teachers couldn't change it because they didn't have the password.
I quickly learned that the password was stored in plain text in the registry (that I could view, but not edit) and would change the wallpaper back to a blank background.
Re:Rant (-5 insightful) by Anonymous Coward · 2012-01-27 15:01 · Score: 1

Yeah, a nerve among people who can't stand smug idiots.
I wish he hadn't published this... by Alien+Being · 2012-01-27 15:10 · Score: 4, Funny

The next thing you know, cardpunches will be declared to be terrorist tools.
1. Re:I wish he hadn't published this... by dbc · 2012-01-27 15:55 · Score: 3, Funny
  
  A card punch launched from a trebuchet could do some serious damage. They are big and heavy.
  Tell you what, though, the chad is an *outstanding* terrorist tool :) Going through the student keypunch room with a garbage bag, emptying all the chad bins, gets you enough annoying confetti to last a long time. Go through somebody's closet, and put chad in every pocket of everything he owns. Months later he will still be picking the stuff out. Sprinkle it liberally into the pages of various books. And 2 or 3 handfuls in the bed is always a winner.
  My sister the artist still laments the passing of card punches. Back in the days of card punches she was into paper mache, and the chad makes excellent paper mache, and is zero labor. Just chuck a few handfuls into the paste and get to work.
2. Re:I wish he hadn't published this... by datavirtue · 2012-01-27 18:26 · Score: 1
  
  I just got a visual of Osama bin Ladin crouched down in a cave sheepishly holding a punchcard up to a camera and mouthing the words "Fuck you."
  
  --
  I object to power without constructive purpose. --Spock
3. Re:I wish he hadn't published this... by datavirtue · 2012-01-27 18:27 · Score: 1
  
  Oh.... the pedantry
  
  --
  I object to power without constructive purpose. --Spock
4. Re:I wish he hadn't published this... by ceoyoyo · 2012-01-28 05:11 · Score: 1
  
  I once saw the cab of a pickup entirely stuffed full of them....
Re:what is a password? by bartoku · 2012-01-27 15:13 · Score: 1

While the registry trick was a nice find, why not just use Internet Explorer to set the wallpaper to something else?
Re:Rant (-5 insightful) by UnresolvedExternal · 2012-01-27 15:13 · Score: 1

Hats of to you AC; and with an XKCD reference no less!
Re:Rant (-5 insightful) by Ethanol-fueled · 2012-01-27 15:17 · Score: 1

Being serious here - On what date was that cartoon posted?
Re:what is a password? by wierd_w · 2012-01-27 15:35 · Score: 1

Sadly, when I was a tyke in HS, we were the last pre-internet generation.
However, hilarity *did* ensue when I showed the other gifted kids how to change the desktop pictures and system sounds on the native powermacs the school was using.
Never did I ever imagine the inventiveness that schoolkids could invoke from something as horrible as clarisworks.... never in a million years. It was like graphitti in a newyork subway. Every workstation in the school was vandalized in a different and unique way.
It wasn't long afterward that some serious lockout smackdowns happened.
... and not many people know that by goldaryn · 2012-01-27 15:45 · Score: 1

Robert Fano's password was hunter2. True* fact.
1. Re:... and not many people know that by PhunkySchtuff · 2012-01-27 17:16 · Score: 1
  
  but that just shows up as *******
  
  --
  Specialist Mac support for creative pros, Melbourne
So... by Anonymous Coward · 2012-01-27 15:47 · Score: 1

"Taunting Messages"... so he was anonymous and did it for the lulz?
Re:'hacking' by houstonbofh · 2012-01-27 15:48 · Score: 1

Bitter much?
Spreading the guilt by Dan+East · 2012-01-27 15:48 · Score: 3, Funny

Back in high school our band performed at EPCOT, and that night, to keep all the kids in their hotel rooms, the chaperones put tape on each door. If a student left their room, then the tape on the outside of the door would be broken loose and they would get in trouble. However there was a fatal flaw. Late that night when we were sneaking around the hotel, we simply removed the tape from a dozen other rooms.

