Path: utzoo!utgpu!water!watmath!clyde!rutgers!ames!ucbcad!ucbvax!hplabs!sdcrdcf!ism780c!mikep
From: mikep@ism780c.UUCP (Michael A. Petonic)
Newsgroups: comp.misc
Subject: Re: Trojan Horse a Myth?
Message-ID: <8192@ism780c.UUCP>
Date: 10 Dec 87 09:42:16 GMT
References: <459@gtx.com> <405@tardis.cc.umich.edu>
Reply-To: mikep@ism780c.UUCP (Michael A. Petonic)
Organization: Interactive Systems Corp., Santa Monica CA
Lines: 30

In article <405@tardis.cc.umich.edu> shane@pepe.cc.umich.edu (Shane Looker) writes:
>I have a friend who wrote a Trojan horse login screen on a TOPS-20 system
>(or was it a TOPS-10?) several years ago.  A friend of his managed to collect
>a large number of logins and passwords before they caught him.

It's really simple to do.  In fact, if you're using UNIX, it even easier
to do than on a TWENEX system.  

I did the same thing when I was a summer hire for the at an Army post.
It was on a VMS3.x system and got me SYSTEM priveledges.  Also earned me
a dubious reputation.

On VMS, I had to kludge it, and say that the user typed in an incorrect
password and then exit (silently, of course) and let the REAL login
come out.  This was the tattle tale of the technique.  If you bombed
out of the login when you KNOW you typed the password right.

Oh yeah, it was all done with a command file, not in C or any other
compiled language...  Shows you how simple it was.  

I think the generic term for these devices are called "Password Snatchers".
See, it's so easy to think of that there's even a generic name for it...

-MikeP
--------
Michael A. Petonic   			(213) 453-8649 x3247
INTERATIVE Systems Corporation		"My opinions in no way influences
2401 Colorado Blvd.			the price of tea in China."
Santa Monica, CA. 90404
{sdcrdcf|attunix|microsoft|sfmin}!ism780c!mikep