Back when we were all 12 or 13, Chron, The Locust, and I were a bunch of warez puppies. Of course, it was called being a 'rodent' back then. Anyway, we'd frequently get our Apple ][ warez, and they'd have some group name in a splash screen before the game. The games would boot up, "Cracked By..." proudly displayed for the world to see.
Back then, software was mostly passed around by trading disks. We'd have get-togethers where we'd all bring a computer, and boxes and boxes of disks, and make disk copies all night. This was the peak of the copy-protection era, so piracy usually took a little work. One would have to have the right disk copying program, or the right patch, or know which halftracks to grab. Consequently, the cracker (this is copy-protection cracker, mind you. Considered an admirable skill) would then get to blaze their name on the disk for all the leeches, like ourselves, to see. We thought these guys were really cool.
Clearly, we needed to form a group. Thievco was born.
We'd amuse ourselves with replacing the graphics files on our favorite games, or modify the BASIC loader file to bload a Thievco screen first, and then give the modified disks out to our friends.
At some point when I was 13, I got my first modem. It was a Novation Applecat. I read through the docs, and managed to install it myself in slot 2 of my Golden ][ (an Apple ][+ clone from Taiwan. It was only $600 at the time when real ][+'s were $1200.)
I was vaguely familiar with the concept of BBS's. I'd seen the guy who I'd bought the Golden ][ from using them... which is why I wanted the modem in the first place. I got a BBS number from somewhere, and fired up the Catfur disk that came with the modem. I have no recollection of which BBS it was or who the Sysop was. I created an account, and ended up chatting with the Sysop at one point. He was very helpful and patient, and took his board down in order to fire up his copy of Catfur, and send me a better term prog. It might have been ASCIIExpress, I can't remember. I think that's one of the only times I ever got to use the proprietary 1200 BAUD half-duplex feature of the Applecat, which was normally a 300 BAUD modem. I believe I also picked up some more BBS numbers from his sign-off.
I happily spent the next month calling boards in New York (from California) and calling AE lines for the hour-something it took to download a 143K disk image. Until Mom got the phone bill. Whoops, $200. I guess calling other area codes wasn't such a good idea.
No problem. The next month, I was very careful to stay within my area code, 415. This was back when nearly all of the SF Bay Area was 415. What used to be 415 is now 415, 510, 925, 950... anyway... Of course, I was on more often now... I was starting to keep up with some of the discussion boards. Next phone bill arrives, $200 again. Whoops. I guess it's time to investigate the difference between a local call, and local-toll.
Don't ask me how, but I managed to keep the modem, and get my own phone line installed. I think I had some of my own money with which to pay back Mom.
So, now I can be on-line most of the time, and I don't have to wait until 10:00 P.M. when the house phone won't be tied up.
By now, I've got accounts on a number of local BBS's, as Blue Boar of Thievco. So what? What's Thievco? Well...nothing, really. Just the three of us.
I had a computer, modem, and my own phone line. So, I started a BBS.
Welcome to The Thievco Main Office.
I can't remember the name of the program I started with.. It was obviously one of the Applecat BBS progs, since back then most host-to-modem communication was proprietary. I ran it on my Golden ][ with a green composite screen, the Applecat in slot 3 (I'd managed to bend a pin in slot 2 at one point) and one 143K floppy drive. I had room for a few text files, a handful of forums, and user e-mail. The BBS program was a mixture of BASIC and assembly (modem drivers were in Assembly) so I was able to make modifications pretty easily. In fact, now that I think about it, we didn't think there was anything unusual about the fact that someone had written a commercial quality program, and distributed it for free in source-code form. Hmm. Anyway, so I made some mods, such as the k00l!!!11!! spinning cursor.
