Advent of Computing - Episode 142 - OS and JEDGAR
Episode Date: October 13, 2024This time we are diving back into the Jargon File to take a look at some hacker folklore. Back in the day hackers at MIT spent their time spying on one another's terminals. That is, until some intrepi...d programmer found a way to fight back. Selected Sources: http://www.catb.org/esr/jargon/html/os-and-jedgar.html - OS and JEDGAR https://github.com/PDP-10/its - ITS restoration project
Transcript
Discussion (0)
This story says a lot about the ITS ethos.
On the ITS system, there was a program that allowed you to see what was being printed on someone else's terminal.
It spied on the other guy's output by examining the insides of the monitor system.
The output spy program was called OS.
Throughout the rest of the computer science world, and IBM too, OS means operating system.
But amongst old-time ITS hackers, it almost always meant output spy.
OS could work because ITS purposefully had very little in the way of protection
that prevented one user from trespassing on another's areas.
Fair is fair, however. There was another program that
would automatically notify you if anyone started to spy on your output. It worked in exactly the
same way, by looking at the insides of the operating system, to see if anyone else was
looking at the insides that had to do with your output. This counter-spy program was called Jedger, a six-letterism pronounced as two syllables,
Jed-ger, in honor of the former head of the FBI. But there's more. Jedger would ask the user for
a license to kill. If the user said yes, then Jedger would actually gun the job of the loser
who was spying.
Unfortunately, people found that this made life too violent,
especially when tourists learned about it.
One of the system's hackers solved the problem by replacing Jedgar with another program that only pretended to do its job.
It took a long time to do this because every copy of Jedgar had to be patched.
It took a long time to do this because every copy of Jedgar had to be patched.
To this day, no one knows how many people never figured out that Jedgar had been defanged.
From the Jargon File, version 4.4.7, via catb.org. Welcome back to Advent of Computing.
I'm your host, Sean Haas, and this is episode 142, OS and JEDGER.
This is part of our continuing Spook Month 2024 bash, so, as is the format this year,
this is going to be a short and somewhat spooky episode.
Today, we're returning to one of my favorite topics, hacker folklore.
These are the stories that have been spoken quietly in machine rooms and passed around networks since,
well, I would like to say since time immemorial, but it's more like since the 1960s.
The story I just read to you, and the one that we'll be
discussing today, is commonly known as OSN Jedgar. It comes to us by way of the Jargon File, a
classic repository of hacker culture. Over time, the Jargon File has been changed and updated. It's
very much a living document. Over the years, new words were added to the lexicon,
less used phrases were dropped, and in the 90s, an appendix called Hacker Folklore was added.
The more modern format is basically a dictionary followed by appendices with stories.
The version of OS and JEDGER that I read in the opening is from the latest version of the file, maintained on Eric Raymond's
website, catbee.org. It's one of these classic stories that I think touches on a pretty primal
fear on a computer. That's the feeling that maybe there's someone watching you.
And the funny part about this story, as with a lot of hacker folklore, is there's a twist.
That maybe you can reach out and fight back against the spy.
Maybe you can stop whoever's peeping over your shoulder.
This is a small episode, so I have two small goals for today's discussion.
First, we'll look at how the story of OS and Jedgar has changed over versions of the
jargon file.
That should give
us a neat way to discuss how folklore changes in this culture. And second, I want to figure out
just how true the story is. Were hackers at MIT spying and counter-spying on one another?
Did they actually kill off each other's processes to try and scrape back a little privacy? Or is this one of those
cases where the truth has been distorted over time? Let's find out.
OS and Jedgar don't actually appear in the jargon file until 1990, but it's in a much different
form. This is actually before the folklore appendix was added, so we don't get a
full story. Instead, we get definitions. The first definition for Jedgar reads as,
Jedgar, a counter-spy program. See Output Spy, from Jargon File version 1.5.0.
Riveting, I know. The referenced entry for Output Spy reads nearly the same as the
OS and Jedgar story. The key difference is the lack of Jedgar. The definition is basically
restricted to the first part of the modern story. Output Spy existed, it let you snoop,
and there was a tool that could be used to alert you to snoops. That's it.
This is where the story, in its modern form, first enters the jargon file.
But going back further leads to something interesting.
Jargonfile.org maintains a collection of different versions of the sacred text.
That archive numbers versions chronologically.
Some have dates, but not all of them.
