Saturday, June 2, 2007

CHAPTER 8


Viewdata Systems

Viewdata, or videotex, has had a curious history. At one stage, in

the late 1970s, it was possible to believe that it was about to take

over the world, giving computer power to the masses via their

domestic tv sets. It was revolutionary in the time it was developed,

around 1975, in research laboratories owned by what was then called

the Post Office, but which is now British Telecom. It had a

colour-and-graphics display, a user-friendly means of talking to it

at a time when most computers needed precise grunts to make them

work, and the ordinary layperson could learn how to use it in five

minutes.

The viewdata revolution never happened, because Prestel, its most

public incarnation, was mismarketed by its owners, British Telecom,

and because, in its original version, it is simply too clumsy and

limited to handle more sophisticated applications. All information is

held on electronic file cards which can easily be either too big or

too small for a particular answer and the only way you can obtain the

desired information is by keying numbers, trundling down endless

indices. In the early days of Prestel, most of what you got was

indices, not substantive information. By the time that viewdata sets

were supposed to exist in their hundreds of thousands, home

computers, which had not been predicted at all when viewdata first

appeared, had already sold into the millionth British home.

Yet private viewdata, mini-computers configured to look like

Prestel and to use the same special terminals, has been a modest

success. At the time of writing there are between 120 and 150

significant installations. They have been set up partly to serve the

needs of individual companies, but also to help particular trades,

industries and professions. The falling cost of viewdata terminals

has made private systems attractive to the travel trade, to retail

stores, the motor trade, to some local authorities and to the

financial world.


The hacker, armed with a dumb viewdata set, or with a software

fix for his micro, can go ahead and explore these services. At the

beginning of this book, I said my first hack was of a viewdata

service, Viditel, the Dutch system. It is astonishing how many

British hackers have had a similar experience. Indeed, the habit of

viewdata hacking has spread throughout Europe also: the wonderfully

named Chaos Computer Club of Hamburg had some well-publicised fun

with Bildschirmtext, the West German Prestel equivalent

colloquially-named Btx.

What they appear to have done was to acquire the password of the

Hamburger Sparkasse, the country's biggest savings bank group.

Whereas telebanking is a relatively modest part of Prestel--the

service is called Homelink--the West German banks have been a

powerful presence on Btx since its earliest days. In fact, another

Hamburg bank, the Verbraucher Bank, was responsible for the world's

first viewdata Gateway, for once in this technology, showing the

British the way. The 25-member Chaos Computer Club probably acquired

the password as a result of the carelessness of a bank employee.

Having done so, they set about accessing the bank's own, rather high

priced, pages, some of which cost almost DM10 (£2.70). In a

deliberate demonstration, the Club then set a computer to

systematically call the pages over and over again, achieving a

re-access rate of one page every 20 seconds. During a weekend in

mid-November 1984, they made more than 13,000 accesses and ran up a

notional bill of DM135,000 (£36,000). Information Providers, of

course, are not charged for looking at their own pages, so no bill

was payable and the real cost of the hack was embarrassment.
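
The re-access pattern described above (the same priced pages called roughly every 20 seconds, with no bill raised because the caller is the page owner) is visible in an access log even when billing shows nothing. The following is an added example, not code from the book or from any viewdata system; the log format, account names, page numbers and thresholds are assumptions, and the log lines are constructed.

```python
# Added example: flag machine-regular re-access of priced pages in an access log.
# Log format, account names, page numbers and thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

def make_sample_log():
    """Constructed log lines: 'epoch_seconds account page price_dm page_owner'."""
    lines = []
    # Automated caller: the owner's own priced pages, one access about every 20 s.
    for i in range(15):
        jitter = (0, 1, -1)[i % 3]
        lines.append(f"{1000 + 20 * i + jitter} BANK-IP 20305080{i % 2} 9.97 BANK-IP")
    # Human subscriber: a few priced pages at irregular intervals.
    for ts, page in [(1010, "203050800"), (1095, "203050801"),
                     (1400, "203050800"), (1460, "203050801")]:
        lines.append(f"{ts} USER-17 {page} 0.50 BANK-IP")
    return sorted(lines, key=lambda line: int(line.split()[0]))

def detect_automated_access(lines, min_hits=10, max_mean_gap=60.0, max_jitter=3.0):
    """Return accounts whose priced-page accesses arrive at near-constant intervals.

    Works on the access log rather than on billing, because an Information
    Provider viewing its own pages generates accesses but no charge.
    """
    per_account = defaultdict(list)
    for line in lines:
        ts, account, _page, price, owner = line.split()
        if float(price) > 0:
            per_account[account].append((int(ts), float(price), account == owner))

    alerts = {}
    for account, hits in per_account.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(hits, hits[1:])]
        # Low spread in the gaps is the machine signature; humans are irregular.
        if mean(gaps) <= max_mean_gap and pstdev(gaps) <= max_jitter:
            alerts[account] = {
                "hits": len(hits),
                "mean_gap_s": round(mean(gaps), 1),
                "notional_dm": round(sum(p for _, p, _ in hits), 2),
                "billed_dm": round(sum(p for _, p, own in hits if not own), 2),
            }
    return alerts

if __name__ == "__main__":
    for account, detail in detect_automated_access(make_sample_log()).items():
        print(account, detail)
```
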

In hacking terms, the Hamburg hack was relatively trivial--simple

password acquisition. Much more sophisticated hacks have been

perpetrated by British enthusiasts.

Viewdata hacking has three aspects: to break into systems and become

user, editor or system manager thereof; to discover hidden parts of

systems to which you have been legitimately admitted, and to uncover

new services.

Viewdata software structures

An understanding of how a viewdata database is set up is a great

aid in learning to discover what might be hidden away. Remember,

there are always two ways to each page--by following the internal

indexes, or by direct keying using *nnn#. In typical viewdata

software, each electronic file card or 'page' exists on an overall

tree-like structure:


                    Page
                     0
                     |
---------------------+----------------------- ...
1     2     3     4     5     6     7     8
            |
------------+-------------------------------- ...
31    32    33    34    35    36    37    38
                        |
------------------------+-------------------- ...
351   352   353   354   355   356   357   358     3-digit
            |                                     node
------------+-------------------------------- ...
3531  3532  3533  3534  3535  3536  3537  3538
                                          |
------------------------------------------+-- ...

Top pages are called parents; lower pages filials. Thus page 3538

needs parent pages 353, 35, 3 and 0 to support it, i.e. these pages

must exist on the system. On Prestel, the parents owned by

Information Providers (the electronic publishers) are 3 digits long

(3-digit nodes). Single and double-digit pages (0 to 99) are owned by

the 'system manager' (and so are any pages beginning with the

sequences 100nn-199nn and any beginning with a 9nnn). When a page is

set up by an Information Provider (the process of going into 'edit'

mode varies from software package to package; on Prestel, you call up

page 910) two processes are necessary--the overt page (i.e. the

display the user sees) must be written using a screen editor. Then

the IP must select a series of options--e.g. whether the page is for

gathering a response from the user or is just to furnish information;

whether the page is to be open for viewing by all, by a Closed User

Group, or just by the IP (this facility is used while a large

database is being written and so that users don't access part of it

by mistake); the price (if any) the page will bear--and the 'routing

instructions'. When you look at a viewdata page and it says 'Key 8

for more information on ABC', it is the routing table that is

constructed during edit that tells the viewdata computer: 'If a user

on this page keys 8, take him through to the following next page'.

Thus, page 353880 may say 'More information on ABC....KEY 8'. The

information on ABC is actually held on page 3537891. The routing

table on page 353880 will say: 8=3537891. In this example, you will

see that 3537891 is not a true filial of 353880--this does not

matter; however, in order for 3537891 to exist on the system, its

parents must exist, i.e. there must be pages 353789, 35378, 3537

etc.


            P R E S T E L

        PRESTEL EDITING SYSTEM

Input Details -

Update option o
Pageno 4190100        Frame-Id a
User CUG              User access y
Frame type i          Frame price 2p
Choice type s

Choices
0- *                  1- 4196121
2- 4196118            3- 4196120
4- 4196112            5- 4196119
6- 4196110            7- *
8- 4190101            9- 4199

Prestel Editing. This is the 'choices' page which sets up the frame

before the overt page - the one the user sees - is prepared.

These quirky features of viewdata software can help the hacker

search out hidden databases:

* Using a published directory, you can draw up a list of 'nodes' and

who occupies them. You can then list out apparently 'unoccupied'

nodes and see if they contain anything interesting. It was when a

hacker spotted that an 'obvious' Prestel node, 456, had been unused

for a while, that news first got out early in 1984 about the Prestel

Microcomputing service, several weeks ahead of the official

announcement.

* If you look at the front page of a service, you can follow the

routings of the main index--are all the obvious immediate filials

used? If not, can you get at them by direct keying?


* Do any services start lower down a tree than you might expect

(i.e. more digits in a page number than you might have thought)? In

that case, try accessing the parents and see what happens.

* Remember that you can get a message 'no such page' for two

reasons: because the page really doesn't exist, or because the

Information Provider has put it on 'no user access'. In the latter

case, check to see whether this has been done consistently--look at

the immediate possible filials. To go back to when Prestel launched

its Prestel Microcomputing service, using page 456 as a main node,

456 itself was closed off until the formal opening, but page 45600

was open.
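
The structural rules and the checks listed above can be run from the operator's side as an audit of the page database before a service goes live. The following is an added example, not code from the book or from any viewdata package; the `Page` record, the access labels and the sample pages are assumptions constructed for illustration.

```python
# Added example: operator-side audit of a viewdata page database.
# Page records, access labels and SAMPLE are constructed assumptions.
from dataclasses import dataclass, field

@dataclass
class Page:
    number: str                      # page number as keyed between * and #
    access: str = "open"             # "open", "cug" (Closed User Group) or "ip" (no user access)
    routes: dict = field(default_factory=dict)   # key pressed -> target page number

def parents(number):
    """Parent chain implied by the tree, e.g. 3538 -> 353, 35, 3, 0."""
    if number == "0":
        return []
    return [number[:i] for i in range(len(number) - 1, 0, -1)] + ["0"]

def reachable(db, start="0"):
    """Pages a user can reach from the front page by following routing tables only."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in db and n not in seen:
            seen.add(n)
            stack.extend(db[n].routes.values())
    return seen

def audit(pages):
    """Return sorted (finding, page, detail) tuples for the operator to review."""
    db = {p.number: p for p in pages}
    linked = reachable(db)
    findings = set()
    for p in pages:
        for anc in parents(p.number):
            if anc not in db:
                # Every parent must exist for the page to be supported.
                findings.add(("missing-parent", p.number, anc))
            elif p.access == "open" and db[anc].access != "open":
                # The node was closed off but a filial was left viewable.
                findings.add(("open-under-closed", p.number, anc))
        for key, target in p.routes.items():
            if target not in db:
                findings.add(("dangling-route", p.number, f"{key}={target}"))
        if p.access == "open" and p.number not in linked:
            # Unadvertised, yet anyone who keys the number directly can view it.
            findings.add(("unlinked-open", p.number, "direct-key only"))
    return sorted(findings)

# Constructed sample: node 456 closed before launch, filial 45600 left open.
SAMPLE = [
    Page("0", routes={"3": "3", "4": "4"}),
    Page("3", routes={"5": "35"}),
    Page("35", routes={"3": "353"}),
    Page("353", routes={"7": "3537", "8": "3537891", "9": "3539"}),
    Page("3537", routes={"8": "35378"}),
    Page("35378"),
    Page("3537891"),                 # parent 353789 deliberately absent
    Page("4", routes={"5": "45"}),
    Page("45"),
    Page("456", access="ip"),
    Page("4560", access="ip"),
    Page("45600"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
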

Prestel Special Features

In general, this book has avoided giving specific hints about

individual services, but Prestel is so widely available in the UK and

so extensive in its coverage that a few generalised notes seem

worthwhile.

Not all Prestel's databases may be found via the main index or in

the printed directories; even some that are on open access are

unadvertised. Of particular interest over the last few years have

been nodes 640 (owned by the Research and Development team at

Martlesham), 651 (Scratchpad--used for ad hoc demonstration

databases), 601 (mostly mailbox facilities but also known to carry

experimental advanced features so that they can be tried out), and

650 (News for Information Providers--mostly but not exclusively in a

Closed User Group). Occasionally equipment manufacturers offer

experimental services as well: I have found high-res graphics and

even instruction codes for digitised full video lurking around.

In theory, what you find on one Prestel computer you will find on

all the others. In practice this has never been true, as it has

always been possible to edit individually on each computer, as well

as on the main updating machine which is supposed to broadcast to all

the others. The differences in what is held in each machine will

become greater over time.

Gateway is a means of linking non-viewdata external computers to

the Prestel system. It enables on-screen buying and booking, complete

with validation and confirmation. It even permits telebanking. Most

'live' forms of gateway are very secure, with several layers of

password and security. However, gateways require testing before they

can be offered to the public; in the past, hackers have been able to

secure free rides out of Prestel....


Careful second-guessing of the routings on the databases including

telesoftware(*) has given users free programs while the

telesoftware(*) was still being tested and before actual public

release.

Prestel, as far as the ordinary user is concerned, is a very

secure system--it uses 14-digit passwords and disconnects after three

unsuccessful tries. For most purposes, the only way of hacking into

Prestel is to acquire a legitimate user's password, perhaps because

they have copied it down and left it prominently displayed. Most

commercial viewdata sets allow the owner to store the first ten

digits in the set (some even permit the full 14), thus making the

casual hacker's task easier. However, Prestel was sensationally

hacked at the end of October 1984, the whole system lying at the feet

of a team of four West London hackers for just long enough to

demonstrate the extent of their skill to the press. Their success was

the result of persistence and good luck on their side and poor

security and bad luck on the part of BT. As always happens with

hacking activities that do not end up in court, some of the details

are disputed; there are also grounds for believing that news of the

hack was deliberately held back until remedial action had taken

place, but this is the version I believe:

The public Prestel service consists of a network of computers,

mostly for access by ordinary users, but with two special-purpose

machines, Duke for IPs to update their information into and Pandora,

to handle Mailboxes (Prestel's variant on electronic mail). The

computers are linked by non-public packet-switched lines. Ordinary

Prestel users are registered (usually) onto two or three computers

local to them which they can access with the simple three-digit

telephone number 618 or 918. In most parts of the UK, these two

numbers will return a Prestel whistle. (BT Prestel have installed a

large number of local telephone nodes and

leased lines to transport users to their nearest machine at local

call rates, even though in some cases that machine may be 200 miles

away). Every Prestel machine also has several regular phone numbers

associated with it, for IPs and engineers. Most of these numbers

confer no extra privileges on callers: if you are registered to a

particular computer and get in via a 'back-door' phone number you

will pay Prestel and IPs exactly the same as if you had dialled 618

or 918. If you are not registered, you will be thrown off after three

tries.

(*) Telesoftware is a technique for making regular computer programs

available via viewdata: the program lines are compressed according to

a simple set of rules and set up on a series of viewdata frames. Each

frame contains a modest error-checking code. To receive a program,

the user's computer, under the control of a 'download' routine, calls

the first program page down from the viewdata host, runs the error

check on it, and demands a retransmission if the check gives a

'false'. If it gives a 'true', the user's machine unsqueezes the

programmes and dumps them into the computer's main memory or disc

store. It then requests the next viewdata page until the whole

program is collected. You then have a text file which must be

converted into program instructions. Depending on what model of

micro you have, and which telesoftware package, you can either run

the program immediately or expect it. Personally I found the

telesoftware experience interesting the first time I tried it, and

quite useless in terms of speed, reliability and quality afterwards.

In addition to the public Prestel computers there are a number of

other BT machines, not on the network, which look like Prestel and

indeed carry versions of the Prestel database. These machines, left

over from an earlier stage of Prestel's development, are now used for

testing and development of new Prestel features. The old Hogarth

computer, originally used for international access, is now called

'Gateway Test' and, as its name implies, is used by IPs to try out

the interconnections of their computers with those of Prestel prior

to public release. It is not clear how the hackers first became aware

of the existence of these 'extra' machines; one version is that it

was through the acquisition of a private phone book belonging to a BT

engineer. Another version suggests that they tried 'obvious' log-in

pass-numbers--2222222222 1234--on a public Prestel computer and found

themselves inside a BT internal Closed User Group which contained

lists of phone numbers for the development computers. The existence of at

least two stories suggests that the hackers wished to protect their

actual sources. In fact, some of the phone numbers had, to my certain

knowledge, appeared previously on bulletin boards.

At this first stage, the hackers had no passwords; they could

simply call up the log-in page. Not being registered on that

computer, they were given the usual three tries before the line was

disconnected.

For a while, the existence of these log-in pages was a matter of

mild curiosity. Then, one day, in the last week of October, one of

the log-in pages looked different: it contained what appeared to be a

valid password, and one with system manager status, no less. A

satisfactory explanation for the appearance of this password

imprinted on a log-in page has not so far been forthcoming. Perhaps

it was carelessness on the part of a BT engineer who thought that, as

the phone number was unlisted, no unauthorised individual would ever

see it. The pass-number was tried and admission secured.


After a short period of exploration of the database, which

appeared to be a 'snapshot' of Prestel rather than a live version of

it--thus showing that particular computer was not receiving constant

updates from Duke--the hackers decided to explore the benefits of

System Manager status. Since they had between them some freelance

experience of editing on Prestel, they knew that all Prestel special

features pages are in the *9nn# range: 910 for editing; 920 to change

personal passwords; 930 for mailbox messages and so ...what would

pages 940, 950, 960 and so on do? It became obvious that these pages

would reveal details of users together with account numbers

(systelnos), passwords and personal passwords. There were facilities

to register and deregister users.

However, all this was taking place on a non-public computer. Would

the same passwords on a 'live' Prestel machine give the same

benefits? Amazingly enough, the passwords gave access to every

computer on the Prestel network. It was now time to examine the user

registration details of real users as opposed to the BT employees who

were on the development machine. The hackers were able to assume any

personality they wished and could thus enter any Closed User Group,

simply by picking the right name. Among the CUG services they swooped

into were high-priced ones providing investment advice for clients of

the stockbroker Hoare Govett and commentary on international currency

markets supplied by correspondents of the Financial Times. They were

also able to penetrate Homelink, the telebanking service run by the

Nottingham Building Society. They were not able to divert sums of

money, however, as Homelink uses a series of security checks which

are independent of the Prestel system.

Another benefit of being able to become whom they wished was the

ability to read Prestel Mailboxes, both messages in transit that had

not yet been picked up by the intended recipient and those that had

been stored on the system once they had been read. Among the

Mailboxes read was the one belonging to Prince Philip. Later, with a

newspaper reporter as witness, one hacker sent a Mailbox, allegedly

from Prince Philip to the Prestel System Manager:

I do so enjoy puzzles and games. Ta ta. Pip! Pip!

H R H Hacker

Newspaper reports also claimed that the hackers were able to gain

editing passwords belonging to IPs, enabling them to alter pages and

indeed the Daily Mail of November 2nd carried a photograph of a

Prestel page from the Financial Times International Financial Alert

saying:


FT NEWSFLASH!!! £1 EQUALS $50

The FT maintained that, whatever might theoretically have been

possible, in fact they had no record of their pages actually being so

altered and hazarded the suggestion that the hacker, having broken

into their CUG and accessed the page, had 'fetched it back' onto his

own micro and then edited there, long enough for the Mail's

photographer to snap it for his paper, but without actually

retransmitting the false page back to Prestel. As with so many other

hacking incidents, the full truth will never be known because no one

involved has any interest in its being told.

However, it is beyond doubt that the incident was regarded with the

utmost seriousness by Prestel itself. They were convinced of the

extent of the breach when asked to view page 1, the main index page,

which bore the deliberate mis-spelling: Idnex. Such a change

theoretically could only have been made by a Prestel employee with

the highest internal security clearance. Within 30 minutes, the

system manager password had been changed on all computers, public and

research. All 50,000 Prestel users signing on immediately after

November 2nd were told to change their personal password without

delay on every computer to which they were registered. And every IP

received, by Special Delivery, a complete set of new user and editing

passwords.

Three weeks after the story broke, the Daily Mail thought it had

found yet another Prestel hack and ran the following page 1 headline:

'Royal codebuster spies in new raid on Prestel', a wondrous

collection of headline writer's buzzwords to capture the attention of

the sleepy reader. This time an Information Provider was claiming

that, even after new passwords had been distributed, further security

breaches had occurred and that there was a 'mole' within Prestel

itself. That evening, Independent Television News ran a feature much

enjoyed by cognoscenti: although the story was about the Prestel

service, half the film footage used to illustrate it was wrong: they

showed pictures of the Oracle (teletext) editing facility and of

someone using a keypad that could only have belonged to a TOPIC set,

as used for the Stock Exchange's private service. Finally, the name

of the expert pulled in for interview was mis-spelled although he was

a well-known author of micro books. The following day, BBC-tv's

breakfast show ran an item on the impossibility of keeping Prestel

secure, also full of ludicrous inaccuracies.


It was the beginning of a period during which hackers and hacking

attracted considerable press interest. No news service operating in

the last two months of 1984 felt it was doing an effective job if it

couldn't feature its own Hacker's Confession, suitably filmed in deep

shadow. As happens now and again, press enthusiasm for a story ran

ahead of the ability to check for accuracy and a number of Hacks That

Never Were were reported and, in due course, solemnly commented on.

BT had taken much punishment for the real hack--as well as causing

deep depression among Prestel staff, the whole incident had occurred

at the very point when the corporation was being privatised and

shares being offered for sale to the public--and to suffer an

unwarranted accusation of further lapses in security was just more

than they could bear. It is unlikely that penetration of Prestel to

that extent will ever happen again, though where hacking is

concerned, nothing is impossible.

There is one, relatively uncommented-upon vulnerability in the

present Prestel set-up: the information on Prestel is most easily

altered via the bulk update protocols used by Information Providers,

where there is a remarkable lack of security. All the system

presently requires is a 4-character editing password and the IP's

systel number, which is usually the same as his mailbox number

(obtainable from the on-system mailbox directory on page *7#) which

in turn is very likely to be derived from a phone number.

Other viewdata services

Large numbers of other viewdata services exist: in addition to the

Stock Exchange's TOPIC and the other viewdata based services

mentioned in chapter 4, the travel trade has really clutched the

technology to its bosom: the typical High Street agent not only

accesses Prestel but several other services which give up-to-date

information on the take-up of holidays, announce price changes and

allow confirmed air-line and holiday bookings.

Several of the UK's biggest car manufacturers have a stock locator

system for their dealers: if you want a British Leyland model with a

specific range of accessories and in the colour combinations of your

choice, the chances are that your local dealer will not have it in

stock. He can, however, use the stock locator to tell him with which

other dealer such a machine may be found.

Stock control and management information is used by retail chains

using, in the main, a package developed by a subsidiary of Debenhams.

Debenhams had been early enthusiasts of Prestel in the days when it

was still being pitched at a mass consumer audience--its service was

called Debtel which wags suggested was for people who owed money or,

alternatively, for upper-class young ladies.


Later it formed DISC to link together its retail outlets, and this

was hacked in 1983. The store denied that anything much had

happened, but the hacker appeared (in shadow) on a tv program

together with a quite convincing demonstration of his control over

the system.

Audience research data is despatched in viewdata mode to

advertising agencies and broadcasting stations by AGB market

research. There are even alternate viewdata networks rivalling that

owned by Prestel, the most important of which is, at the time of

writing, the one owned by Istel and headquartered at Redditch in the

Midlands. This network transports several different trade and

professional services as well as the internal data of British

Leyland, of whom Istel is a subsidiary.

A viewdata front-end processor is a minicomputer package which

sits between a conventionally-structured database and its ports which

look into the phone-lines. Its purpose is to allow users with

viewdata sets to search the main database without the need to

purchase an additional conventional dumb terminal. Some viewdata

front-end processors (FEPs) expect the user to have a full alphabetic

keyboard, and merely transform the data into viewdata pages 40

characters by 24 lines in the usual colours. More sophisticated FEPs

go further and allow users with only numeric keypads to retrieve

information as well. By using FEPs a database publisher or system

provider can reach a larger population of users. FEPs have been known

to have a lower standard of security protection than the conventional

systems to which they were attached.

Viewdata standards

The UK viewdata standard--the particular graphics set and method

of transmitting frames--is adopted in many other European countries

and in former UK imperial possessions. Numbers and passwords to

access these services occasionally appear on bulletin boards and the

systems are particularly interesting to enter while they are still on

trial. As a result of a quirk of Austrian law, anyone can

legitimately enter their service without a password; though one is

needed if you are to extract valuable information. However, important

variants to the UK standards exist: the French (inevitably) have a

system that is remarkably similar in outline but incompatible.


In North America, the emerging standard which was originally put

together by the Canadians for their Telidon service but which has

now, with modifications, been promoted by Ma Bell, has high

resolution graphics because, instead of building up images from block

graphics, it uses picture description techniques (eg draw line, draw

arc, fill-in etc) of the sort relatively familiar to most users of

modern home micros. Implementations of NAPLPS (as the US standard is

called) are available for the IBM PC.

The Finnish public service uses software which can handle nearly

all viewdata formats, including a near-photographic mode.

Software similar to that used in the Finnish public service can be

found on some private systems. Countries vary considerably in their

use of viewdata technology: the German and Dutch systems consist

almost entirely of gateways to third-party computers; the French

originally cost-justified their system by linking it to a massive

project to make all telephone directories open to electronic enquiry,

thus saving the cost of printed versions. French viewdata terminals

thus have full alpha-keyboards instead of the numbers-only versions

common in other countries. For the French, the telephone directory is

central and all other information peripheral. Teletel/Antiope, as the

service is called, suffered its first serious hack late in 1984 when

a journalist on the political/satirical weekly Le Canard Enchaîné

claimed to have penetrated the Atomic Energy Commission's computer

files accessible via Teletel and uncovered details of laser projects,

nuclear tests in the South Pacific and an experimental nuclear

reactor.

Viewdata: the future

Viewdata grew up at a time when the idea of mass computer

ownership was a fantasy, when the idea that private individuals could

store and process data locally was considered far-fetched and when

there were fears that the general public would have difficulties in

tackling anything more complicated than a numbers-only key-pad.

These failures of prediction have led to the limitations and

clumsiness of present-day viewdata. Nevertheless, the energy and

success of the hardware salesmen plus the reluctance of companies and

organisations to change their existing set-ups will ensure that for

some time to come, new private viewdata systems will continue to be

introduced...and be worth trying to break into.

There is one dirty trick that hackers have performed on private

viewdata systems. Entering them is often easy, because high-level

editing passwords are, as mentioned earlier, sometimes desperately

insecure (see chapter 6) and it is easy to acquire editing status.


Once you have discovered you are an editor, you can go to edit

mode and edit the first page on the system, page 0: you can usually

place your own message on it, of course; but you can also default all

the routes to page 90. Now *90# in most viewdata systems is the

log-out command, so the effect is that, as soon as someone logs in

successfully and tries to go beyond the first page, the system logs

them out....

However, this is no longer a new trick, and one which should be

used with caution: is the database used by an important organisation?

Are you going to tell the system manager what you have done and

urge more care in password selection in future?
