OddThinking

A blog for odd things and odd thoughts.

HAL BBS Backdoors

Twenty years ago, in the hey-day of 300 baud modems, I never actually hosted a BBS. I couldn’t afford a spare phone line, nor a spare Commodore 64.

I did however, play around with HAL BBS – some very simple BBS software.

There was a rumour out on the web out there that HAL BBS wasn’t to be trusted – it had two backdoors built into the software. It was compiled BASIC, so it wasn’t easy to view the source, but I had a bash at finding those backdoors.

The first one was fairly easy to guess. Every user was assigned a number, which they used, in combination with a password to log in. I think it was the login page prompt that had the clue. It had a prompt like: “Enter user number (0-254):”

The maximum user id was 254. Doesn’t that sound suspicious? Sure enough, there was a mysterious user 255 defined in the database, with full privileges. A simple password change on user 255 closed that hole.

The second security hole was much tougher. I searched labouriously through the hard-coded strings inside the compiled code. One string raised a flag. It looked something like "N:SCORCHED EARTH,A0". I don’t remember the exact phrase in the middle, but it was 16 characters that would cause dread in the mind of any sysop.

But it wasn’t just that phrase; it was where it was placed. In the middle of what looked very much like a 1541 Disk Drive NEW command. If that string was sent to the disk-drive along the command-channel, the result (many minutes later) was a freshly formatted 5 1/4″ floppy. The entire 170 KB of storage gone! (Don’t laugh, this was very serious! That’s a lot of messages.)

I changed the string to "S:CANARY XXXXXXX,A0" and created a file with that name on the disk. Now, it wouldn’t format the disk, but merely delete the canary file, so the sysop could (eventually) notice something was up.

I still wanted to know the trigger – where was the easter-egg that caused this destructive force to be unleashed?

The BBS was named after HAL 9000, the computer in Arthur C. Clarke‘s 2001. In the sequel, 2010, a special remote control triggering device is installed to deactivate HAL.[Ref]

Heywood Floyd: The control’s in my compartment. Little red calculator? You’ve seen it. You put in nine ‘9s’. Take the square root, and then hit ‘Integer.’

I figured that was a key clue, and I tried dozens of combinations to try to trigger the backdoor. I never had any luck.

This morning, I was thinking about this. I realised that, although I hadn’t noticed – or even thought about this for two decades – this issue has actually been gnawing at my insides the entire time.

I decided to include my plea to the web. I am hoping the long-tail of the web will answer me this question in less that 20 more years: Does anyone know how this HAL BBS backdoor was triggered?

It is safe to tell me; I promise not to actually run it on any Commodore-64-based primitive BBS systems still running. Honest!

5 CommentsCategories: Based On A True Story,Doubleplus Geek
Tags: bbs, commodore 64, hacking, security

Comments

  1. I think I’d better switch my BBS software over to Blue Board (by Martin Sikes, if I recall the author’s name correctly) before someone else gets some wild ideas! 😉

  2. As I recall HAL was also available on a Commodore 64 Cartridge. I wish I could find one of those. I ran the BBS off of an SX-64 in the Kansas City area in 1986-87. I was using it as part of the master’s thesis project while attending the Nursing Anesthesia program and KUMC.

  3. I can’t remember the details (like the password), but I used a BASIC decompiler on it, so I could customize it as desired. When looking through the source code, I don’t remember noticing user 255 or the format command (hopefully I found them and just forgot), but I definitely remember seeing a hardcoded password (actually, maybe that was user 255’s password) that gave sysop access. I left the code, but changed the password. (i found this thread searching for the password, but at least now I know the software’s name.)

  4. PS: I just downloaded HAL BBS 1.0 from http://www.zimmers.net/bbs/ and am looking through it with TextEdit (Notepad), and I see long strings of text, which appear to be a shareware doantion request, followed by installation instructions, and in there, it clearly mentions the user 255 after installation: “T THIS POINT, DELETE USER 255″…”WHICH WAS USED TO DIMENSION THE”. I didn’t see SCORCHED EARTH, but I found “HAL-9000″…”EARTH”. (I wasn’t expecting to see anything, but maybe this was an uncompiled version, with viewable source code.)

  5. …OK, forget the first comment; I used a different BBS program (no idea which, and don’t feel like downloading all of them).

Leave a comment

You must be logged in to post a comment.