A Discussion of the contents of /usr/hmcintyr on Letyourcompassguideyou.com
There's a fair bit of info in this directory, if you understand what you're looking at. But I regret to say that if you know enough to understand the contents, you also see a lot of errors on the part of the creators of the "Lost Experience".
Start with the contents of the directory:
[ ]   .Xdefaults      10-May-2006 12:31    33
[DIR] bak/            10-May-2006 12:31     -
[ ]   .bash_history   10-May-2006 12:31   125
[ ]   .bash_profile   10-May-2006 12:31   521
[DIR] bin/            10-May-2006 12:31     -
[ ]   .login          10-May-2006 12:31    49
[ ]   .logout         10-May-2006 12:31    98
[ ]   .lynxrc         10-May-2006 12:31     0
[DIR] mail/           10-May-2006 12:32     -
[ ]   .mysql_history  10-May-2006 12:31     0
[ ]   .pinerc         10-May-2006 12:31     0
[ ]   .rhosts         10-May-2006 12:31     0
[ ]   .rlogin         10-May-2006 12:31     0
[ ]   .shosts         10-May-2006 12:31     0
[ ]   .vimrc          10-May-2006 12:31   537
[ ]   .xinitrc        10-May-2006 12:31   834
First thing that stands out is that all of the files have the same date: in a real home directory, these files would have a variety of date stamps, which would indicate not only the last time the user accessed the directory but also when each file was last used (e.g., ".bash_profile" would show the date hmcintyr last executed a command on his account, "bak" would show the last date a file was copied to this directory or deleted from it, etc.). I'm guessing that whoever created this artifact for the PTB didn't know how to tweak the timestamps to give this the needed level of authenticity; but we can safely ignore this to preserve the simulation of reality.
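As an added example (not part of the original post), the following Python script parses the flattened listing above and quantifies the timestamp tell just described: how many distinct modification times the entries carry, how tightly they cluster, and which dotfiles are zero bytes. The function names and the "looks_staged" threshold are my own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the flattened listing as it appears on the page.
LISTING = (
    "[ ] .Xdefaults 10-May-2006 12:31 33 [DIR] bak/ 10-May-2006 12:31 - "
    "[ ] .bash_history 10-May-2006 12:31 125 [ ] .bash_profile 10-May-2006 12:31 521 "
    "[DIR] bin/ 10-May-2006 12:31 - [ ] .login 10-May-2006 12:31 49 "
    "[ ] .logout 10-May-2006 12:31 98 [ ] .lynxrc 10-May-2006 12:31 0 "
    "[DIR] mail/ 10-May-2006 12:32 - [ ] .mysql_history 10-May-2006 12:31 0 "
    "[ ] .pinerc 10-May-2006 12:31 0 [ ] .rhosts 10-May-2006 12:31 0 "
    "[ ] .rlogin 10-May-2006 12:31 0 [ ] .shosts 10-May-2006 12:31 0 "
    "[ ] .vimrc 10-May-2006 12:31 537 [ ] .xinitrc 10-May-2006 12:31 834"
)

# One Apache-autoindex entry: [kind] name dd-Mon-yyyy hh:mm size-or-dash
ENTRY_RE = re.compile(r"\[(?P<kind>[^\]]*)\]\s+(?P<name>\S+)\s+"
                      r"(?P<when>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2})\s+(?P<size>\d+|-)")

def parse_listing(text):
    """Return one dict per entry; works on the flattened one-line form."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "name": m["name"],
            "mtime": datetime.strptime(m["when"], "%d-%b-%Y %H:%M"),
            "size": None if m["size"] == "-" else int(m["size"]),
            "is_dir": m["kind"].strip() == "DIR",
        })
    return entries

def timestamp_report(entries):
    """Many distinct mtimes = lived-in directory; one shared minute = bulk copy."""
    times = [e["mtime"] for e in entries]
    counts = Counter(times)
    spread = max(times) - min(times)
    return {
        "distinct_mtimes": len(counts),
        "spread_minutes": int(spread.total_seconds() // 60),
        "empty_files": sorted(e["name"] for e in entries
                              if not e["is_dir"] and e["size"] == 0),
        # Threshold is an assumption: at most two distinct minutes, 10 min apart
        "looks_staged": len(counts) <= 2 and spread.total_seconds() <= 600,
    }

if __name__ == "__main__":
    for key, value in timestamp_report(parse_listing(LISTING)).items():
        print(f"{key}: {value}")
```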
These files are the kinds of files one would find in the home directory of any user of a UNIX computer: they are, for the most part, the personal configuration files of this user. The contents of .Xdefaults, .bash_profile, .login, .vimrc & .xinitrc are real & functional; however, their presence & contents are puzzling & inconsistent. On one hand, the .mysql_history indicates that this computer is a recent Linux or BSD system: MySQL is an Open Source program that has come into its own in the last few years. However, I'm surprised to see configuration files for Lynx (i.e. .lynxrc), an older text-oriented web browser, & for Pine (i.e. .pinerc), another older mail client, next to them; were I the sysadmin on this system, I'd use Mozilla & maybe mutt instead, both of which are newer & don't have as many known security holes in them.
Another issue can be seen in the .xinitrc file -- which has the configuration information for the X Window graphical user interface (GUI) for the user. First there are these lines at the top of the file:
#!/bin/sh
# $XFree86: mit/clients/xinit/xinitrc.cpp,v 1.3 1993/04/11 13:50:35 dawes Exp $
# $XConsortium: xinitrc.cpp,v 1.4 91/08/22 11:41:34 rws Exp $
This is an ancient version of this file, dating from 1993! Apparently it still works well enough for this server's sysadmin, but glancing at a computer installed with a recent version of Linux, the second line reads:
# (c) 1999-2002 Red Hat, Inc.
The next odd thing about this file is at the end:
# start some nice programs
/opt/SUNWmfwm/bin/mwm &
# olwm&
xsetroot -solid slategrey
xclock -geometry 50x50-1+1 &
exec xterm -geometry 80x24+10+10 -ls -C -name login
The second line in this code fragment is the command to start the window manager (that is, the engine of the GUI), mwm, which is better known as Motif. This was the leading commercial window manager for UNIX up until a few years ago; I'd expect to find Gnome or KDE as the window manager. And what is surprising is that this executable is kept in the "/opt/SUNWmfwm" directory -- which suggests that this computer is running Solaris, & contradicts all of the other indications that this computer is running Linux! While I haven't worked with Solaris for the last few years, I would expect that if the owners paid the cash for this OS, they would also use a different shell than bash (Korn & tcsh are included & supported under Solaris), & I believe Gnome is supported by Sun as their window manager now.
(Here, I suspect I know the reasoning for Motif over Gnome: the config files for the Gnome window manager are so cryptic & complex that few people interested in the "Lost Experience" could easily figure out what they contain; this .xinitrc file is simple & clearly shows it contains no important information.)
I could spin out a number of suggestions why these inconsistencies could happen, but the easiest solution here is to assume that someone goofed; which again is unfortunate, because looking at the .bash_history file, someone did something very right.
This file is a copy of all of the commands the user typed when he last logged in; some .bash_history files contain hundreds of lines, while others are removed upon logout. This history file is quite short, but reveals an awful lot about what its user was doing. The file contents appear below with a line-by-line explanation.
- "ls" means list files; the flags indicate all files -- including "hidden files" beginning with a dot
- edits the config file for "screen" with a vi clone, vim. Vim is an odd choice for a computer with Solaris ("vi" comes installed), unless there is a lot of NFS-mounting going on.
screen -R work
- screen allows the user to run a job in the background; the -R flag directs it to "reattach" the job (or provide user access to the program running in the background). In a nutshell, this user checked to see the results of a program he had left running.
- Pine is a mail program -- a very old one. The "-i" simply means the user started this mail reader in a state where he could access his mail folders.
scp biz:docs/dcx_rfp.doc .
scp biz:docs/dcx_contract.doc .
- "scp" means "secure copy": the user was transferring files from the "biz" computer to this one. (Again another mistake: where is the ".ssh" directory that would contain the keys & configuration files for scp?)
- Not a computer-related guess, but "RFP" apparently means "request for proposal": so these 2 files relate to business dealings with a company or person known by the initials "DCX".
- From a Google search, TRM is a means to "fingerprint" a file -- attach a tag to it so that this specific file can then be traced if copied or shared. (This is similar to what is called "watermarking".)
- Now that the file has been fingerprinted, the user's copies are deleted. This makes no sense -- unless he used pine to send these traceable copies to another user with pine.
I assume that at this point the user logged out. But the story told here is clear: hmcintyr logged in, looked for these 2 files, copied them from the computer "biz", stamped them with a fingerprint (so he could trace them at a future date for security), then emailed them to someone.
Why this was done -- & why it is important for "The Lost Experience" -- I cannot say, & leave for someone else to figure out.