MetaFic

So, I decided I wasn't going to comment, 'cause I didn't have any ideas, but then my brain started going over the security measures that I've seen.

One access control method that I've seen is the use of what's called a Crypto-Card. The user has a PIN which he enters. The cryptocard then gives a temporary password, which is only valid for one minute. The user has to enter that temporary password within the valid time-frame. The accessed computer compares the username and the temporary password to a set of software routines that is synched with the crypto-card. If valid, access is granted. If the user messes up three times within a certain time-frame, the account is locked for a half-hour or so, to keep automated cracking methods from getting a shot.

Another possibility is an entirely local network. For example, a user will have a computer on a network which is connected to the outside world (protected by the above-explained method). Inside his office, he also has another computer which is on a local-only network, meaning there are absolutely NO connections to the rest of the world. This computer has a normal name-and-password setup.

So, I'm envisioning H/G having to crack the first system, set up magical replicas of the crypto-card and what-not, then hack into the user's outward-enabled machine. From there, they'd need to do some pretty fancy magic to reach from that computer over to the other, local-network-only computer, crack that username/password, to get into what they really want.

Anyway, just some ideas. . .

One thing that might help in a lot of cases is a sort of magical recording device. It could be a charmed object, a small creature, or any number of things. The point is that the device would create a memory of its surroundings, which could then be viewed in a Pensieve. Canon shows us that Pensieves can fill in information that the original viewer did not directly see or pay attention to, so the monitoring device need not be terribly smart or well-positioned relative to the computer. If you had one of these devices set up in the same room as a computer during a day or three of normal use, you'd probably acquire memories of all the relevant passwords and security measures. That wouldn't help you with the crypto-key method DukeBrymin mentioned, but it would give you a lot of other information.

This also dodges the issue of casting spells on computers, which I think would probably cause problems. If technological devices don't work at Hogwarts due to all of the magic in the area, then I think it's logical to guess that a spell cast directly on a computer (with thousands of individual electronic bits) would have unexpected results.

I wonder how much of this security was around 10 or so years ago?

Aside from that, I'd assumed that there were layers of security to work through and part of me is thinking that they'd be able to compromise one level at a time over a period of time and remain undetected. That way they'd be able to keep the final and riskiest part until they were sure they had bee undetected.

Thanks for your help.

I already have them using 'worms' that are a combination of Arithmancy and charms to get into a system. I might expand the fauna to include higher life forms that would be able to perform more complex functions. I have the most complex worm so far able to digest its surroundings and then excrete that onto a hard drive.

Our heroes are not in the magical world and therefore don't have access to a pensieve but I agree that it could be used in such a way.

Thanks for your input on this I'll see if my brain can respond creatively to it.

I suppose it depends on what type of data you are trying to access, how much access you need and what you want to do with it... are you just trying to access a specific person's account? Or do you want access to all the account data? Are you interacting with the interfaces provided or trying to access the data directly?

If I was trying to hack an ATM with magic and I just wanted cash, I'd not bother hacking the accounts, I'd just find a way to trigger the cash delivery electronics... If I wanted to access a specific person's account I would make the machine think I had put their card and pin number in and take things from there.

I actually use the a system DukeBrymin describes above to access my online banking, though I have never heard it referred to as crypto-card before. I have a security token that I carry around with me on my key ring. When I want to access my online banking I enter my access-id (username) and PIN code (password) and press a button on the security token. It then displays a 6 digit number which I also enter in the online banking system. What this gives me access to, is my specific account and the functions that the online banking interface allows for. A while back my bank extended the use of this system so that any time I want to add an new account to the list of accounts I can transfer money to, I have to use the token for that as well.

In terms of networks there are a number of techniques used to lock out computers that are not authorised. On my local wireless network for example I use encryption, and address locking. I also set it up not to announce itself to anyone scanning for a wireless network.

Address locking is very simple. Every computer on any network has a unique address. I've set up my router with a white list, and only the computers with the addresses specified on the white list can get in. I recently replaced one of my computers, and it took me a while to get the new one connected to the network because I forgot to add it to the access list. :-)

Encryption can used on both data being transmitted and data being stored. The main idea behind current encryption systems is to use keys so long that a brute force attack would take too long to execute using existing technology to be useful. I've heard it said of quantum computing that it would make existing encryption techniques obsolete because with it you could try every single possible key simultaneously, so if I was going to try to use magic to break into encrypted data, that's the approach I would probably use.

Things like Virtual Private Networking allow for transmission of private data over a public network (e.g. the internet) They do that by creating an encrypted connection between two computers called a tunnel, then treating the data coming through the tunnel as if it was coming from a computer on the same local (private) network.

I hope this gives you some ideas.

- SC

Wow! A wealth of info there.

The low level hacking they've done, but their plans, world domination, revenge etc, require more cash that a few hundred Francs at a time will give them, hence the need for access to a banks systems.

Much food for though and my mind is buzzing with ways our heroes can charm their way through all that.

Thanks

Couple of notes:

I spent a heck of a lot of time learning the networking and computer hardware in the early 90s due to a stupidly long medical recovery I did about that time. Some of it was job related (ie: how to hack X.25 or frame relay nets,etc)

ATMS in the 90s were rare-ish around britain outside the major cities, until later in the decade where they started popping up like mad. No idea why. Just like pizza delivery was unknown at that same time. (I have some great stories about phone conversations regarding that) In Scotland I found them just about everywhere from small hamlets to large cities for whatever reason. I think I was at a wedding in Scotland at a castle in.. 92? and I recall them everywhere. (I also recall the stupid candy bars were all back-ass-wards from what I knew for each name. VERY confusing) There WAS a massive uptake on 'smart carded pay phones' about then though, ALL over the UK. You could still red-box them though.

Cryptocard is a trademarked security token for computer/network logins from a Canadian company named Cryptocard. (http://www.cryptocard.com/) They are about 15 years old, even though the company is about 20ish. They have a couple of modes of useage from PIN number and one time password, to challenge/response modes. I've used and done some programming for them if anyone cares.

There are quite a few brands of hardware authentication tokens for this type of thing. In the mid 90s they would have been VERY rare outside government and military useage.

If you are thinking about mid-90s computer security you have to understand that in Britain, BT-Tymnet really didn't link up a heck of a lot until later in the decade, WELL after the Internet commercialization explosion that occured in the US. (and they sold it to.. MCI? Worldcom? about 93/94ish) This was mostly due to the way that public networks, broadcasting, and licensing worked in the UK.

In other words: not a heck of a lot was networked around Britain in the mid 90s, outside universities and government research labs. Much like the US in the early 80s (uunet, bitnet days) There was some TINY ammount of X25 and later Frame Relay, but no 'internet' as we know it. Banks connected directly to their main branch via modem.

Depending on what it is you want, the suggestion about triggering the ATM's mechanisms makes the most sense for small things. Larger hacking in the early/mid 90s would be fairly trivial. Re-write account data to show a new account with large balances and do money transfer and pickups at branches. It WOULD eventually be caught due to the way accounting was done back then. People actually verified machine #s for many years.
Banks generally weren't worried about hackers back then as everything was done on 'leased lines' from point to point (ie:bank to bank) on the equivilent of a high speed phone line. There was no 'outside' to worry about hackers getting in from! One had to T-tap the line and do something with/to the data stream that was moving between locations, then modify the data to add things or change things in the stream AND change the CRC on both ends.

Now by 2002 things were VERY VERY different on the other side of the pond.