I executed a brilliant hack when I was 15 years old. That was the autumn of 1994, more than 20 years before writing this on my quad core phone in the comfort of my sofa. It’s now 9:00 p.m., raining. My ten-month daughter is sick and has just come to sleep in the room next to me. Writing this had me wonder what she might think of the technology that was available when I grew up—if or when I tell her this story. Will she feel it is as ancient as I felt about the tech my parents used when they grew up in the ‘50s and ‘60s, with black and white TVs and crude telephones? Probably.
1994 was essentially the pre-Internet era. Yes, the Internet existed but it hadn’t appeared in my bubble and even if I had known about its existence I probably would not have found the 1994-era Internet interesting. My friends and I wanted to use the computer for a sole purpose: play games and run applications that allowed us to create things, even if only virtually.
The best way to get new games was to call up another computer, a BBS, with your modem connected to your landline and download them. When we started calling BBS’s in 1991, there were plenty of different software powering them, but at the end of the BBS era, which (unbeknownst to us) was 1994, the most popular ones had all switched to one system called PCBoard.
PCBoard had one amazing feature: it had apps, or PPEs, short for PCBoard Programming Executable. Any part of PCBoard could be tweaked, rewritten, moved or deleted entirely. Interactions with BBS’s were usually dull, boring affairs but with PCBoard and its apps they became alive. In 1994, animations, tiny games, and new UX paradigms greeted us as we dialed up a BBS instead of the walls of black and white text we were used to in 1993. Colors shifted. Objects moved. Text blinked. It was glorious. We were living in the future.
One popular app was a “message of the day” app that allowed a visitor signing out of a particular BBS to leave a message for the next person signing in. One early Wednesday morning I wanted to download the app to play with it. In the description something blew my mind: the package included the source code along with the compiled app. It seemed like they were giving away their hard work! With documentation on constructing apps scarce, I was amazed at their generosity. So, I did what most aspiring hackers would do given an unprecedented opportunity to learn: I skipped school.
As an absent schoolboy, I downloaded the ZIP-file at the fastest speed known to man: 3 kb / s.
The app was divided into two parts, one to run during sign-in and another during sign-out. Both were much smaller than I imagined; each one was no more than 100 lines of code including comments. One of the things I had been interested in was how apps stored information between sessions. Searching through the code, I found the algorithm to be simple: when a message was left, its contents were written to a text file on the hard drive.
When the next user logged in the file was read from the hard drive and its contents displayed on the screen. Interestingly, the app allowed users to not only include text but also a set of now-standardized codes, called ANSI-codes, that made text change color or blink. This was a popular feature and people took pride in leaving colorful, blinking messages that tickled the eye.
It was like leaving a graffiti tag for the next user but instead of wielding a spray can you wielded the power of code.
To make things easier on the developers (presumably), the way the app displayed the text to the next user was just to execute the text file instead of reading it in and printing it out. The code looking something like this:
Exec was one of the few commands in this arcane language, called PPL, short for PCBoard Programming Language, that I knew of. This was because one of the first things I, and probably most people exploring setting up their own BBS, had done was to implement a custom welcome screen. This was accomplished by including an image like the one above and, to spice things up, download an app that would make the text or image move, bounce or change color. To make this all work I had learned the hard way you had to run exec(“welcome.ans”) because a simple println(“welcome.ans”) didn’t actually run any of the apps or interpret any of the ANSI-codes, it just displayed it all as text as if you opened the file in a text editor. Think of it as opening an HTML-file in a browser versus opening it in a text editor.
My teenage mind realized that this meant the departing visitor couldn’t just leave text for the next incoming user but also make an app start.
People were competing to push ASCII/ANSI art to the limit in their messages and since I wasn’t much of a designer this presented me with an opportunity to innovate. Unfortunately that motivation wasn’t enough. To run an app inside a graphic file you had to supply the full path, preceded by an exclamation mark, like so: !C:\myapp.ppe. There was no way of knowing which apps were available and even if I did know which apps were installed I couldn’t execute them without knowing where they were located.
I packed up my things, jumped on my bicycle and headed for school. A few hours into lectures another thing struck me: there was one directory on PCBoard that I *did* know the path to, since it was the same default directory on all installations: the path to where those files uploaded from users ended up before they were sorted and categorised. The path was something like this:
The only way you could change the directory was by installing PCBoard on another hard drive in which case it ended up in D:\PCBoard\Upload or even E:\PCBoard\Upload depending on how many hard drives the BBS had. But PCBoard always had to be directly under the root directory and the uploaded files always need to be in the “Upload” directory which needed to be a subdirectory to the PCBoard directory. I had noticed this when we installed PCBoard at my friends computer a few weeks earlier.
