Useless [hacker|cracker|computer-criminal|*] Movie Trivia: The KGB, My Computer, and Me

Webspace Sponsored by:

This page (like others in the Useless Trivia space) exist to provide analysis and review of computer security in films. Reviews of usernames and passwords used in these films will be mentioned as they can be found and identified.

The KGB, My Computer and Me: Docmentary-Drama with some comedy

If you have read Clifford Stoll's book called "The Cookoo's Egg" then you have a more detailed accounting of the events leading up to the the resolutlion of the initial $0.75 accounting discrepency on the system accounting and use than what is found in this film. Originally aired in U.S. on the PBS (Public Broadcasting System) I found this to be informative, entertaining and enjoyable.

Information about this film (from the film):

Clifford starts working at LBL (Lawrence Berkeley Labs) because his Astronomer grant money runs out
Dave Cleavland (FIXME: Spell name) (described by Clifford Stoll as a real wizard) points out to Clifford a $0.75 discrepency in the resource accounting software report
List of "users" with "UID":
```
Caffre      65700
Stoll       92374
Rice        34840
Olsen       84500
Hutchinson  34509
Starr       79907
Vine        67008
Treppasso   59099
Carlson     24517
Norman      34257
Hunter
Benson      87459
Johnson     56739
Schlar      74578
```
Which does not really look like a password file, and the UID do not look like the common 16 bit UID often used in UNIX systems. (Several UID exceed the max size for unsigned 16 bit int.)
You will notice in the list that appears on the screen that we also see "Bensen" (mentioned later in the film.)
Clifford's solution to the $0.75 problem was to delete the "Hunter" account.
Second event: e-mail from "docmaster" about breakin attempt from LBL machines.
There is mention of password echoing not existing to avoid risk for shoulder surfing.
Account Sventek was used to attack docmaster.
Clifford makes a program to list users as they login and their tty. The movie shows some of these:
```
sykes tt14
chan  tt11
Sventek tt23
```
MOTD for LBL machine "Welcome to LBL" (see this on printer)

Film illustrates "security hole used to gain root access":

mail program allows delivery of mail to the system area
hacker makes a program that can be run by the system
hacker mails program to system i such a way that it will appear in a
specific location
That location was used by a cron job that would execute programs on a regular
basis (every 5 minutes.)

White Belnap (FIXME:spelling of name) bring in a Logic Analyzer to "sniff" session data on the line. We see a screen on the Logic Analyzer that shows incoming and outgoing data on the same screen. I would assume that characters that are inbound are one color (white on black) while outgoing characters are in inverse video (black on white). This explains the double entry of characters as characters are entered and then echoed back to the sender for display. (In this "session" below, "?" are used to specify "unprintble characters" while I use "#" to specify "CR" and "%" to specify "LF"
```
?ss??ssvveenntt?ekc##%
?##%/?^lR?ff?iin\ee
eIi?6^+//???hwoh?3k
??jxE+#zffiR?nnggeerr
nntt?eekV##%?oNi9 n

ki?Mnk?Yph Sle9tJ-#
-?_ld/cfam/sve9t?- 
????mM<Zw/cMh#%=n s
????????????,4]ty2d
```
It is not quite clear to me, but the username is obviously "sventek" in the stream above. Looking for a password, I do not see any obvious candidates. Ideal candidates would be white text on black background in sequence (not separated by inverse video characters), as password characters would not be echoed back to the caller. We see what looks like the word "fine" is typed and then later a "finger" command is issued.
The next character transmitted by the client (in this case) is a single "CR" (Carriage Return) which would suggest to me, that if this was a standard login, that the password was empty or blank for this demo. Even more likely, is that this demo did not include a session on the Logic Analyzer that was actually a login. (Notice we do not see the word "Login:" in the stream? Notice how we do not see the keyword "Password" in the stream?) Perhaps this is supposed to be an unathenticated rlogin...
Username "hunter" is used on a taken Army computer.
Account names used by hacker on other systems: "Hunter", "Hedges", "Jaeger" and "Benson" (these printed on screen.)
There are cases where, during the documentary, Clifford Stoll uses the word "password" to describe the username of an account

Phone Trace to Oakland (on screen data)

23  6312   MS
24  4473   MS
25  4732   MS
26 10471  9.6
:pstat 2533 h0 0
HOST 0 PORT ARRAY 0  1
: trace 2533

A printout with a whois on cia people showed:

Fischoff, J.  (JF27)          ISEOFF@A.ISI.EDU   (703)  351-3305
Gresham, D.L.  (DLG33)       GRESEAW@A.ISI.EDU   (703)  351-2957
Manning, Edward    (EM44)  MANNING@BBM.ARPA      (703)  281-6161
Ziegler, Mary  (MZ9)         MARV@WNS.ARPA       (703)  351-8249

KERMIT was referenced as a tool used to move files by the hackers.
We see Clifford uses a Macintosh Classic at home (Maybe Macintosh SE) and another screen session showing a login from sventek:
```
sventek  tt23
```

Ron uses a IBM PC or PC clone at home. (With what looks like MS-DOS or PC-DOS (note the "Abort, Retry, Ignore" on the screen.:)

Abort, Retry, Ignore?
:       SLOT 1 - IRC's X.75 Gateway
S1CORE  EQ      $A 360          :SLOT 1 CORE SIZE IN KB
NLUS    EQ      5               :NO. OF LU FOR SLOT 1
S1L0    M.REF(1,3)              :V.24  DNIC 2624    ITT
S1L1    M.REF(0,2)              :V.24
S1L2    M.REF(1,2)              :V.24
S1L3    M.REF(0,0)              :V.24 Card
S1L4    M.REF(???)              :????

Though there is no reference to "Honeypot" Cliff provides a system that is unpatched for the hacker to use and then provides phoney content desired by the hacker.
Dirk Broginski, and Peter Karl, Karl Koch (Hagbard), and Markus Hess (who according to the film, was the guy who broke into the LBL machines) who was a programmer from Hannover.
Pub in Germany where the group of ackers met: Kaiser Pub
Volker Ulak (FIXME: Spelling of name) meets with Clifford in the film near the end at the Kaiser Pub.
See my review of the film 23 - Nichts ist so wie es Scheint on the useless trivia page for a movie "based on many facts" from the same story, but from another side in Germany.
(C) 2006, 2005, 2004, 2003, 2002, 2001 Passwall.com. Copyright Information: Any of the above content that was created by me may be copied so long as each copy includes this copyright and links back to this site with reference to source and the content not be used for financial gain.
(C) 2006, 2005, 2004, 2003, 2002, 2001 of information included above with explicit credit to people other than me who have submitted documentation, additions, corrections. You will need to get their permission to use their included content.
I do not provide screenshots from movies, or downloadable movies for any films to avoid issues with Copyright infringement. It is my intention to legally provide news, information, trivia, and discussion about films and ensure content is not illegally reproduced. If you control Copyright to any of these movies and will extend to me permission is writing to capture screenshot images to be used on the web, please let me know!
If you have suggestions on additions, feel free to e-mail them to me. Please use valid e-mail addresses so I can reply to you. I like to offer credit to people for their submissions. When you provide your submission, please specify what name should be credited with the information provided and if you would like to have an e-mail link to your address or a URL to your home page.
Useless Trivia: Movie reviews with respect to computer security.