From: jra@news.IntNet.net (Jay Ashworth)
Newsgroups: alt.sys.pdp10,alt.folklore.computers,comp.lang.lisp,alt.os.multics
Subject: The Thompson Login Trojan: The REAL Story
Date: 30 Apr 1995 01:11:47 -0400
Organization: Intelligence Network Online, Inc.
Lines: 84
Message-ID: <3nv66j$bi5@xcalibur.IntNet.net>
References: <D5yxwn.5BG@sdf.saomai.org> <WGD.95Apr17091443@martigny.ai.mit.edu> <3mulpf$pte@xcalibur.IntNet.net> <WGD.95Apr17215015@martigny.ai.mit.edu> <D78EvB.Aon@bonkers.taronga.com> <3n0hac$j2s@crcnis3.unl.edu> <fhoward-1904951150130001@139.185.91.236>
NNTP-Posting-Host: xcalibur.intnet.net
Keywords: horse, mouth

fhoward@us.oracle.com (Forrest Howard) writes:
>In article <3n0hac$j2s@crcnis3.unl.edu>, jhesse@herbie.unl.edu (jhesse) wrote:
>> Peter da Silva (peter@bonkers.taronga.com) wrote:
>> : In article <WGD.95Apr17215015@martigny.ai.mit.edu>,
>> : Bill Dubuque <wgd@zurich.ai.mit.edu> wrote:
>> : >"The actual bug I planted in the compiler would match code in 
>> : >the UNIX "login" command..."
>> : I always heard he implemented it but didn't distribute it.
>> What did "it" do?

>Actually I think it was distributed.  Ken talked about it at the 2nd? unix
>users group meeting at columbia.  In my faded recollection I believe he
>said there was code in cpp that
>  
>a) inserted code when compiling login.c (or was it init.c or gtty.c?) that 
>     added code to recognize a particular username/password independent of 
>     /etc/passwd.
>b) reinserted the trojen horse when recompiling cpp.c

Proving that the real Mrs. Robinson stood up.

It occured to me last week that ken@research.att.com is _still_ a valid
address, 25 years later... so I asked.  Here, from Ken himself, is the
Real Story<tm>:

) From ken@plan9.att.com Sun Apr 23 14:42 EDT 1995
) Received: from plan9.att.com by  IntNet.net (5.x/SMI-SVR4)
) 	id AA19375; Sun, 23 Apr 1995 14:42:51 -0400
) Message-Id: <9504231842.AA19375@ IntNet.net>
) From: ken@plan9.att.com
) To: jra@IntNet.net
) Date: Sun, 23 Apr 1995 14:39:39 EDT
) Content-Type: text
) Content-Length: 928
) Status: RO
) 
) thanks for the info. i had not seen
) that newsgroup. after you pointed it
) out, i looked up the discussion.
) 
) writing to news just causes more
) misunderstandings in the future. there
) is no way to win.

[ note: I asked him if he minded my posting the reply, he had no objection ]

) fyi: the self reproducing cpp was
) installed on OUR machine and we
) enticed the "unix support group"
) (precursor to usl) to pick it up
) from us by advertising some
) non-backward compatible feature.
) that meant they had to get the
) binary and source since the source
) would not compile on their binaries.
) 
) they installed it and in a month or
) so, the login command got the trojan
) hourse. later someone there noticed
) something funny in the symbol table
) of cpp and were digging into the
) object to find out what it was. at
) some point, they compiled -S and
) assembled the output. that broke
) the self-reproducer since it was
) disabled on -S. some months later
) the login trojan hourse also went
) away.
) 
) the compiler was never released
) outside.
) 
) ken

Everyone: please save this post, so the next time the question comes up,
you can just go look.  :-)

Cheers,
-- jr 'will bug legends for food' a
-- 
Jay R. Ashworth       High Technology Systems Consulting              Ashworth
Designer             Linux: The Choice of a GNU Generation        & Associates
ka1fjx/4    "I minored in babbling in college... and got       +1 813 790 7592
jra@baylink.com     honors in it." --Brian Heath                     NIC: jra3