By standardising the directory it was easy to create apps that handled the uploaded files, which there were plenty of apps for. There were apps that presented the most recently uploaded files to the BBS owner, ran a virus scan on them or added an info file to inform visitors of where the file originated. In case someone uploaded it to another BBS there would be a note, a commercial if you will, for the previous BBS’s it had passed through. Packages often would have several different files added as they were transported across countries and borders to the local BBS’s in Stockholm, Sweden that we frequented.
I froze as I made the connection. I could write an app, upload it, leave a message that executed it, log out, quickly log in again and have the app run on the remote BBS. I felt powerful. I had no idea what I would use my newly found power for, but I knew I had to try it to see if it worked.
At this point I should also mention that there was no such thing as process isolation or user ownership on the now-ancient DOS operating system known that powered PCBoard: all files could be accessed by all users and all processes running on a machine. If you ever thought Windows had bad security, think again.
That night I read through the documentation of the PPL language used to design the apps to see what kind of apps I could write. After a while I saw the following command:
Yes. You read that right. PCBoard had a built in debugging function that printed every single user’s username and password in plaintext. Today, this feature could only be described as a Class 1 Vulnerability but the PCBoard developers probably found this to be a pretty handy feature in case the BBS’s owner wanted to help one of his forgetful friends.
I installed PCBoard on the family’s Intel-powered Compaq machine and created a few dummy accounts. I proceeded to write a small app that only ran that single function. Execute. Usernames and passwords of my newly created accounts flashed on my screen. I knew I shouldn’t use this for anything nefarious but deep down I knew I wouldn’t be able to stop myself from doing so.
Most BBS’s had only one phone line. They could only support one user at the same time, so it was common that the BBS’s owner was sitting in front of his computer actively watching what you were doing. If you were being slow, or not using your time productively, like uploading new games, you were viewed as blocking the line for other users and the owner could take the role of Judge Dredd and disconnect you without warning.
This meant that if I were to attempt this it had to be done at a time when there was little risk of the owner sitting in front of his computer. I decided to wait until Saturday night.
The days passed and on Saturday morning I literally jumped out of bed. I sat the alarm for 3:00 a.m. the next morning.
Saturday felt long. The hours dragged on and when I went to bed my body was pumping with adrenaline. I couldn’t sleep, and at 2:50 a.m. I turned off the alarm and got out of bed full of energy in a way that only a 15-year old with a plan can be.
I wrote a new script that included the function to print all usernames and passwords, compiled it into a PPE and called up the BBS of my choice.
All week I had worried that the BBS’s owner would delete the vulnerable app. This was a very valid concern. New apps were appearing almost daily and it was common for BBS owners to switch things out every now and then to ensure the BBS felt fresh or just replace an old version of an app as newer versions were released. I logged on and was greeted with a message left by the last user a few hours ago. The app was still there.
I uploaded my file and proceeded to log out. The prompt appeared asking me to leave a message for the next user.
My shaking hands typed “!C:\PCBoard\Uploads\test.ppe”. I double checked that I had typed it correctly and hit enter. The BBS disconnected me. I dialed in again, logged on and was greeted with the message “Application Execution Error” before being sent to the BBS’s main menu. My heart sank.
This was a big BBS so I figured it wasn’t impossible that it had multiple hard drives and that the owner had installed PCBoard on another hard disk. It wasn’t likely since most commonly the C: drive ran the system software and the other hard drives were just used for storage of the files served by the BBS. But it was worth a shot.
I signed out, and as the familiar prompt appeared I typed in “!D:\PCBoard\Uploads\test.ppe”, replacing the C: with D: to indicate the second hard drive.
Once again I chose the BBS’s name from my computer’s dialing software. Invisibly, small electrical currents indicating a string of zeroes and ones were passed through the serial port which connected the modem to the computer. The other BBS picked up and the familiar sound of the modems negotiating speed echoed in the damp cellar room. After thirty seconds of the noise which I had heard so many times I was once again greeted with the login screen.
This time I was more relaxed and remembered to turn on screen capture. Everything that appeared on the screen was now written to a text file on my hard drive. I went through the standard login sequence and as I came to the part where the message of the day was supposed to be it looked like my screen had exploded.
The screen was filled an unending flow of usernames and passwords neatly listed in two columns. I saw my own password flashing in front of my eyes. I saw the owner’s password in light-grey ASCII characters against the black background of the curved CRT screen. My heart raced. The modem’s lamps blinked furiously. I signed out and typed in an innocent message of the day to remove all traces of what the screen capture had just saved to my hard drive.
It was 3:26 a.m. on a Sunday morning in the autumn of 1994. For a few minutes, the world’s greatest hacker lived in a suburb of Stockholm, sitting on an old office chair in a damp cellar room next to a garage.
(There is an epilogue to this story, but that will have to be in another post.)