I told this story in the network security class I've been teaching this semester. They enjoyed it and figured I might as well type it up for the blog... you know, so everyone else can consume, ingest, etc. the story.

It was in 1994, about sixteen years ago, my wife and I started dating. We had met online, long before eharmony.com or other online dating services appeared on the Internet. It wasn't via an online dating service, we had both been invited into a kind of virtual party line application on the VMS computer system at Utah State University. A program called PHONE separated the screen into regions, one for each person on the "call." Each participating user could see what they and everyone else was typing in real time. What happened with Christine and I was that we were both involved in a call with about six people or so and then everyone left except us. The rest is, as they say, history.

But that's not what this story is about.

Anyway, as Christine and I started hanging out, she explained that one of her best friends had accepted a scholarship to study math at a small private college in the northwest. This school had a student body of around 2,000 students. Where USU had a cluster of DEC Alpha systems running OpenVMS to serve as a central computing system for around 20,000 students, faculty, and staff, this small college had a Sun Solaris Unix system that students logged into to send and receive e-mail and perform other central computing tasks.

At the time, my future wife and her friend had figured out a way to communicate electronically with each other in a manner more interactive than electronic mail. Christine knew her friend's password on the Solaris system. Christine would telnet into her friend's account at a prescribed time and they would chat using a program called 'talk,' similar to PHONE on the VMS system.

I knew Unix pretty well then. I taught Unix system administration courses for a private training company in Salt Lake City in 1992, had worked as a systems administrator for a couple of companies, and spent a lot of time working in Unix labs on campus. When I found out Christine knew her friend's password and had gotten to know her friend a little bit, I started forming an idea for an incredibly funny, albeit cruel, geeky prank to pull.

To understand the impact of this practical joke, you have to understand how these computer systems were used back then. The World Wide Web was only barely in use then. The venerable Netscape Navigator Web browser wasn't to be released for several months. E-mail users at USU and at Christine's friend's school used text-based e-mail applications. To access and run these applications, users would use a telnet application to connect to the system and then type in the name of the e-mail application (pine, elm, VMS Mail, etc. Even Mutt -- now a favorite among text-based mail applications -- wouldn't be released until the next year.

Christine's friend, like many at Utah State as well, would go into an on-campus computer lab, boot up a computer, probably running Microsoft Windows 3.1 or Mac OS, and then run a telnet client (most at USU used MS-DOS Kermit because its principal author worked as a professor at USU) to connect to the system where the e-mail application ran.

Telnet has long since been replaced with SSH as the preferred way to log into a remote computer system. Telnet sends all data over the network unencrypted including all login credentials like username and password. Anyone who could intercept (or listen to) traffic between one computer and another could get everything, usernames, passwords, entire e-mail messages, conversations, you name it.

When you telnetted to a remote system, you would generally be prompted for your username and then your password. If you entered the right information, you'd usually then see a command prompt. That's where you'd type in 'pine' or whatever program you wanted to run.

Sometimes, there would be system scripts that ran before you saw the command prompt. The most common would be one that required you to change your password at certain intervals.

Now, back to the joke. I worked for a couple of hours on a shell script that we could upload to Christine's friend's account that would get run automatically the next time she logged in. The script would display something like this:

Your password has expired. Please choose a new one.
New Password: 

Now, this is where things started to get a little tricky. A real password changing application would not echo the characters typed back when the user typed in a password. My script had to turn off the behavior that normally echoed characters back. This wasn't that hard. I just had to use the 'stty' command in the script to turn the echo mode on and off.

The script notified Christine's friend that her password had expired and asked that she choose a new one. If I wanted to be really, really evil, I could have captured her password as she typed it and filed it away somewhere, but this was just about fun. After she typed in the password, like any good password changing program, the script asked her to type the password again.

Then, the script said her password wasn't long enough and prompted her to enter a longer password.

Then, it said her password didn't contain the necessary assortment of characters, numbers, and special characters.

Then, it called Christine's friend by name and said, "Oh come on, you can do better than THAT!" and gave her another chance.

I don't remember how many iterations it went through, but it was at least 4 or so. Then, when it was all done, it removed the directive that made it run when she logged in and deleted itself.

A few hours later, we caught up with Christine's friend and confessed. She was still frustrated, but began to see the humor in the prank we had pulled on her. She explained that others in the computer lab were puzzled as to why she was yelling so much profanity at her computer screen.

Good times. Good times.