1997-09-13 - Nuke ‘em ‘till they glow (8)

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: cypherpunks@cyberpass.net
Message Hash: 03156fce22ceb0dfad3e85de7bb1c8484e902035abbf519dad744a3ac25b0ceb
Message ID: <199709132310.AAA00898@server.test.net>
Reply To: N/A
UTC Datetime: 1997-09-13 23:17:05 UTC
Raw Date: Sun, 14 Sep 1997 07:17:05 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Sun, 14 Sep 1997 07:17:05 +0800
To: cypherpunks@cyberpass.net
Subject: Nuke 'em 'till they glow (8)
Message-ID: <199709132310.AAA00898@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain




My contribution to the collaborative future fiction: "The True Story
of the InterNet" by Bubba Rom Dos, et al. 

Enjoy,


Adam
--
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`



The True Story of the InterNet

Part III

Chapter 8

Nuke 'em 'till they glow

Jonathan decadently lounged on the worn sofa swigging Bubbas special
reserve straight out of the bottle.  He burped and tossed the empty
bottle to join the pile of kipple heaped in the corner -- an antique
pentium-II 400 with it's case off, a huge heap of hydrocubes, a couple
of busted flatscreen monitors, some empty pizza boxes.

Leaning against the wall lay Bubba Rom Dos, snoring quietly, and
clutching a half empty bottle of his special reserve.

Jonathan lay back trying to brainstorm a direction to explore to find
an exploitable bug in the Hewlett-Packard Fabasoft faba-code verifier.
He was fast running out of ideas.

The desire to find an exploit had arisen earlier that day when Bubba
Rom Dos had tossed him a hydrocube which contained a particularly
interesting deskfab 6 file.  The file was named "nuke.fab".  He
couldn't rightly see where Bubba could have come into possession of
the file, but Bubba wasn't too forthcoming on the subject, so Jonathan
had contented himself with examining the contents of the 'cube.  He
had quickly become engrossed with the contents.

Jonathan had a selection of bootleg PICS fabrication policy files,
ranging from `under 18 months' (for construction of soft cudly toys
with no easily swallowable parts) up to `military grade IV' (good for
things like Forestry Commision SWAT team issue rocket launchers, and
stealth helicopters etc, if you had a 10m3 volume fabricator and a few
GigaWatts on your electricity meter).  A good indication that the file
was the _real thing_ was that it failed the faba-code verifier with
even military grade IV PICS fabrication rating policy file -- the
verifier refused to 'fab the file because it rightly diagnosed that it
would result in the formation of fissionable material!

(How Jonathan came to be in possession of a military grade IV PICS
fabrication policy file is a story for another time).

Now Jonathan also had a hacked fabber -- it was hacked to completely
by-pass the PICS policy file rating system.  This in itself was
supposed to be impossible, but Jonathan had found that you could
replace the FAPI module signature verifying key embedded in the
flipper policy chip by placing a piece of sticky tape over pin 5 of
the smart card contact and brute forcing the LEAF field which for some
reason seemed to only use a measily 16 bit checksum, which took all of
half an hour to brute force.  You'd have thought they would have
learned and increased the checksum size after Matt Blaze brute forced
the clipper chip LEAF in the tessera cards.  But in fairness,
Jonathan's attack had one extra wrinkle: the sticky tape.  Normally
the flipper chip wrote a count of how many smart cards with failed
checksums were inserted, and alerted the forces of darkness after 3
false tries, but the sticky tape took care of that.  Jonathan supposed
the designers had not considered that someone might place sticky tape
over pin 5, the pin which was used to signal an insertion of the smart
card.

With that hack completed and the flipper policy chip instruction code
manual which the cypherpunks had obtained dumpster diving in the
Mykotronics dumpster, he was in business.  He had then blown a new
EPROM with a `customized' firmware, the policy chip accepted the
`Circle of Eunuchs' FAPI module signature on the hacked EPROM, because
there was now nestling comfortably at the heart of the NSA designed
`tamper-proof' fabber flipper chip a DSS key which read:

	Circle of Eunuchs <coe@dev.null>

The original key had read:

	NSA FAPI signature key <dirnsa@nsa.mil>

So much for NSA security, Jonathan chuckled at the rememberance of
that exploit.

Anyway, for amusement value, and 1.3 MegaWatts of electricity later
(the cowboy had given him a hacked power board account -- phree
electricity, wheee!), Jonathan's industrial grade Hewlett-Packard
deskfab 9GSII fabber had produced a nice matt black suitcase.