It wasn't long before we learned of another new BBS in our local calling area, The Forbin Project. (Please note: This was NOT the Forbin Project BBS that the Procomm guys ran.) It became a sort of sister BBS to ours. There were a number of joint Thievco/Forbin Project events put on. The Sysops of TFP, The Intruder and Commander Zer0, became good friends of ours. Over the next few years, we had regular get-togethers to eat Pizza, go on Picnics, go to the movies, or go to the Laserium. We'd also occasionally attend an event put on by The Inner Circle, another local BBS in Berkeley. The Inner Circle folks were a bit older than most of us, so we weren't always welcome.
We'd collected a whole circle of BBS friends that were our primary peer group. We'd spend most weekends in the dumpsters of the high-tech companies of Silicon Valley.
One problem with running the BBS was that I'd tied up my computer. I'd occasionally take it down to play games.. frequently an Ultima.. at which point I'd just answer the phone voice and chat with whomever was on the other end of the line. Sometimes they'd just ask what was up with the board, and I'd tell 'em I was working on it, and to call back later. Sometimes we'd chat for a little while if it was one of the users I knew better. But, the board eventually got a little more popular, and it was getting to be less practical for me to just take it down. I needed a game machine.
Chron's first machine of his own was a C64, and I'd seen from using his that it was really a good little game machine. Prices had dropped to a pretty reasonable level for most 8-bit machines, so I was able to pick up a C64 and a 1541 for around $300-$400. This was, of course, a little embarrassing after participating in so many my-apple-is-better-than-your-commie (or atari, or whatever) wars.
Chron started a BBS (A Thievco Branch Office.. I can't remember the name) on his C64. He had a couple of drives, so he had the luxury of occasionally being able to slip a disk into the second one for one of his users to download. I had no space for games. I'd had to add a second drive for the message boards. I think he got a second C64 at some point to play on while his BBS was up.
Chron was a little more reckless in his phone use than I was. He wanted to be able to call around a little more. So, when I'd stay over at his house for the night, we'd call the White House and ask to speak to Reagan, or we'd call Information in different parts of the US and ask how the weather was.. Some operators got a bit snotty, but many were happy to chat. They didn't have much else to do at 1:00 A.M. +... Sometimes we'd call the local ANI number and try to get the address for some person we knew via some BBS that we wanted to screw with. It's not easy to pretend to be a PacBell tech when you've got a 16-year-old voice.
Chron got busted for MCI codes. I can't say it was too much of a shock... he was scanning them and using them from his home line. They presented an (unsigned) warrant at the door to his Dad, and came into his room and took everything that looked computer-related. They searched every drawer, the closet, etc.. Just for good measure, they took a beer and some porn they had found in his room, and left them in the middle of the floor. Then they invited his Dad in to "see if they got everything." His Dad was overly cooperative.. never challenged the suspicious warrant, never questioned what was going on, didn't argue when MCI & PacBell claimed $1600 in phone calls, and he just paid them. Chron never saw his equipment again, and I don't think he got charged. He was under 18 at the time. They never went after any of his friends. We weren't Uber-phreaks.. We couldn't take over a switch if our lives depended on it. The extent of our "boxing" consisted of playing a quarter-tone over the commie speaker and thinking it was cool. We exploited the absolutely pathetic authentication method that was used by MCI for long distance. (5 digits? Shared by every MCI customer?)
That put a bit of a cramp in his BBS. We got him some loaner equipment here and there, but he never tried to set up shop again. We spent most of the following months worrying that they would come after the rest of us, or they would prosecute Chron, or they'd do something with the userlist from the BBS. I had a big magnet near my computer for a while after that.
But, they never did anything, and the Thievco Main Office lived on... At one point I had met a girl via my BBS that I would talk to on the phone for the next couple of years, and eventually marry. I had started working a little here and there to pay for my phone line and equipment. I worked running backups and cleaning the computer room for a small local software company, I was a playtester for a few game companies, etc...