The first entries for OS and JEDGAR show up in version 1.5.0.
There's an earlier version that actually makes mention of output spy.
That's version 1.0.04.
It's one of the oldest archived versions of the file,
and luckily this is one of the few that has a concrete date It was last edited in 1976, in November of that year
Anyway, here's the most vintage mention
Quote
Gobble, verb
To consume or to obtain
Gobble up tends to imply consume
While gobble down tends to imply obtain.
This is followed by some example sentences. Quote, the output spy gobbles characters out of a TTY
output buffer. I guess I'll gobble down a copy of the documentation tomorrow. See snarf. End quote.
See, snarf.
End quote.
We get a very short mention in an example sentence.
That's not much, but I think it speaks to pretty common use of the term going back to the 1970s.
As the file is expanded, output spy gets its own entry, being elevated from a mere reference.
And then when the folklore appendix is added, the definition is rolled up into a story.
This means that the actual text of the OS and Jedgar story is, relatively speaking, new.
It's most likely from the middle of the 90s, compiled when the appendix was added.
The whole license to kill bit is also incorporated at that point. It doesn't show up in any older versions of the jargon file. To me, that puts the historicity of that part of the story on
kind of shaky ground. We know that something called Output Spy existed way back in the 70s,
and it was common enough to get reincorporated and enshrined in the file. But what exactly was it?
And what's the deal with the whole Jedgar part of the story?
To explain, we need to switch gears and look at the setting.
This gets to one of the funny things about the jargon file.
Over time, it's become this emblem of hacker culture in general,
but it was actually written in a very, very specific context.
It starts off at the MIT AI lab on a single computer running this somewhat obscure operating
system called the Incompatible Timesharing System, or ITS. It does quickly expand,
and soon there's another lab at Stanford contributing words.
The Stanford contributors are at SAIL, another AI lab, which itself is running a variant of ITS.
As a result, early versions of the jargon file are a snapshot of the culture around ITS specifically.
To be fair, that's kind of where hacker culture emerges
on the computer scene. That also means that early versions of the file and early stories in the file
can seem a little bit strange to someone familiar with more modern hacker culture.
This is also the reason that Output Spy shows up so early in the file's history. If the jargon file had started at a Unix outfit, things would have been very different.
But the fact of the matter is, the jargon file starts out on ITS.
And ITS was probably the only place where something like Output Spy could have existed.
You see, ITS was a weird operating system.
I ran a whole episode way back in the catalog about it, so if you want the full details,
you can go listen to episode 47.
Basically, it was an operating system with no security measures and no user restrictions.
This was all done in the spirit of hacking, what else?
The system was designed by hackers for hackers,
and many of the features or omissions were chosen to enable freedom and experimentation.
It's built so you can work out the perfect hack.
ITS was also, as the name says, a timesharing system.
It was used by multiple people simultaneously,
with each user logging in
over a teletype terminal. In order to do this trick, every user gets some space in memory,
where their output and inputs are buffered. This is sometimes called a TTY buffer,
and it's something that can be gobbled up in ITS. So basically, a theoretical output spy just has to know where
that buffer is for a certain user. The buffer is exactly what is sent out to the user's terminal
in normal operation. So if you can see that buffer, you can see what the user is looking at.
Thus, the whole output spy isn't a magical program. It's just a matter of
looking at just the right parts of memory. So let's start with that part of the equation.
Does output spy exist? Well, dear listener, this is something I love about ITS. We actually have
everything we need to answer that question. ITS is very well preserved thanks to the work of friend of the pod, Lars Brinkhoff.
I actually reached out to him for quite a bit of help on this episode, so big thanks.
We have most of the system's source code.
In some cases, that came from old code backups, and in other cases,
Larus has actually restored source code from existing binaries.
So we get this wild amount of visibility here.
First off, Output Spy isn't any one program.
Rather, it's kind of a feature of ITS, and it's kind of a number of different programs.
Let me explain.
There's actually an internal device called SPY, S-P-Y, that, if I'm reading the docs correctly, can just be pointed at someone else's
terminal. At least, in theory. We actually know what ITS hackers were doing in practice. Remember,
we have access to most of ITS's source code. From what we can tell, and
from a few discussions I had with Lars, it doesn't look like anyone used this spy device to write an
output spy. So what were they actually doing? For that, we can turn to an output spy program.
The one that's archived is called Scandal. S-C-A-N-D-L.