--
Better known as 318230.
1. Re:Spreading the guilt by black6host · 2012-01-27 16:07 · Score: 1
  
  Back in high school our band performed at EPCOT, and that night, to keep all the kids in their hotel rooms, the chaperones put tape on each door. If a student left their room, then the tape on the outside of the door would be broken loose and they would get in trouble. However there was a fatal flaw. Late that night when we were sneaking around the hotel, we simply removed the tape from a dozen other rooms.
  An excellent example of how when we pay attention to the obvious, someone else has a different interpretation of obvious. A cause of many a security breach, I'm sure.
Re:'hacking' by jimmydevice · 2012-01-27 16:24 · Score: 1

You sound like a slashdot type girl-in-training.
Re:Penis by Anonymous Coward · 2012-01-27 16:54 · Score: 2, Informative

Warning! Your password is too short.
Why is a password not a route by j-stroy · 2012-01-27 17:18 · Score: 1

A phone number could be considered a "key" to a specific phone
Re:Rant (-5 insightful) by datavirtue · 2012-01-27 18:23 · Score: 2

It is true. /. has taken a nose dive in intelligence. Just look at me, my karma has shot through the roof. Back in the day I couldn't get a word in edgewise.

--
I object to power without constructive purpose. --Spock
First keylogger? by djchristensen · 2012-01-27 18:38 · Score: 5, Interesting

I'm sure not the first time it happened, but while in college in the mid '80s, the computer lab was set up with 68k-based evaluation boards to use for embedded systems programming assignments. The boards had two serial ports, one to the ASCII terminal and another to the Sun server. The boards normally operated in a transparent pass-through mode when they weren't being used, and a hot-key was used to access the board directly.
We realized that we could easily install code to look for "login:" and "password:" coming from the server and catch the replies and save them in memory. We'd check back towards the end of the day and harvest the results. We were on very good terms with the head of the CS department, so when we told him about our little exploit and proved it with his password, he was more amused than anything else.
We didn't keep or use any of the passwords, but thinking back on it, it could have been quite lucrative to sell them to a certain group of CS students who were quite prone to cheating. Those were the ones that you could put their assignment printouts together (I worked as a TA for a while) and hold them up to the light to see they were identical except for the variable names. One of them also set fire to the pile of final assignments that had been left on the floor outside a professor's office in a 100+ year old building, figuring if nobody's assignment got turned in, the professor couldn't grade them (yeah, too dumb to realize all those programs were still on the server). That was a very narrowly avoided tragedy. Ah, memories.
1. Re:First keylogger? by audubon · 2012-01-28 03:48 · Score: 1
  
  At my university during the early '80s, each student's VAX-11/780 username and password both consisted of the student's Social Security number. When exam results were posted on the bulletin board, they were listed by SSN.
2. Re:First keylogger? by mannd · 2012-01-28 12:02 · Score: 1
  
  On the Dartmouth Time Sharing System GE-200 series computer, I wrote a program that emulated the login using BASIC. I left it running on teletypes for users to login to. When the user hit Enter a control character was printed which turned off the teletype (I forget what control character that was) and the data was saved in a file. This was in 1969. I collected a bunch of user names and passwords just for fun. I think it was a fairly early password stealing program. Hopefully statue of limitations has run out by now.
  
  --
  Sig expected Real Soon Now.
By 1970, the FBI was arresting hackers by Anonymous Coward · 2012-01-27 18:57 · Score: 3, Interesting

When I was attending a small techical college which had government contracts, one student got passwords to several research accounts and used them for homework and for the primitive games of the time. He started with guessing simple ones and shoulder surfing. After a couple of catch-and-release sequences, he seemed to self-destruct. He started running CPU and memory intensive do-nothing programs to deliberately tie up the computer. He was finally arrested, expelled, tried, convicted, and jailed.
He was sure proud he could do it. He was sure resentful that computer time wasn't free.
1. Re:By 1970, the FBI was arresting hackers by reynaert · 2012-01-28 08:16 · Score: 1
  
  Computer crimes used to be prosecuted as "theft of electricity".
Re:what is a password? by EETech1 · 2012-01-27 19:45 · Score: 1

