Chapter 11
Short Takes
I’m not a cryptanalyst, not a mathematician. I just know how people make mistakes in applications and they make the same mistakes over and over again.
— Former hacker turned security consultant
 
 
Some of the stories we were given in the process of writing this book didn’t fit neatly into any of the preceding chapters but are too much fun to ignore. Not all of these are hacks. Some are just mischievous, some are manipulative, some are worthwhile because they’re enlightening or revealing about some aspect of human nature . . . and some are just plain funny.
We enjoyed them and thought you might, too.

THE MISSING PAYCHECK

Jim was a sergeant in the U.S. Army who worked in a computer group at Fort Lewis, on Puget Sound in the state of Washington, under a tyrant of a top sergeant who Jim describes as “just mad at the world,” the kind of guy who “used his rank to make everyone of lesser rank miserable.” Jim and his buddies in the group finally got fed up and decided they needed to find some way of punishing the brute for making life so unbearable.
Their unit handled personnel record and payroll entries. To ensure accuracy, each item was entered by two separate soldier-clerks, and the results were compared before the data was posted to the person’s record.
The revenge solution that the guys came up with was simple enough, Jim says. Two workers made identical entries telling the computer that the sergeant was dead.
That, of course, stopped his paycheck.
When payday came and the sergeant complained that he hadn’t received his check, “Standard procedures called for pulling out the paper file and having his paycheck created manually.” But that didn’t work, either. “For some unknown reason,” Jim wrote, tongue firmly planted in cheek, “his paper file could not be located anywhere. I have reason to believe that the file spontaneously combusted.” It’s not hard to figure out how Jim came to this conclusion.
With the computer showing that the man was dead and no hard-copy records on hand to show he had ever existed, the sergeant was out of luck. No procedure existed for issuing a check to a man who did not exist. A request had to be generated to Army headquarters asking that copies of the papers in the man’s record be forwarded, and for guidance on whether there was any authority for paying him in the meantime. The requests were duly submitted, with little expectation they would receive a quick response.
There’s a happy end to the story. Jim reports that “his behavior was quite different for the rest of the days I knew him.”

COME TO HOLLYWOOD, YOU TEEN WIZARD

Back when the movie Jurassic Park 2 came out, a young hacker we’ll call Yuki decided he wanted to “own” — that is, gain control of — the MCA/Universal Studios box that hosted lost-world.com, the Web site for the Jurassic Park movie and the studio’s TV shows.
It was, he says, a “pretty trivial hack” because the site was so poorly protected. He took advantage of that by a method he described in technical terms as “inserting a CGI that ran a bouncer [higher port not fire-walled] so I can connect to higher port and connect back to localhost for full access.”
MCA was then in a brand-new building. Yuki did a little Internet research, learned the name of the architectural firm, got to its Web site, and found little difficulty breaking into its network. (This was long enough ago that the obvious vulnerabilities have presumably been fixed by now.)
From inside the firewall it was short work to locate the AutoCAD schematics of the MCA building. Yuki was delighted. Still, this was just a sidebar to his real effort. His friend had been busy designing “a cute new logo” for the Jurassic Park Web pages, replacing the name Jurassic Park and substituting the open-jawed tyrannosaurus with a little ducky. They broke into the Web site, posted their logo (see Figure 11-1) in place of the official one, and sat back to see what would happen.
Figure 11-1: The substitute for the Jurassic Park logo.
The response wasn’t quite what they expected. The media thought the logo was funny, but suspicious. CNet News.com carried a story1 with a headline that asked whether it was a hack or a hoax, suspecting that someone in the Universal organization might have pulled the stunt to garner publicity for the movie.
Yuki says that he got in touch with Universal shortly afterward, explaining the hole that he and his friend had used to gain access to the site, and also telling them about a back door they had installed. Unlike many organizations that learn the identity of someone who has broken into their Web site or network, the folks at Universal appreciated the information.
More than that, Yuki says, they offered him a job — no doubt figuring he would be useful in finding and plugging other vulnerabilities. Yuki was thrilled by the offer.
It didn’t work out, though. “When they found that I was only 16, they tried to lowball me.” He turned down the opportunity.
Two years later, CNet News.com presented a list of their 10 all-time favorite hacks.2 Yuki was delighted to see his Jurassic Pond hack prominently included.
But his hacking days are over, Yuki says. He has “been out of the scene for five years now.” After turning down the MCA offer, he started a consulting career that he’s been pursuing ever since.

HACKING A SOFT DRINK MACHINE

Some time back, Xerox and other companies experimented with machines that would do the “E.T., phone home” bit. A copying machine, say, would monitor its own status, and when toner was running low, or feed rollers were beginning to wear out, or some other problem was detected, a signal would be generated to a remote station or to corporate headquarters reporting the situation. A service person would then be dispatched, bringing any needed repair parts.
According to our informant, David, one of the companies that tested the waters on this was Coca-Cola. Experimental Coke vending machines, David says, were hooked up to a Unix system and could be interrogated remotely for a report on their operational status.
Finding themselves bored one day, David and a couple of friends decided to probe this system and see what they could uncover. They found that, as they expected, the machine could be accessed over telnet. “It was hooked up via a serial port and there was a process running that grabbed its status and formatted it nicely.” They used the Finger program and learned that “a log-in had occurred to that account — all that remained for us was to find the password.”
It took them only three attempts to guess the password, even though some company programmer had intentionally chosen one that was highly unlikely. Gaining access, they discovered that the source code for the program was stored in the machine and “we couldn’t resist making a little change!”
They inserted code that would add a line at the end of the output message, about one time in every five: “Help! Someone is kicking me!”
“The biggest laugh, though,” David says, “was when we guessed the password.” Care to take a stab at what the password was that the Coke people were so sure no one would be able to guess?
The password of the Coke vending machine, according to David, was “pepsi”!

CRIPPLING THE IRAQI ARMY IN DESERT STORM

In the run-up stages for operation Desert Storm, U.S. Army Intelligence went to work on the Iraqi Army’s communication systems, sending helicopters loaded with radio-frequency sensing equipment to strategic spots along “the safe side of the Iraqi border.” That’s the descriptive phrase used by Mike, who was there.
The helicopters were sent in groups of three. Before the evolution of the Global Positioning System (GPS) for pinpointing locations, the three choppers provided cross-bearings that enabled the Intelligence people to plot the locations of each Iraqi Army unit, along with the radio frequencies they were using.
Once the operation began, the United States was able to eavesdrop on the Iraqi communications. Mike says, “US soldiers who spoke Farsi began to listen in on the Iraqi commanders as they spoke to their ground troop patrol leaders.” And not just listen. When a commander called for all of his units to establish communications simultaneously, the units would sign in: “This is Camel 1.” “This is Camel 3.” “This is Camel 5.” One of the U.S. eavesdroppers would then pipe up over the radio in Farsi, “This is Camel 1,” repeating the sign-in name.
Confused, the Iraqi commander would tell Camel 1 that he already signed in and shouldn’t do it twice. Camel 1 would innocently say he had only signed in once. “There would be a flurry of discussion with allegations and denials about who was saying what,” Mike recounts.
The Army listeners continued the same pattern with different Iraqi commanders up and down the border. Then they decided to take their ploy to the next level. Instead of repeating a sign-in name, a U.S. voice, in English, would yell, “This is Bravo Force 5 — how y’all doing!” According to Mike, “There would be an uproar!”
These interruptions infuriated the commanders, who must have been mortified at their field troops hearing this disruption by the infidel invaders and at the same time appalled to discover that they could not radio orders to their units without the American forces overhearing every word. They began routinely shifting through a list of backup frequencies.
The radio-frequency sensing equipment aboard the U.S. Army copters was designed to defeat that strategy. The equipment simply scanned the radio band and quickly located the frequency that the Iraqis had switched to. The U.S. listeners were soon back on track. Meanwhile, with each shift, Army Intelligence was able to add to their growing list of the frequencies being used by the Iraqis. And they were continuing to assemble and refine their “order of battle” of the Iraqi defense force — size, location, and designation of the units, and even action plans.
Finally the Iraqi commanders despaired and forfeited radio communication with their troops, turning instead to buried telephone lines. Again, the United States was right behind them. The Iraqi Army was relying on old, basic serial telephone lines, and it was a simple matter to tap into any of these lines with an encrypted transmitter, forwarding all the traffic to Army Intelligence.
The American Army’s Farsi speakers went back to work, this time using the same methods they had used earlier for disrupting the radio communications. It’s funny to picture the expression on the face of some Iraqi major or colonel or general as a jovial voice comes booming down the line, “Hi, this is Bravo Force 5 again. How y’all doing!”
And maybe he might add something like, “We missed you for a while and it’s good to be back.”
At this point, the Iraqi commanders had no modern communication options left. They resorted to writing out their orders and sending the paper messages via trucks to the officers in the field, who wrote out their replies and sent the truck on its way back across the steaming, sandy desert to headquarters. A single query and response could take hours for the round-trip. Commands that required multiple units to act in coordination became nearly impossible because it was so difficult to get the orders to each involved field unit in time for them to act together.
Not exactly an effective way to defend against the fast-moving American forces.
As soon as the air war started, a group of U.S. pilots was assigned the task of looking for the trucks that shuttled messages back and forth between the known locations of the Iraqi field groups. The Air Force started targeting these communication trucks and knocking them out of action. Within a few days, Iraqi drivers were refusing to carry the messages among field leaders because they knew it was certain death.
That spelled a near-complete breakdown of the Iraqi command-and-control system. Even when Iraqi Central Command was able to get radio orders through to the field, the field commanders, Mike says, “were terrified about these communications because they knew that the messages were being listened to by the U.S. Army and would be used to send attacks against their location” — especially since, by responding to the orders, the field commander revealed that he was still alive, and could expect that his response had allowed the Americans to pinpoint his location. In an effort to spare their own lives, some Iraqi field units disabled their remaining communication devices so they would not have to hear incoming communications.
“In short order,” Mike remembers with obvious glee, “the Iraqi Army collapsed into chaos and inactivity in many locations because no one was able — or willing — to communicate.”

THE BILLION-DOLLAR GIFT CERTIFICATE

For the most part, the following is directly taken from our conversation with this former hacker, who is now a well-established, respected security consultant.
It’s all there, dude, it’s all there. “Why do you rob banks, Mr. Horton?” “That’s where the money is.”
I’ll tell you a funny story. Me and this guy Frank from the National Security Agency — I won’t even give his name, he now works for Microsoft. We had a [penetration test] engagement with a company that makes digital gift certificates. They’re out of business, I’m still not gonna mention them.
So, what are we gonna hack? Are we gonna hack the crypto in the gift certificate? No, [the encryption] was like awesome, very well done. It’s cryptographically secured, it would be a waste of time to try. So what are we gonna attack?
We look at how a merchant redeems a certificate. This is an insider attack because we’ve been allowed to have a merchant account. Well, we find a flaw in the redemption system, an application flaw that gave us arbitrary command execution on the box. It was foolish, childish, no special skills needed — you just gotta know what you’re looking for. I’m not a cryptanalyst, not a mathematician. I just know how people make mistakes in applications and they make the same mistakes over and over again.
On the same subnet with the redemption center, they have [a connection to] their mint — the machine that makes the gift certificates. We broke into that machine using a trust relationship. As opposed to just getting a root prompt, we made a gift certificate — we minted a gift certificate with 32 high bits, and set the currency unit to U.S. dollars.
I now have a gift certificate worth $1,900,000,000. And the certificate was completely valid. Someone said we should have set it to English pounds, which would have been more bang for the buck.
So, we went to the web site for the Gap and bought a pair of socks. Theoretically, we had a billion, nine hundred million coming in change from a pair of socks. It was awesome.
I wanted to staple the socks to the pen test report.
But he wasn’t done. He didn’t like the way he thought the story must have sounded to us, and he went on, hoping to correct the impression.
Maybe I sound like a rock star to you, but all you see is the path I took and you go, “Oh, my God, look how clever he is. He did this to get on the box, and then on the box he violated a trust relationship, and then once there he got onto the mint and he fabricated a gift certificate.”
Yeah, but do you know how hard that really was? It was like, “Well, try this, did that work?” No sale. “Try this, did that work?” No sale. Trial and error. It’s curiosity, perseverance and blind luck. And mix in a little bit of skill.
I actually still have those socks.
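The lesson of this story is that a certificate can be cryptographically valid and still be absurd, because the attackers never touched the crypto: they reached the mint and had it sign whatever amount they wanted. The example below is added here and is not code from the book or from the company described; it uses a constructed HMAC-signed certificate format and a constructed policy cap to show the difference between a redemption check that trusts the signature alone and one that also enforces issuance policy.

```python
import hashlib
import hmac
import json

# Constructed demo key, not a real mint secret.
MINT_KEY = b"demo-mint-key-not-real"

# Constructed issuance policy: nothing above $500, only U.S. dollars.
MAX_CENTS = 500 * 100
ALLOWED_CURRENCIES = {"USD"}

# The figure from the story, $1,900,000,000, expressed in cents.
ROGUE_CENTS = 1_900_000_000 * 100


def mint_certificate(key, amount_cents, currency, serial):
    """What the mint does: serialise the fields and sign them with the mint key."""
    payload = {"serial": serial, "amount_cents": amount_cents, "currency": currency}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, sig


def signature_valid(key, body, sig):
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def redeem_naive(key, body, sig):
    """Redemption that trusts the mint completely: valid signature => honour the amount.
    This is the check the story's merchant side effectively had."""
    if not signature_valid(key, body, sig):
        return None
    return json.loads(body)["amount_cents"]


def redeem_with_policy(key, body, sig, redeemed_serials=None):
    """Redemption that treats the signature as necessary but not sufficient.
    Issuance policy is enforced here too, so a compromised mint cannot print
    money that the redemption side will honour."""
    if not signature_valid(key, body, sig):
        return None, "bad signature"
    cert = json.loads(body)
    amt = cert.get("amount_cents")
    if not isinstance(amt, int) or amt <= 0:
        return None, "malformed amount"
    if cert.get("currency") not in ALLOWED_CURRENCIES:
        return None, "currency not allowed"
    if amt > MAX_CENTS:
        return None, "amount exceeds issuance cap"
    if redeemed_serials is not None:
        if cert.get("serial") in redeemed_serials:
            return None, "already redeemed"
        redeemed_serials.add(cert["serial"])
    return amt, "ok"


if __name__ == "__main__":
    body, sig = mint_certificate(MINT_KEY, 2500, "USD", "demo-0001")
    print("normal cert, naive :", redeem_naive(MINT_KEY, body, sig))
    print("normal cert, policy:", redeem_with_policy(MINT_KEY, body, sig))
    rb, rs = mint_certificate(MINT_KEY, ROGUE_CENTS, "USD", "demo-0002")
    print("rogue cert, naive  :", redeem_naive(MINT_KEY, rb, rs))
    print("rogue cert, policy :", redeem_with_policy(MINT_KEY, rb, rs))
```

The rogue certificate carries a perfectly good signature, so the naive redeemer pays out $1.9 billion; the policy-aware redeemer rejects it on the amount cap, which is the control the crypto alone could never provide.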

THE TEXAS HOLD ’EM HACK

One of the things poker players feel pretty confident about when sitting down at a table in a major casino — whether playing today’s most popular version, Texas Hold ’Em, or some other variation — is that, under the watchful eyes of the dealer, the pit bosses, and the all-seeing video cameras, they can count on their own skill and luck, and not worry much that some of the other players might be cheating.
These days, thanks to the Internet, it’s possible to sit down at a poker table electronically — playing from the comfort of your own computer, for money, against live players sitting at their computers in various parts of the country and the world.
And then along comes a hacker who recognizes a way to give himself more than a little advantage, by using a homemade bot — a robot — in this case, an electronic one. The hacker, Ron, says that this involved “writing a bot that played ‘mathematically perfect’ poker online while misleading the opponents into thinking they were playing against a real human player.” Besides making money on everyday games, he entered his bot in quite a number of tournaments with impressive success. “In one four-hour ‘free-roll’ (no entry fee) tournament that started with three hundred players, the bot finished in second place.”
Things were going great guns until Ron made an error in judgment: He decided to offer the bot for sale, with a price tag of $99 a year to each buyer. People began to hear about the product and folks using the online poker site he had targeted became concerned that they might be playing against robotic players. “This caused such an uproar (and concern by casino management that they would lose customers) that the site added code to detect the use of my bot and said they would permanently ban anyone caught using it.”
Time for a change in strategy.
After unsuccessfully attempting to make a business of the bot technology itself, I decided to take the whole project underground. I modified the bot to play at one of the largest online poker sites, and extended the technology so it could play in “team mode,” where two or more bots at the same table share their hidden cards among themselves for unfair advantage.
In his original email about this adventure, Ron implied that his bots were still in use. Later, he wrote again asking us to say the following:
After assessing the financial harm that would be caused to thousands of online poker players, Ron ultimately decided never to use his technology against others.
Still, online gamblers, you need to decide for yourselves. If Ron could do it, so can others. You might be better off hopping a plane to Las Vegas.

THE TEENAGE PEDOPHILE CHASER

My coauthor and I found this story compelling. Even though it may be only partially true or, for all we know, entirely made up, we decided to share it essentially the way it was submitted:
It all started when I was about 15 years old. A friend of mine, Adam, showed me how to place free phone calls from the school payphone, which was located outside on the pavilion where we used to eat lunch. This was the first time I had done anything even remotely illegal. Adam fashioned a paperclip into a kind of free phone card, using the paperclip to puncture the earpiece of the handset. He would then dial the phone number he wanted to call, holding down the last digit of the number and at the same time touching the paper clip to the mouthpiece. What followed was a series of clicks and then ringing. I was awestruck. It was the first time in my life when I realized how powerful knowledge could be.
I immediately began reading everything I could get my hands on. If it was shady information, I had to have it. I used the paperclip trick all through high school until my appetite for darker avenues followed. Perhaps it was to see just how far this newfound avenue could go. That coupled with the thrill of doing something “bad” is enough to drive any young 15-year-old punk to the underground.
What followed next was my realization that it took more than just knowledge to be a hacker. You had to have that social cunning in order to execute the trap.
I learned of these programs called Trojans through an online friend who had me load one into my computer. He could do amazing things like see what I was typing, recording my video cam stream, and all kinds of other fun stuff. I was in heaven. I researched all I could about this Trojan and began packing it into popular executables. I would go into chat rooms and try to get somebody to download one, but trust was an issue. No one trusted me, and with good reason.
I went into a random teen IRC chat room and that’s where I found him: a pedophile came in looking for pictures of young kids and teens. At first I thought it was a joke, but I decided to play along and see if I could make a victim out of this person.
I began to chat privately with him posing as a young girl who had every intention of meeting him one day — but not the way he thought. This gentleman was sick to say the least. My 15-year-old instincts wanted to do the world justice. I wanted to burn this guy so bad he would think twice about fishing for kids again. I tried on many occasions to send him the Trojan, but he was smarter than me. He had anti-virus software installed that blocked my every attempt. The funny thing was he never suspected me of being malicious. He thought that perhaps my computer was infected and it was attaching itself to the pictures I attempted to send. I just played dumb.
After a few days of chatting, he began to get pushier. He wanted dirty pictures of me and he told me he loved me and wanted to meet me. He was a first class scumbag and just the perfect target to burn without remorse if I could just get in. I had gathered enough information about him to gain access to a few of his email accounts. You know those secret questions they ask you? “What is your favorite color?” “What is your mother’s maiden name?” All I had to do was fish this information out of him and voila I was in.
The stuff he was up to was highly illegal. Let’s just say lots of pornography with children of varying ages. I was sickened.
Then it dawned on me. If he wouldn’t accept the Trojan from me maybe he would accept it from one of his porn buddies. I spoofed an email address and wrote a short message.
I thought for sure he was going to catch on and I waited patiently all afternoon for him to check the email. I had given up. I wasn’t meant for this [social engineering] stuff.
Then at about 11 p.m. that night it happened. I got the message triggered by my Trojan to tell me it had installed on his machine. I had done it!
I gained access and immediately began copying evidence into a folder [I created on his computer]; I named it “jailbait.” I learned all kinds of information about this guy. His name, address, where he worked, and even what documents he was working on at the time.
I couldn’t just call the FBI or the local police [because I was afraid just knowing about the material on that man’s computer] would land me in jail, and I was scared. After some more poking and prodding I learned he was married and he had kids. This was horrible.
I did the only thing I knew to do. I sent his wife an email with all the information she needed to access the jailbait file. I then covered my tracks and unloaded the Trojan.
That was my first taste of exploitation of not only code, but emotions to get something done. Once I had access, I realized it wasn’t all it was cut out to be. It required more than just knowledge, it required cunning, lying, manipulating and hard work. But it was worth every ounce of energy to burn that asshole. I felt like a king at 15. And I couldn’t tell a single soul.
But I wish I would have never seen the things I did.

. . . AND YOU DON’T EVEN HAVE TO BE A HACKER

It’s clear from many of the stories in this book that most hackers take years developing their knowledge. So it always seems remarkable to me when I run across an exploit involving hacker-type thinking carried out by someone with no background in hacking. This is one of those.
At the time of this incident, John was a college senior majoring in Computer Science, and found an intern position at a local electric and gas company so that on graduation he’d have not just a degree but some experience. The company put him to work performing Lotus Notes upgrades for the employees. Each time he called someone to set up an appointment, he’d ask them for their Lotus Notes password so he could perform the upgrade. People had no hesitation in providing the information.
Sometimes, though, he would find himself playing voicemail tag and end up with a scheduled appointment but no opportunity to ask for the password in advance. You know what’s coming, and he figured it out for himself: “I found that 80 percent of the people had never changed their password from when Notes had been installed on their system, so my first try was ‘pass.’”
If that failed, John would drift around the person’s cubicle and take a little look-see for a Post-it note with all their passwords, generally stuck right in plain view on the monitor, or else hidden (if that’s an appropriate word) under the keyboard or in their top drawer.
And, if that approach still left him empty-handed, he had one more card to play. “My last line of attack was studying the personal items in their cubicle. Anything that would give a clue to children’s names, pets, hobbies, and the like.” Several guesses were most often all it took.
One time, though, was harder than usual. “I still remember one woman’s password was giving me a hard time until I noticed that every picture had a motorcycle in it.” On a hunch, he tried “harley” . . . and got in.
Tickled by the success, he started keeping track. “I made a game of it and got in more than 90 percent of the time, spending less than ten minutes on each one. Those that eluded me generally turned out to be simple information that I could have found with deeper research — most often, children’s birthdays.”
It turned out to be a profitable internship, one that “not only provided me with some resumé fodder, but also taught me how our first line of defense against hackers is also our weakest: the users themselves and their password choices.”
And that seems like a powerful message to end with. If every computer user were to improve his or her passwords tonight — and not leave new passwords in some easy-to-find place — then tomorrow morning, we would suddenly find ourselves living in a much more secure world.
We hope that will be an action message for every reader of this book.

NOTES

1 CNet News.com, “Lost World, LAPD: Hacks or Hoaxes?,” by Janet Kornblum, May 30, 1997.
2 CNet News.com, “The Ten Most Subversive Hacks,” by Matt Lake, October 27, 1999.