This is one of the things I love about ITS.
It's full of these great names.
Most of that program is actually just formatting text,
but the real heart of the code,
finding and pulling out data from someone else's buffer,
is only a few lines.
This isn't using a device driver or a system call.
Instead, it searches and accesses memory directly.
It, quite literally, like the jargon file hinted, gobbles the TTY buffer.
So output spies are very real, just not always by that name.
They also worked just as the old jargon file says. So then, what about the rest of the story?
Well, dear listener, would it surprise you to know that it's also 100% true?
We also have a preserved copy of Jedgar. This is a particularly cool piece of work.
Lars was able to track down a binary copy of JEDGER sitting on an old tape.
He was then able to take that binary and turn it back into its original source code. This is
possible because many ITS programs, JEDGER included, were written in assembly language,
so we get that nice one-to-one mapping between human-readable code and machine binaries.
The guts of JEDGR are pretty simple.
It starts up a daemon, meaning it just runs in the background while you work.
When the program is first executed, it asks, and this is a string taken right from the source code,
quote,
Am I licensed to kill? So there's one of our answers. That part
of the story comes from the program. There's no apocrypha there at all. As JEDGAR runs, it searches
memory for a certain signature. It turns out that all output spies work in a similar way. They start up and they
move into a waiting state. Specifically, they tell ITS to wake up their process when there's
a change in this region of memory called TOOP, the Terminal Output Buffer Output Pointer.
JEDGER simply looks for any processes that are in that waiting state called HANG,
and then it checks if that process has code to look at TOOP. That gives it a list of all running
output spies. It then checks to see if any of those spies are looking at your particular terminal.
If all signs point to espionage, you're alerted. Once again, from the source code,
quote, you are the subject of an illegal wiretap by convicted Watergate conspirators, end quote.
If JEDGAR has a license to kill, then it kills the output spy process. It actually tells ITS
to terminate that process. There's no restrictions preventing that
from happening, so the process dies. Once the deed is done, it lets you know, quote,
the admiscreant has been executed, end quote. All in all, pretty simple software. The final piece
is that Lars, during his restoration work, actually found two copies of Jedgar
One does what I explained, waiting, alerting, and killing
But the other version of Jedgar, well, it actually does nothing at all
It starts up, asks if it has a license to kill, and then just goes into the background and just hangs out
It's defanged. Once again,
the story keeps being backed up by software. There are so few times we get to say that. This is just
really cool. There's something neat going on here outside the whole folkloric aspect.
Both OS and Jedgar are actually tentatively related to modern software.
JEDGER acts very much like a primitive antivirus program. Antiviruses use databases of known viral
signatures to search for targets. Those signatures are just memory patterns. It's the same idea as Jedgar's tube check, just more complex.
Modern virtual terminals work in a very similar way to output SPI. So I admit this one's a little
more esoteric for most folk. In Unix-like systems these days, you don't use a physical terminal.
As cool as that would be, it would be kind of impractical, right? Instead, you use these programs called virtual terminals that are just little windows that
can pop up and act as their own standalone terminals.
They work by connecting to a terminal buffer inside the computer and then showing you its
contents.
You can even connect to someone else's buffer.
It's just that in modern systems, if you're going to gobble that,
you got to get permission first. All right, that does it for our quick look at OS and JEDGAR.
Or if you want, you could technically call it the story of scandal and gender.
This is one of my favorite types of folklore.
It's one of those stories where every bit is true, and we can actually look at its origins.
And what makes for a better story than some light-hearted espionage and, perhaps, digital murder in an AI research lab?
Finally, a huge thanks goes out to Lars Brinkhoff once again
for his work on ITS and for helping me understand its internals. It's thanks to the hard work of
folk like him that we can actually go back and look at historical software. And hey, thanks to
you for listening to Advent of Computing. I'll be back in just one week with the next episode in Spook Month 2024.
If you like the show, there are a few ways you can support it.
If you know anyone else who'd be interested in the history of computing,
please take a minute to share the podcast with them.
You can also rate and review the show on Apple Podcasts and Spotify.
You can support the show directly through buying Advent of Computing merch
or signing up as a patron on Patreon. Patrons get early access to episodes, polls for the show,
and bonus content. You can find links to everything on my website, adventofcomputing.com.
If you want to get in touch, good luck! I am still on vacation! None of you can reach me,
but I'll be back in a few weeks. And as always, have a great rest of your day.