Jonathan watched the instructional 3d-mpeg file included on the
hydrocube, and spent a good hour in awe playing with the controls on
the suitcase.  Satiated with knowledge now that he knew how to operate
all of it's modes, he was lying comatose on the sofa wracking his
brains trying to overcome the next hurdle -- how to construct the
perfect way to nuke washington DC.  His plan so far was to spam each
of the `targets' with a word99 macro virus (thanks Bill Gates) in a
document describing his `SFr 10,000,000 campaign contribution' which
automatically spooled a mildly modified "nuke.fab" for fabrication,
and turned off the fabbers status leds through a Hewlett-Packard
firmware bug.  Jonathan had all this down pat.

(The modification to "nuke.fab" in case you were wondering was to put
the suitcase in detonate with no bypass mode, with an initial count
down of 30 seconds).

The problem was -- all those congress-critters were bound to be
running on a PICS fabrication rating below
`national-security-emergency', and so the faba-code verifier would
refuse to load the code.  Worse still the non-hacked HP deskfab models
after mandatory GAF (Goverment Access to Fabbers) was introduced would
narc out the owner to the Feds within minutes, thereby alerting the
dark forces as to what the plan was.

The wall clock now read 3.30am.

Jonathan dozed off to sleep dreaming of glow-in-the-dark
congress-critters.

...

"fifty-eight ... fifty-seven ... " 

Jonathan woke grogily to see a group of people huddled over a
suitcase.  In the middle of the group was Bubba Rom Dos grandiosely
counting down, in between swigging from his bottle of special reserve
and pressing buttons randomly on the suitcases control panel.
Priscilla and Alexis were peering closely at the pretty flatscreen
status display, making sage comments as to what the buttons might do,
for all the world as if they were playing a video game.

Jonathan came to his senses and screamed at the top of his lungs:

	"Nooooo!" 

and sprang to his feet.  He almost fell over again as the effect of
moving that quickly so soon after waking up hit him, his head
swimming.

All heads turned to face him.

"Yaieeeeeeee!" yelled Jonathan, as he rudely barged his way to the
suitcase control pannel, and began franticallly pushing buttons.

After a short panic attack, he calmed down sufficiently to notice that
the display read "no override".  Having absorbed the entire
instruction 3d-mpeg, Jonathan knew what that meant.  The LCD display
read 50 seconds.

Bubba swigged another gulp of his special reserve, and said innocently
"What's the problem?"

Jonathan looked fit to explode, his pulse was racing and his head hurt
horribly, "It's a nuke!" he screamed hoarsely, "and you've just armed
it, and I can't disarm it, and you've got ..." his eyes tore to the
display "45 seconds until you're vapourised."  Priscilla was already
running for the door screaming.

Bubba belched loudly, and looked slightly ill.  Alexis gulped and said
"What now?".

Bubba tosssed the empty bottle of special reserve on to the growing
pile of kipple in the corner, and pulled a fresh bottle from inside
his rain mac.

"Lets think rationally here" said Bubba, calmly, pouring himself a
shot of special reserve, "can't you um disable it, or um, un-fabricate
it or something".

A flash of inspiration hit Jonathan, seeping through his slowly waking
brain (he was not a morning person).

He flashed a grin to Bubba and walloped him hard between the
shoulder-blades shouting, "You're a genius!"  Jonathan then hugged
Alexis lifting her off the ground.

Bubba looked puzzled but pleased.  Alexis looked a little worried.

Jonathan looked at the display pannel on the suitcase "35 seconds".
`No problem' he thought.  He slammed the suitcase shut and practically
threw it in to the HP deskfab 9GSII fabrication bay, and slammed the
door shut.

Then he grabbed the keyboard, and began typing at around 100 wpm.

After a deathly long pause where the terabyte hydro drive light
flickered intermittently, the fab drive hummed to life.  The lights
dimmed with the sudden increase in power consumption.  A few seconds
later the drive light blinked out, and the deskfab fell silent.

"That," said Jonathan, stabbing the screen

-rw-r--r--   1 jon      users   7516192768 Oct  4 10:12 tmp00001.fab

where the words `tmp00001.fab' were emblazoned in green writing on a
black background, "is an armed nuke".


"Now, where was I?" mused Jonathan, and then remembering, rounded on
Bubba, "Uh yeah, just where exactly did you find nuke.fab?"