The gifted kids getting to spend extra (un-monitored) time in the computer lab was a great idea. We were the only ones that could make it work anyways.
With practically no one having a computer, much less a clue how to use it, the teachers needed input on how to incorporate them into a class, so they let us have our way with it, to figure out what a student could do with it. Which lessons were fun, any thoughts on what a 6th grade kid could put in a database. How come this won't save. We were middle school IT department #1.
They gave us access to all the documentation, even the teachers editions to help figure out how it all worked. Networked Apple ][ GS with the school server and Appletalk network.
One of the girls came up with a diary, so part of what everyone did for computer class was keep a diary on your floppy disk, and we used to copy them over appletalk after the class would start working on something else:)
Miss Irene, My floppy drive is running, oh it stopped, never mind.
Thank goodness we RTFM and knew everything our new computer lab could do, and were given a few hours a day access to it with no one but ourselves to watch us.
Ahhh The Memories...
Of my entire middle school, still on a floppy in my firesafe! In a database:)
Which reunion will I bust that out at:)
Cheers!
Re:Hacked by bejiitas_wrath · 2012-01-27 19:48 · Score: 2

Is it true that if you type your password in a posting on /. it will be asterisked out?

--
liberare massarum ex ignorantia, clausa descendit molestie.
the login 2 step by bzipitidoo · 2012-01-27 19:55 · Score: 1

A while back I was curious about the origin of the customary way of logging in by first entering a user ID/name, then entering in your password. Where was this first done? Why that order? Why not ask for the password first, or ask for only the password? Maybe it used to be done differently? I knew of Multics, and thought there might be older OSes. A bit of searching turned up CTSS, and the source code. I looked at enough of the CTSS source to see that it did the login 2 step we all know.
What I'm not sure of is how it handled incorrect input. Haven't gone through the source enough to suss that out. I think if a nonexistent user ID was given, those early systems would not ask for a password, they would reject the input on the spot. Today, systems always ask for passwords before rejecting a login attempt, so that a cracker can't use the login to find valid user IDs.
User IDs were not supposed to be secret information suitable for use in authentication. You kind of needed to know them in order to send messages to other users. Now people are frequently advised to keep their usernames secret, and the username has degenerated into being part of the password.
CTSS may be the origin of the login 2 step that we still do today. That's a legacy I feel has been uncritically accepted for far too long.

--
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
1. Re:the login 2 step by Novus · 2012-01-27 20:36 · Score: 2
  
  The problem with using only passwords to log in is that you then have to prevent users from having the same password. This can lead to serious security implications as discussed in this article.
2. Re:the login 2 step by bzipitidoo · 2012-01-28 02:54 · Score: 1
  
  This is not a technically hard problem. The way they did it in that story you linked was terrible. Perhaps the simplest way to solve it is to have the system generate part or all of every password, instead of letting (or making?) users create their own passwords. Naturally, the system is programmed to make sure its part is unique.
  However, that solution might not be so good from a social point of view. I thought a half and half approach might work. The user makes their own password, however weak, and the system adds to it. And rather than a short string of gibberish, the system picks a few real words and short numbers to add to the password, something like "smith0001", which is easier for a person to remember, though writing it down is not discouraged. (Why did we ever have any system that limited passwords to no more than 8 characters, which forces the use of hard to remember gibberish to achieve strength?) A scheme like what I outlined could scale to millions of accounts without collision problems.
  
  --
  Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Re:Rant (-5 insightful) by EETech1 · 2012-01-27 19:58 · Score: 1

That date seems about right...
I can't get off your lawn good sir, it seems your lawn's long gone, quite sure...
Re:what is a password? by pjt33 · 2012-01-27 21:46 · Score: 1

Do you have a floppy drive in that safe too? If not, rush out to the shops now.
And thus... by metacell · 2012-01-27 22:39 · Score: 1

To spread the guilt around, Scherr then handed the passwords over to other users. One of them — J.C.R. Licklieder — promptly started logging into the account of the computer lab's director Robert Fano, and leaving 'taunting messages' behind."
And thus, the first trolling was born.
Re:Hacked by Canazza · 2012-01-27 22:54 · Score: 2

yeah, it is, If I type in "God" it gets asterisked out for me, but when I log out it shows in clear text. It's an easy way to remember your password if you forget it! Just find one of your old posts that you typed your password into!