Then.. I finished high school. I was 17. I had run TMO for over four years, and racked up I don't remember how many thousand calls. Back then, what caller number you were was one of the first things to scroll past your screen, much like the counters on web sites now. But, I was headed for college, the bane of BBS's everywhere. I posted my goodbyes and thanks to everyone..let those stay for a week or two, and retired it.
I can remember how quiet my room was without the computer running. That Golden ][ had run nearly non-stop for all that time, in the same room I slept in, and I had gotten used to the sounds. Even when I would keep the speaker off, I could still hear the relays close when I got a call, followed by the drives going. Anyone who spent a lot of time in front of an Apple will have those various sounds burnt into their brain. I bet I could play the boot sound of an Apple ][ over the PA at Defcon, and half the people there could instantly identify it.
I checked out the green-screen, and there was the waiting-for-call screen burnt deep into the monitor. I packed up the diskettes, packed up my hardware, and headed off for college.
The TMO BBS never went back up. I spent a year at a four-year college, got married the next year, put school on the back-burner, started working full-time, had kids, grew up.
I wasn't the only one. The Forbin Project went down when CZ went to college. The Inner Circle went down when the Sysop graduated from college. All my BBS friends scattered in different directions and went off and had lives.
You have to realize that all of the above WAS my teenage years. This wasn't something I did on the side, or as just a hobby. I'm a computer geek through-and-through. On average, I've spent probably 10 hours a day in front of a computer since I was 12. I knew my friends because of the BBS. I met my wife via my BBS. I make my living now because of skills I learned starting back then.
My 10-year wedding anniversary is next month. I'll be 29 by then. After living in the same house since we got married, we recently moved. Preparatory to that, I cleaned out the garage. I sold a van-load of obsolete hardware to a surplus electronics store. The load included a Golden ][ with an Applecat, related disk-drives and expansion cards, and a phosphor-burned green screen. There was a 1541 disk drive... some Thievco member's old (real) Apple ][+ that had been cannibalized, a bunch of 8-bit computer books (Beneath Apple DOS, 1541 programmer's manual, Central Point manuals....) As well as tons of XT and 286-class IBM compatible hardware, an Osborne, some dead printers... too much junk. I think I got $50 for the whole load.
I have no idea why I kept the old 8-bit hardware for so long. It hadn't been on in 10 years. I guess I wanted to make sure that any possible monetary value was completely depreciated out of it. Still, I couldn't help but be a little depressed when I got rid of it.
Geeze. I'm starting to sound really pathetic.
Jump to the present. I have been working in the networking field for over 8 years now. I've always had an interest in computer security, and in the last several years, I've managed to steer my career and leverage my networking skills so that now I'm one of the people who runs the Corporate Information Security department for a large software company. I'm getting paid great, getting to do exactly what I want, and loving every minute. I get paid to go to Defcon. I run the firewalls, get T3 Internet links to play with, have a large security budget, and as many machines as I need.
So why dredge up Thievco again? Why does Thievco.com exist?
Ever since I discovered the web a few years ago, it has been clear to me that this is the new BBS.. this is where folks build their communities now. I don't mean to denigrate the Internet, or Usenet, or e-mail, or IRC, or whatever your favorite IP-based thing is. I'm not one of those people who thinks the Internet IS the Web. I hope I'll make that abundantly clear with my work in the future. Suffice it to say that the Web part of the Internet is how you're going to reach the world. The Web is the killer app that has however many million people connecting to the Internet.
This is how I get to hang with the hackers.
Ok.. so I've been dragging my butt... I "discovered the web" four years ago. Why Thievco, why now?
Because of what I do for a living, and my professional associations, I have.... a situation. I take the security of my company (my day job) seriously. I'm a smart guy, I pay attention, and I think I know what it takes to really keep up on security issues. I subscribe to the appropriate mailing lists, I go to Defcon, I listen to the Hack Stars talk to each other after a presentation, or in the elevator.
And what did I find out? We're screwed. The Hack Stars know, in their respective areas of expertise, how to waltz right through the security mechanisms.
