The Princess Hack
(With all respect to Rob Reiner.)
Internet, a Linux machine named Buttercup has been compromised by an attacker who uses the handle Hackini. A completely separate attacker, who uses the name Dread Pirate Hacker, also breaks into the same system.
Quickly, the attackers notice each other's presence. Using the "write" command, Hackini (H) and the Dread Pirate Hacker (DPH) chat with each other. Also, they use the ttysnoop program to monitor each other's keystrokes.
The following chat session ensues:
H: You're trying to hack what I have rightfully stolen!
DPH: Perhaps an arrangement can be reached?
H: There will be no arrangement!
DPH: Well if there can be no arrangement, then we are at an impasse.
H: I'm afraid so. I can't compete with your computing resources, and you're no match for my brains.
DPH: You're that smart?
H: Let me put it this way: Have you ever heard of Bellovin, Schneier, and Spafford?
DPH: Really? In that case, I challenge you to a battle of
wits. Look at these scripts, but do not execute them. The script GobletA is in your home directory, and GobletB is in mine.
(H views the programs using the "less" command.)
H: They look pretty innocuous.
DPH: One program is indeed innocuous. It merely waits for 5 seconds and executes the ls command. The second script, on the other hand, waits for 5 seconds, deletes the account of whomever runs it, and logs
him out of the system. Whoever runs the first script will maintain control of the machine. Whoever runs the second script will be shut out, allowing the other to keep control. First, you have to stop running TTYsnoop as
I swap around the goblet programs. Then, you can restart TTYsnoop and run this "GobletCheck" program to verify that the goblets are indeed as I have described. Then, our battle will begin.
H: I accept.
[H looks at
the GobletCheck script. It simply prints out the contents of GobletA and GobletB, in a random order. That way, H can make sure that one scripts contains the ls command, while the other contains the logout commands.
After reviewing the code in GobletA, GobletB, and GobletCheck, H then shuts down TTYsnoop, while the Dread Pirate Hacker moves the scripts back and forth. H restarts TTYsnoop and runs Tripwire to ensure that the ls
program hasn't been tampered with. After getting a clean bill of health from Tripwire, H runs GobletCheck. Sure enough, one program is simply just a pause followed by "ls", while the other deletes the account and logs
out its user.]
DPH: All right. Where is the poison? The battle of wits has begun. It ends when you decide and we each execute a program, and find out who is right...and who is gone.
it's so simple! All I have to do is
divine from what I know of you. Are you the sort of man who would put the poison into his own home directory or his enemy's?
Now, a clever man would put the poison into his own directory, because he would know that
only a great fool would reach for what he was given. I am not a great fool, so I can clearly not choose GobletA. But you must have known I was not a great fool, you would have counted on it, so I can clearly not choose
DPH: You've made your decision then?
H: Not remotely. You have logged in from Australia, and, as everyone knows, Australia is entirely peopled with criminals, and criminals are used
to having people not trust them, as you are not trusted by me, so I can clearly not choose GobletB.
DPH: Truly, you have a dizzying intellect.
H: WAIT TILL I GET GOING! Where was I? And
you must have suspected I would have known your login origin, so I can clearly not choose GobletA.
DPH: You're just stalling now.
H: You'd like to think that, wouldn't you? You've beaten my
difficult-to-crack password, which means you have access to vast computing resources, so you could've put the poison in your own home directory, trusting on your sheer computing horsepower to crack back in, so I can
clearly not choose GobletB. But, you've also bested my non-executable system stack, which means you must have studied, and in studying you must have learned that man is mortal, so you would have put the poison as far
from yourself as possible, so I can clearly not choose GobletA.
DPH: You're trying to trick me into giving away something. It won't work.
H: IT HAS WORKED! You've given everything away! I KNOW WHERE THE POISON IS!
DPH: Then make your choice.
H: I will, and I choose—What was that?! Who just logged into the system?
[As DPH runs the "who" command to see who is logged in, H swaps the contents of GobletA and GobletB.]
DPH: What? Where? I don't see anyone.
H: Well, I could have sworn I saw something. No
matter. Let's run our scripts: me from my home directory, and you from yours.
[H runs GobletA, and the DPH runs GobletB.]
DPH: You guessed wrong.
H: You only think I guessed
wrong! That's what's so funny! I switched scripts when your back was turned! Ha ha! You fool! You fell victim to one of the classic blunders! The most famous is never run an operating system with "." in the default
PATH, but only slightly less well-known is this: always check suspicious programs before running them!! Ha ha ha ha ha ha ha!
[Despite his laughter, H is suddenly logged off of the system. He has lost all access to the machine.]
1) How did DPH set up the system to win the challenge? Assume that Tripwire and the CheckGoblet script worked flawlessly.
2) How could H have detected the action you describe in your answer to Question 1?
3) How could the system have been configured so that the technique you described in Answer 1 won't work for either DPH
4) What tools can be used to implement your answers for Question 3?