Writing

Software, technology, sysadmin war stories, and more.

Wednesday, June 13, 2012

Do not cross the computer lab's TA

I used to TA for a computer teacher, and as such, had to worry about maintaining the lab computers. They were a bunch of XTs and ATs running some flavor of DOS, and many of them were on our school network. We were starting to have problems with infected disks traveling around, so I decided to do something about it, and installed one of those McAfee tools which would scan things on the fly.

This obviously slowed down the machines which weren't so fast in the first place, and some of the kids did not like this. I noticed that my edits to autoexec.bat would keep disappearing from certain systems, but we could never pin it down to an exact date or time, so the administration refused to do anything about it. They didn't want to accuse the wrong kid, or something like that.

I decided it was time to turn up the heat, and marked the startup files as read-only with "attrib". To edit those files after that, you'd need to do something deliberate to re-enable it. I was trying to build a case that these little annoyances were going out of their way to mess up my machines.

Well, that didn't really work, either. This little weenie knew about attrib and just used it to open things back up, and pulled vshield out of the autoexec.bat. I responded by removing attrib from the machine and replacing it with something of my own design. All it did was flash the screen, make an awful noise through the speaker, and send all-bits-on characters to the printer. The idea was to make an awful racket, since those dot matrix printers were anything but quiet.

Apparently the trail was getting warmer, but that wasn't enough. This little twit realized attrib was off the menu, so instead he started using ren and/or rename to slide autoexec.bat out of the way. After all, if you can't change it, just move it!

This time, I couldn't just replace the binaries since REN and RENAME were primitive commands inside the command.com interpreter. Still, they were just strings in the binary which had to match, so I went in and renamed the rename commands. Yep, I hex-mangled command.com so that REN became some other 3-character sequence, and RENAME turned into some other 6 characters (I think I used BEAVIS).

With those out of the way, I put my noisemaker program on the machine as ren.exe and rename.exe, confident that it would fire off the next time he tried his same tricks. This time, I added something extra, though. It would dump the time and date to a file on disk, and it did this before doing anything else. In other words, by the time you saw it flash, heard it wail, or noticed the printer revving up, it was too late.

Here, have a good chuckle at the stuff I used to write back then. Warning, Turbo Pascal ahead:

  assign (tf, 'c:\ncsa\log');
  {$I-}
  append (tf);
  dummy := ioresult;
  {$I+}
  if dummy <> 0 then
    rewrite (tf);
  getdate(y,m,d,dow);
  gettime(h,min,s,hund);
  writeln(tf, m, '/', d, '/', y,' ',lz(h),':',lz(min),':',lz(s));
  close (tf);

lz() was just a function to stick a leading zero in front. For what it's worth, I don't know why I was inconsistent with spaces before parens and certain args. If I had to guess, I'd say I wrote it in a rush one morning and didn't care about making it look pretty.

Anyway, this finally did the trick. I was able to bring up the log, demonstrate that the clock was in fact sane on that machine, and let the principals do the rest. The problem stopped shortly thereafter.

It's too bad that I was still just "thinking locally" back then, and hadn't really gotten into any network programming at that point. It would have been far more interesting to kick off an alert over the network to the teacher's machine and then have it wait for a command. She could have commanded it to start making noise, just lock up (so he'd have to reboot it, and the POST noises would be obvious), or drop to a fake DOS prompt.

It might have been really fun to just wire the machine to a relay closure which would connect the raw utility power through to some exposed contacts in the keyboard.

Mess with my autoexec.bat, will you? ZAP!