--
It pays to be obvious, especially if you have a reputation for being subtle.
J.C.R. Licklieder?!? by dtmos · 2012-01-28 00:32 · Score: 1

Um, no. J.C.R. Licklider.
I think the submitter copied the typo in the title of this blog. But really! It's not like he's some unknown guy.
Learn your history... by Gription · 2012-01-28 00:39 · Score: 5, Informative

J. C. R. Licklider is about the most important person in the development of the Internet. He worked in the Pentagon and had three different dedicated terminals to three different systems in his office and each had its different connection procedure. He asked the question of "Why can't these things be connected together?" (probably to save office space...)
He took his question across the hall and in 5 minutes had the funding to start what became the ARPAnet. He was as close as the computer world gets to an expeditionary explorer.
In other words: He funded the startup of the Internet.

For a really great read get a copy of "Where Wizards Stay Up Late: The Origins Of The Internet". Besides learning about the incredible minds that built the foundations, you can read a number of entertaining anecdotes. (Like AT&Ts refusal to believe that it was possible long after it was working!!!)
1. Re:Learn your history... by SteveFoerster · 2012-01-28 03:07 · Score: 2
  
  In other words: He funded the startup of the Internet.
  
  Well, he, my parents, and all the other American taxpayers at the time. But as government projects go, it does seem to have turned out rather well.
  
  --
  Space game using normal deck of cards: http://BattleCards.org
Re:what is a password? by Quince+alPillan · 2012-01-28 01:31 · Score: 1

Because you had to set the wallpaper to something with Internet Explorer. They wanted the background to be a solid blue. Typically, I would set the wallpaper using Internet Explorer to remove the offending image and then set it to blue afterwords.
Re:what is a password? by Sulphur · 2012-01-28 02:31 · Score: 1

Because you had to set the wallpaper to something with Internet Explorer. They wanted the background to be a solid blue. Typically, I would set the wallpaper using Internet Explorer to remove the offending image and then set it to blue afterwords.
The blue screen background of happiness.
Re:what is a password? by EETech1 · 2012-01-28 03:15 · Score: 1

Not in the safe, but in my box o goodies. Too bad you couldn't buy a good one for the last 10 years or so. Mine is fairly new, but I've seen plenty of them die under very light use. Just don't build them the same when you don't run them for 6 hours straight installing the OS from 49 different disks:)
I did try reading them in my old DOS box, and they still worked! I copied them into my circle of backups so I have the data in more than one place now!
Cheers
You might want to check this article out: by mallyone · 2012-01-28 03:19 · Score: 1

http://en.wikipedia.org/wiki/Troll_(Internet)
Re:Rant (-5 insightful) by colinrichardday · 2012-01-28 03:46 · Score: 1

The cartoon on 1/27/12 was numbered 1009. This means that that cartoon was 708 cartoons ago. There are three xkcd cartoons a week, which puts it 236 weeks ago. That is about four years and 28 weeks ago, which would put it roughly July of 2007.
Reminds me of an old IBM joke by Kupfernigk · 2012-01-28 03:49 · Score: 1

From the paper data days. Journalist visits IBM. As he ascends, the floors get more and more luxurious. On the ground floor are the helots in accounts keeping track of the piles of money. On the first floor are the punching and verifying rooms. On the second floor are the computer operators. On the third floor are the programmers. On the fourth floor are the analysts. On the fifth floor are the system architects. On the sixth floor are the computer scientists. On the 7th floor are the research fellows. On the 8th floor are the managers. On the 9th floor is the VP suite. On the 10th floor is the office of the chief executive. On the 11th floor is a penthouse suite. There is an enormous teak desk at which sits a man gazing into space. The journalist asks his guide "Who's he?". "He's the man that found a use for chads."

--
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Re:what is a password? by Fancia · 2012-01-28 09:54 · Score: 1

Glad you backed them up. Floppies have a pretty short lifespan! Worries me when I see people keeping around old floppies assuming they'll be able to get the data off them later when they eventually want to.

--

Bít, zabít, jen proto, ze su liska!