Twenty years ago, in the hey-day of 300 baud modems, I never actually hosted a BBS. I couldn’t afford a spare phone line, nor a spare Commodore 64.
I did however, play around with HAL BBS – some very simple BBS software.
There was a rumour out on the web out there that HAL BBS wasn’t to be trusted – it had two backdoors built into the software. It was compiled BASIC, so it wasn’t easy to view the source, but I had a bash at finding those backdoors.
The first one was fairly easy to guess. Every user was assigned a number, which they used, in combination with a password to log in. I think it was the login page prompt that had the clue. It had a prompt like: “Enter user number (0-254):”
The maximum user id was 254. Doesn’t that sound suspicious? Sure enough, there was a mysterious user 255 defined in the database, with full privileges. A simple password change on user 255 closed that hole.
The second security hole was much tougher. I searched labouriously through the hard-coded strings inside the compiled code. One string raised a flag. It looked something like "N:SCORCHED EARTH,A0"
. I don’t remember the exact phrase in the middle, but it was 16 characters that would cause dread in the mind of any sysop.
But it wasn’t just that phrase; it was where it was placed. In the middle of what looked very much like a 1541 Disk Drive NEW command. If that string was sent to the disk-drive along the command-channel, the result (many minutes later) was a freshly formatted 5 1/4″ floppy. The entire 170 KB of storage gone! (Don’t laugh, this was very serious! That’s a lot of messages.)
I changed the string to "S:CANARY XXXXXXX,A0"
and created a file with that name on the disk. Now, it wouldn’t format the disk, but merely delete the canary file, so the sysop could (eventually) notice something was up.
I still wanted to know the trigger – where was the easter-egg that caused this destructive force to be unleashed?
The BBS was named after HAL 9000, the computer in Arthur C. Clarke‘s 2001. In the sequel, 2010, a special remote control triggering device is installed to deactivate HAL.[Ref]
Heywood Floyd: The control’s in my compartment. Little red calculator? You’ve seen it. You put in nine ‘9s’. Take the square root, and then hit ‘Integer.’
I figured that was a key clue, and I tried dozens of combinations to try to trigger the backdoor. I never had any luck.
This morning, I was thinking about this. I realised that, although I hadn’t noticed – or even thought about this for two decades – this issue has actually been gnawing at my insides the entire time.
I decided to include my plea to the web. I am hoping the long-tail of the web will answer me this question in less that 20 more years: Does anyone know how this HAL BBS backdoor was triggered?
It is safe to tell me; I promise not to actually run it on any Commodore-64-based primitive BBS systems still running. Honest!
Comment by Randolf Richardson on September 28, 2011
I think I’d better switch my BBS software over to Blue Board (by Martin Sikes, if I recall the author’s name correctly) before someone else gets some wild ideas! 😉
Comment by Gary Hedberg on June 3, 2013
As I recall HAL was also available on a Commodore 64 Cartridge. I wish I could find one of those. I ran the BBS off of an SX-64 in the Kansas City area in 1986-87. I was using it as part of the master’s thesis project while attending the Nursing Anesthesia program and KUMC.
Comment by George S. on March 8, 2015
I can’t remember the details (like the password), but I used a BASIC decompiler on it, so I could customize it as desired. When looking through the source code, I don’t remember noticing user 255 or the format command (hopefully I found them and just forgot), but I definitely remember seeing a hardcoded password (actually, maybe that was user 255’s password) that gave sysop access. I left the code, but changed the password. (i found this thread searching for the password, but at least now I know the software’s name.)
Comment by George S. on March 8, 2015
PS: I just downloaded HAL BBS 1.0 from http://www.zimmers.net/bbs/ and am looking through it with TextEdit (Notepad), and I see long strings of text, which appear to be a shareware doantion request, followed by installation instructions, and in there, it clearly mentions the user 255 after installation: “T THIS POINT, DELETE USER 255″…”WHICH WAS USED TO DIMENSION THE”. I didn’t see SCORCHED EARTH, but I found “HAL-9000″…”EARTH”. (I wasn’t expecting to see anything, but maybe this was an uncompiled version, with viewable source code.)
Comment by George S. on March 8, 2015
…OK, forget the first comment; I used a different BBS program (no idea which, and don’t feel like downloading all of them).