I'm starting to make connections about the bits and pieces I hear from them. I'm starting to see problem areas that haven't really been publicised yet, and won't be the common attack for a year or more.
I'm starting to get a clue.
So...here's the situation I was talking about. I know something. If I'm going to be an honest security worker, I have to tell people about it. Someone is likely to be unhappy about it, such as the company that produces the product that I'm going to share information about. I work for a large software company. The company I work for often partners with other computer companies, including ones I may have information about.
I can't, while representing my day job in ANY capacity, publish this information. It can't come from my corporate e-mail address, it can't live on my company's web servers. It can't appear to originate from the IP addresses associated with my employer.
When faced with something they don't understand, people react badly. People don't understand computer security. It's not intuitively obvious to many people why it's a good idea to get this information out in the open. They don't understand why it's important to give the details. They don't understand why we have to tell people that there is a problem at all. What do you mean we screwed up? Geeze! That's embarrassing... let's hide it! On an emotional level, that's how people think about security problems, even people who should know better. BTW, have you seen my first rant? :)
People really have to train themselves to respond correctly when faced with a security hole in their products. The correct response is "Thank you for finding a bug in our product that we should have spotted ourselves had we done ANY due diligence in trying to make it secure." Not "They published WHAT? Who are these evil hackers? Why didn't they tell US so we could hush it up? Go call their ISP and have their site shut down before someone sees it!" Of course, the hacker probably mailed them about the problem weeks ago, and they ignored him.
The reality is that hackers get many more incorrect responses than correct responses. BTW, have you seen my first rant? :)
Obviously, I need some sort of alternate identity that isn't associated with my job at all. But wait, I already have one... one that is dear to me and that I already have a certain amount of love for.
It's very freeing to have a forum to present in again. Since I launched the site a few days ago, I've been up until 2:00 in the morning every night working on it.
Be afraid.
Welcome to Thievco.com
"Stealing your secrets since 1982."
BB
First off, let's get this business of the definition of "hacker" out of the way. How does Thievco define hacker?
Not cracker. Crackers break into systems. A cracker may have the skill set of a hacker or not. Usually not, since all the good hackers I know don't feel the need to break into systems without permission. Heck, there's plenty of folks that will pay them to break into systems they own. Notice that even the word "cracker" isn't clear, since that's what we used to call the guys who could crack copy protection.
Not script kiddies. They don't know enough about what they're doing. I'm pushing the term "lacker."
So what is a hacker? Go to the top of this page, and re-read it. Read what I've been doing since I was 12. That's a hacker. They don't have to have done it for years, they don't have to do it for a living, they don't have to be particularly good at it. They have to be doing it to learn. It doesn't necessarily have anything to do with computers, networks, or security. Those just have a lot of draw for hackers. It's OK for hackers to be motivated by wanting to show up big companies that claim to sell secure products.
The problem is, the media is only interested in computer hackers, and only if it has to do with breaking security. The media doesn't want to report on Theo de Raadt who spends his days debugging BSD code so we can have a secure OS. They don't want to report on the kind of guy who wrote a BBS and gave out the source so I could run a BBS out of my bedroom. Now there's some REAL hackers.
Let's see how long it takes for someone to read this, pick out the fact that I did the smallest bit of phreaking, and decide that that is what hackers are all about and that we're all evil.
Ok, last item. I obviously got a bit nostalgic while writing this, so I'm going to abuse your attention even further, and ask for leads on folks in the BBS scene in the SF east-bay in the period 1982-1987. Looking for these folks:
Commander Zero, The Intruder, The Penguin, The Kingpin (not the one from the L0pht), A Huge Janus, Baron GTS, EEKaMouse, Raistlin Majere
I'm in contact with:
Me, Chron, The Locust, Sexy Sara, Luscious Lisa, Marge, DeDe
It's time for a reunion party.