Bubba made an expansive gesture with his hands, and poured himself
another shot.  Throwing back the shot, Bubba said: "I got it off the
web,", and began searching through the pockets to his rain mac,
eventually pulling a scrumpled scrap of paper from his pocket, and
handing it to Jonathan.  "A kindly elderly gentleman with a 9mm uzi
gave me this address," he explained.  Jonathan looked at the badly
scrumpled scrap of paper, and was just able to make out:

	http://jya.eternity/cryptome/nuke.fab

Jonathan looked puzzled, the initials "jya" looked vaguely familiar to
him from his reading of old cypherpunks posts.  Ah, yes, it was that
Architect guy, John Young, who kept getting into trouble over hosting
materials that the feds didn't like.  So he was using the eternity
service now.


Now the panic was over Jonathan resumed his position on the couch,
allowing himself to recover from the previous nights hacking session.

"Say Bubba," Jonathan said with his eyes closed, "do you have any
ideas of how to by-pass the Fabasoft faba-code verifier on an HP
deskfab?"

Bubba finished his mouthful of strong spirits, "Huh?  Wassat you say?"

Jonathan explained to Bubba and Alexis the events of the night before
and of the plan to nuke washington DC, and party-way through Priscilla
returned, looking a bit sheepish for deserting them at such a crucial
time.

"So," said Alexis, "You used the deskfab to copy the armed nuke, hence
disabling it?"

"Sure, that's a standard function", said Jonathan, "it's a bit like a
3d photocopier, only you can set it to unfabricate the object being
copied at the same time."

"Well," pressed Alexis, miles ahead of Jonathan, and not needing the
mini-lecture on deskfab functionality, "couldn't you copy a deskfab?"

Jonathan opened his eyes from his inert position on the couch.  "Uh, I
dunno, yeah I suppose so...."

Then Jonathan saw the light, a second time that day: "Heh, yeah,
okay!" he enthused, "that's a cool idea Alexis."


Alexis and Jonathan excitedly started unplugging the deskfab from the
unix box.  

"Carry these," said Jonathan and thrust upon Bubba a laptop, the
hydrocube containing tmp00001.fab, and a bundle of interface leads.
Jonathan and Alexis proceeded to lug the desk fab out back, and down
into the basement.  Bubba and Priscilla followed puzzled as to what
the excitement was.

In the basement was an ancient looking Sun unix box.  The screen was
one of those huge glass tube affairs.  Beside it sat what looked like
a refridgerator with clunky looking dials on it.

Jonathan powered up the Sun box.  Suprisingly enough it actually
booted, and 10 minutes later, after an agonisingly slow process where
it went through checking (fscking) all it's ancient hard drives, which
wirred and clicked noisly, it came up, and the prompt said:

Welcome to toad.com

login:

Without hesitation, Jonathan logged in as `gnu', and immediately typed
in a password.  He was in.  Bubba and Priscilla exchanged glances.
Jonathan explained, "I shoulder surfed the password when John logged
in when I was at the physical cypherpunks meet in my grandpas study
all those years ago."

"This," he said patting the minifridge sized machine humming noisily
in front of them, "is his old machine, `toad.com', old home to the
cypherpunks list."

Next Jonathan lugged his deskfab into the refrigerator affair, which
apparently was an antique deskfab, sat the lap top on top of it, and
hooked the laptop up to the deskfab, and inserted the tmp00001.fab
hydrocube into the laptops hyro drive.  Then he wandered off in search
of a portable power source.  He came back lugging an emergency power
module `liberated' from the electric company at some point in the
past.

He hooked-up the power module to the HP deskfab.

"Now," said Jonathan, "the timing on this is a bit delicate", I think
there's only around 20 seconds left on the nuke.

Jonathan set the laptop on time delay to instruct the deskfab to
refabricate the primed nuke with 20 seconds left to pop time, but not
to start doing that for around 1 minute.  Then he slammed the
refrigerator sized fabricator door shut, and began typing in earnest
on toad.com.  The refrigerator started humming, and toad.com's drive
started buzzing frantically.

"Gee I hope the transfer rate on these mechanical drives is good
enough to copy it before it fabricates the nuke", opined Jonathan.

Jonathan started typing again.  "Shit! we're gonna run out of space!"
he said.  And started typing frantically rm -rf'ing anything that
could be rm -rf'ed without stopping the machine.  He rm -rf'ed
/usr/src, and /usr/spool/ and a bunch of other stuff.  He made it with
half a gig or so spare, and who knows how few seconds to spare.

