25 september 2023

The First Hack I Ever Saw

Roughly twenty years I ago I saw my first hack. And by "hack", I mean "hack" as in something involving computers and someone's digital assets being compromised. Coincidentally, it is also how I learned the Alt+Tab keyboard shortcut.

Me and my friends (whom I shall call Alice and Mallory) were gathered around the classroom computer in elementary school. I don't really know why we had a computer in our classroom, noone was ever using it for studying. Alice was sitting at the keyboard and I was sitting on a chair behind her. Mallory was standing next to the computer, facing me and Alice. It was between classes and we were chatting casually about everything and nothing. Even though she was not supposed to, Alice decided to check her messages on the social network that was all the rage among the kids back then. The computer was already running so she just opened a web browser and navigated to the login page of the application.

Being a somewhat inexperienced computer user (as most twelve-year-olds were in the early 00s), she was looking down at the keyboard while she was typing. As Alice was just about to enter her password, Mallory's hand quickly and unnoticably shot out and pressed Alt+Tab, ever so smoothly and without pause or hesitation in the conversation we were having. An MSN Messenger chat window that someone had left open came into focus. Unclear whose it was (also not relevant in this story) but Alice's password ended up right there in the text buffer of the chat window, in cleartext. Before Alice hit Enter, Mallory swiftly pressed Alt+Tab and circled back to the web browser, where the password field was still awaiting input. Alice hit Enter and looked up at the monitor. She saw the usual prompt along the lines of "password cannot be empty, please try again". With a shrug and a facial expression that said "Computers, eh? Whatcha gonna do?", she complied and logged in, successfully this time.

After checking her messages, Alice, being a good girl, logged out of her account and went out to play with her friends, leaving me and Mallory alone at the computer. With emphasis, Mallory circled to the MSN chat window using the keyboard and looked at me in triumph. I didn't understand at first what I was looking at, a chat window with some nonsensical text not yet sent, but Mallory explained: it was her password. He showed me his Alt+Tab trick and verified that his hack had worked by logging in on her account. In many ways, it was a very good hack; Alice was unaware that she had been compromised and apart from the password string in the MSN Messenger text buffer (which Mallory cleared after memorizing the password) there were no indicators of compromise for anyone to find. The only flaw in Mallory's attack was to disclose it to me. Otherwise, her execution was perfect. Fortunately for Mallory, and unfortunately for Alice, I'm blowing the whistle twenty years after the fact.

Alice ended up defamed before all her friends. Something I could have prevented, where it not for my cowardice. Ultimately, word got out that Alice's account had been hacked. She changed her password, won her reputation back and went on with her life. Last time I saw her she had a kid on her hip and looked well enough. She didn't recognize me. That was ten years ago. I don't think this incident had any significant impact on her life in the long-run, but I am still disapointed in myself because in my first brush with cyber security, I failed to do the right thing. I should have told her about it immediately. Since then, I've learned a thing or two about cyber security and I'm now commited to helping out whenever I can, for whatever that's worth to twelve-year-old Alice.

~zluudg@TTBP

25 september 2023

The First Hack I Ever Saw

Tags