Hacking 2600 Magazine Authors

by Agent Smith

I've been reading 2600 Magazine for a long, long time.

One thing that's remained constant over the years is that people feel the need to identify themselves in the magazine.  Everyone's got to have a l33t nick name, shoutz out to their budz, something that their friends will recognize.  Sure, it's human nature to want to be known, to grab your 15 minutes of fame - but at what cost?

I work for a company that is large enough for some of you to recognize.  Call it "Metacortex."

And a while ago, I happened to spot a hack in the pages of 2600 that involved a weakness in my company's computer systems.  I thought to myself, "Well, it's always bad to see your company in 2600 but as it had nothing to do with my area (and did not directly involve outright theft from the company) I carried the thought no further.

A month or so later, my friend and coworker Jones came to me and said, "Did you see our company is in 2600?"  I answered yes, I had.

He pointed to the the2600one@hotmail.com address in the byline and said, "I'd like to try to find this guy, but how do you find someone who has a Hotmail address?"  Never one to shy away from a direct challenge (and wanting to show off in front of Jones), I pulled up Firefox.

First stop: Google, of course.  But the email address provided turned up nothing, as did a simpler search for [the2600one].

Other search engines came up short as well.  Hmm...  What about newsgroups?  Bingo!

Google groups turned up two matches and they both contained taglines that read very much like "I'm the2600one@hotmail.com, but you can reach me at neo2600 on AIM."

Now I was getting somewhere.  I had an alias that was much more likely to be "findable."  A search for neo2600 in Google Groups came up with several rambling posts, but it was a web search in Google that turned up some really good hits, including a Blogspot entry that referred to an AIM friend as neo2600.  That was directly linked to a Blogspot entry for neo_the_one himself.

Journals are a great place to dig.  People love to write about themselves.  On his user profile, I found he lived in Capital City, his birthday was March 11, 1962, and he had another email address: tanderson@famouscollege.edu

T. Anderson - could it really be that easy?

Phonedex.com showed me several dozen "T. Andersons" in Capital City, but there were too many to call.  I scratched my head for a minute, then thought about everything I'd seen.

His hack showed a fairly deep exploration of our company systems - too intimate for an ordinary member of the public.  What if it was written by a bored employee who had all the time in the world to explore the system?  A quick trip to the employee database revealed that we had an employee named "Thomas Anderson" working at our Capital City location and his birth date was March 11, 1962.  Game over.

Total time from idle curiosity to totally busted?  15 minutes.  Agent Jones was suitably impressed.

I was seriously thinking about calling Mr. Anderson at home and offering him a job on my team.  Someone who could dig in and find that info obviously has some talent and maybe I could use him as a penetration tester.

At least I could buy him a beer or something.  But my friend reminded me of a little problem: this guy identified a security hole at work, but he didn't tell anyone at work about it.

Instead, he wrote about it publicly in 2600 Magazine.  He had already proven himself untrustworthy.

The more I thought about it, the more pissed off I became.  My buddy finally said, "Let me call my friend in the security group."  One phone call later and they were drooling.  They'd been trying to find this guy for two months with no success!  They had me forward the details of my search to them.  They also told me not to make contact with Mr. Anderson as they still hadn't fully fixed the problem.

Mr. Anderson had violated very basic rules that every animal instinctively knows: don't shit where you sleep and don't bite the hand that feeds you.  So if you're thinking about posting a weakness at your place of employment, try turning it in to your security team first.

If you're afraid of repercussions, do it semi-anonymously via Gmail or Hotmail.  While I don't like the thought of busting someone for a bit of harmless hacking, I seriously hate disloyalty.

Thus began a new little hobby of mine.

How many 2600 authors could I identify or, more accurately, how many 2600 authors identify themselves?

If you play the home version of the game, you'll soon find out what I did: most authors aren't hiding themselves very well, especially the people who profess to be posting hacks about their own workplaces.

My advice to all you budding hack authors is this: First, if you find a weakness at work, don't tell 2600 about it until you've given your security people the chance to fix it.  You can still bag credit for the hack later, but at least you acted responsibly with it.

Finally, if you absolutely must sign your article with a disposable email address, for God's sake dispose of the email address.

As for Neo?  As with every security or law enforcement group, they'll never tell you how things turned out.

Of course, that didn't stop me from checking Neo's blog later, where he eventually posted an angry rant about the feds showing up at his door and his getting fired.  Cry me a river, Neo, you bit my master's hand.

Shouts to Agent Jones and Agent Brown.  You don't need to know who they really are, but I'm planning to buy them each a copy of this magazine and circle this article.

All names, aliases, dates, and places have been changed.  Not because I care about Neo, but because I really don't need you to backtrack this article to me and Metacortex.