The refrigerator-sized deskfab stopped humming, and the hum of the
contained HP fabber had stopped too as it had been rudely unfabricated
by the antique fabber.

Jonathan was pleased with himself now.

"That," said Jonathan, with a stabbing motion

-rw-r--r--   1 gnu      users   8589934592 Oct  4 10:42 donation.fab

where the words `donation.fab' were emblazoned on the clunky glass
screen, "is a freshly fabricated top of the range HP deskfab 9GSII,
which is just about to fabricate a suitcase nuke, which will pop a few
seconds after being fabricated".

"But will it pass the faba-whatsit verifier?" asked Alexis.

"Er are you sure this is a good idea?" asked Priscilla.

"Of course it is," said Bubba.

"That's a good question Alexis," Jonathan said ignoring the other
chatter, "I'm not real sure.  I think it should pass because, well,
the faba-code verifier isn't _that_ smart, right.  I mean to realise
that it will build a HP deskfab, which just happens to have freshly
downloaded instructions to build fissionable material patterned into
it's memory modules, I mean that's like solving the halting problem
right?"

Bubba cleared his throat, "If I might make a suggestion here", he
said, "now that the high falutin' theoretical stuff is out of the way,
the obvious thing to do is try it and see."

"A splendid suggestion", said Jonathan, begining to type once more,
"very good Bubba, the empirical hackers approach."

So Jonathan tried it, and saw.  He typed:

To: cypherpunks@cyberpass.net
Bcc: president@whitehouse.gov
Bcc: freeh@fbi.gov
Bcc: feinstein@congress.gov
...

Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_01BCB88F.57968E50"
Content-Transfer-Encoding: 7bit

This is a multi-part message in MIME format.

------=_NextPart_000_01BCB88F.57968E50
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit


Hello,

Please accept our campaign donation of SFr 10,000,000 in used swiss
francs.

Just double click on the enclosed attachment in your mail reader, and
it'll print out the donation file attached in an HP compatible fabber.
You'll need quite a large fabber, as SFr 10,000,000 is quite bulky.

Kind regards,

The Circle of Eunuchs

------=_NextPart_000_01BCB88F.57968E50
Content-Type: application/octet-stream; name="donation.fab"
Content-Transfer-Encoding: base64
Content-Description: donation.fab (DeskFab 6 Document)
Content-Disposition: attachment; filename="donation.fab"

AasdfAAzxcvAAA1234AA0M8R4KGxGudfghAApoiuAAASDFAertyAPgADAP7/CQAGAsdfgAwrtfAA
zxcvAAA1234AA0M8R4KGxGudfghAApoiuAAASDFAertyAPgADAP7/CQAGAsdfgAwrtfAAdfAAzef

[snipped to save space]

4AA0M8R4KGxGudfghAApoiuAAASDFAertyAPgADAP7/CQAGAsdfgAwrtfAAdfAAzefzxcvAAA123
------=_NextPart_000_01BCB88F.57968E50


Bubba, Alexis and Priscilla wandered back up stairs to wait and see,
whilst Jonathan sat working on a strategy of how to edit the
donation.fab file to get back his laptop, and the top of the range HP
deskfab 9GSII without also nuking himself.  He reckoned all he'd got
to do was edit out the memory module from the deskfab, by editing
donation.fab, and then he'd have it all back with out the nuke.

Jonathan become engrossed in the task at hand.

...

In a splendidly appointed, luxurious penthouse suite, rich in the
trappings of wealth and power, in the heart of Washington DC, a
bloated congress critter was eating well at the trough.  His whores
were attentive, dressing him for breakfast, and he had just been
bribed $1,000,000 by a telephone company special interest group to
throw a few billions in corporate welfare their way.

And that was just before breakfast, before he had even got out of bed!

Now it appeared he had something he should attend to urgently
something that had come on his `email address' what-ever one of those
was.  A minor aide bustled in.  The aide seemed quite excited, and
explained in fawning tones that a special interest group had mailed
him lots of Swiss Francs, SFr 9,000,000 in fact, but that there was
something strange...  there was no request for favors.  He said it was
just being printed out now, and perhaps there would be a note with the
money.

The congress critter, puffed contentedly on the hookah which one of
the whores had lit for him, hmm, yes he could see that this was going
to be a good day.

<Fade to blinding white light>






Thread