Cuckoo's Egg
I ran to Wayne’s office. “Look—the hacker’s on our local area network.”
“Slow down, Cliff. Lemme see.” Wayne kept five terminals in his office, each watching a different system. “Yeah, there’s Sventek, on the Unix-4 computer. Whatcha wanna do?”
“But he’s the hacker. And he’s coming from our lab-wide ethernet.”
“Big deal. There’s a dozen ways to get there.” Wayne turned to another terminal. “I’ll just switch on my friendly ethernet analyzer, and see who’s doing what.”
As Wayne typed in the parameters, I thought about the implications of finding the hacker on our local network. Our ethernet was a party line that snaked through every office. That he found a way into the ether was bad news: it meant that the hacker could attack even personal computers attached to the ethernet.
But maybe this would prove to be good news. Perhaps the hacker lived here in Berkeley and worked at our laboratory. If so, we were closing in on him quickly. Wayne would trace the ethernet to within a few feet of the source.
“Here’s your connection. He’s coming from … from the computer that controls the MFE net.”
“You mean the hacker is entering our lab through the MFE network?”
“Yeah. He’s coming from Lawrence Livermore Laboratory. The Magnetic Fusion Energy Network.”
I called down the hallway, “Hey, Dave! Guess who’s visiting Livermore?”
Dave ambled over to Wayne’s office. “How’d he get there? There’s no connection from there into our Unix system.”
“I don’t know how he got into Livermore, but he’s in our ethernet, coming from Livermore.”
Dave raised his eyebrows. “I didn’t know you could do that. Your hacker found a path to the Unix system that I didn’t know about.”
Wayne launched into Dave with his usual tirade against Unix. I left the two bosom enemies and called Livermore.
It took three calls to find the system manager of the MFE network. “Hi, you don’t know me, but you’ve got a hacker in your system.”
A woman answered, “Huh? Who are you?”
“I work at LBL. Someone’s messing around in my computer and he’s coming in from the MFE network. It looks like he’s logged in from Livermore.”
“Oh, hell. I’ll scan our users.… There’s only one job that’s connected from Livermore to Berkeley. Account 1674 … it belongs to someone named Cromwell.”
“That’s him,” I said. “The hacker found the password a couple hours ago. Got the password from a command file here in Berkeley.”
“I’ll kill that account. Cromwell can use our system, when he learns to keep his passwords secret.” She saw the problem as ignorant users, not unfriendly systems that forced people to use bizarre passwords like agnitfom.
“Can you trace the connection?” I wanted Livermore to keep the hacker on line, at least long enough to trace the line.
“No, we’re not authorized to make any traces. You’ll have to talk to our management first.”
“But by the time anyone decides, the hacker will be gone.”
“We run a secure installation,” she said. “If anyone finds out there’s a hacker at Livermore, heads will roll.”
“Unless you trace where the hacker’s coming from, you’ll never know if he’s out of your system.”
“My job is to run a computer. Not to catch criminals. Leave me out of your wild goose chase.”
She decided to chop off all access and disable the stolen account. The hacker disappeared from Livermore’s computer, and from ours.
Maybe it was just as well. Even if she had started a trace, I couldn’t monitor what the hacker was doing. I could detect that he was in my computer, all right. But the MFE network connected directly into my computer, without going through the switchyard. My printers wouldn’t capture what the hacker typed.
Depressed, I shuffled to lunch. At the LBL cafeteria, Luis Alvarez sat down across from me. Inventor, physicist, and Nobel Laureate, Luie was the twentieth-century Renaissance man. He didn’t waste time on bureaucracy; he demanded results.
“How’s astronomy?” Even from the stratosphere, Alvarez still found time to talk to pipsqueaks like me. “Still building that telescope?”
“Naw, I’m working at the computer center now. I ought to be writing programs, but I’ve been spending all my time chasing a hacker.”
“Any luck?”
“It’s playing hide-and-seek over the wires. First I think he’s coming from Berkeley, then Oakland, then Alabama, then Virginia. Lately I’ve traced him to Livermore.”
“Called the FBI?”
“Six times. They’ve got better things to do. The frustrating part is the complete lack of support.” I told him about the morning’s activity at Livermore.
“Yes, they’ve got their jobs to worry about.”
“But I’m trying to help them, damn it. They don’t care that their neighbor’s being burglarized.”
“Stop acting like a crusader, Cliff. Why don’t you look at this as research. Nobody else is interested—not Livermore, not the FBI. Hell, in a week or two, probably not even our lab’s administration.”
“They gave me three weeks. It’s already up.”
“That’s what I mean. When you’re doing real research, you never know what it’ll cost, how much time it’ll take, or what you’ll find. You just know there’s unexplored territory and a chance to discover what’s out there.”
“That’s easy for you to say. But I’ve got to keep three managers off my back. There’s programs to write and systems to manage.”
“So what? You’re following a fascinating scent. You’re an explorer. Think of who might be behind it. Some international spy, perhaps.”
“More likely some bored high school kid.”
“Well then, forget who’s causing the problems,” Luie said. “Don’t try to be a cop, be a scientist. Research the connections, the techniques, the holes. Apply physical principles. Find new methods to solve problems. Compile statistics, publish your results, and only trust what you can prove. But don’t exclude improbable solutions—keep your mind open.”
“But what do I do when I hit a brick wall?”
“Like Livermore’s system manager?” asked Luie.
“Or the telephone company withholding a phone trace. Or the FBI refusing a court order. Or our laboratory shutting me down in a couple days?”
“Dead ends are illusory. When did you ever let a ‘Do Not Enter’ sign keep you away from anything? Go around the brick walls. When you can’t go around, climb over or dig under. Just don’t give up.”
“But who’s going to pay my salary?”
“Permission, bah. Funding, forget it. Nobody will pay for research; they’re only interested in results,” Luie said. “Sure, you could write a detailed proposal to chase this hacker. In fifty pages, you’ll describe what you knew, what you expected, how much money it would take. Include the names of three qualified referees, cost benefit ratios, and what papers you’ve written before. Oh, and don’t forget the theoretical justification.
“Or you could just chase the bastard. Run faster than him. Faster than the lab’s management. Don’t wait for someone else, do it yourself. Keep your boss happy, but don’t let him tie you down. Don’t give them a standing target.”
That’s why Luie won a Nobel Prize. It wasn’t what he did, so much as how he went about it. He was interested in everything. From a few rocks slightly enriched in the element iridium, he’d inferred that meteorites (a source of iridium) must have struck the earth some sixty-five million years ago. Despite skepticism from paleontologists, he recognized those meteors to be the death knell of the dinosaurs.
Luis Alvarez never saw the subatomic fragments that won his Nobel prize. Instead, he photographed their trails inside bubble chambers. He analyzed those trails—from their length, he calculated the particles’ lifetimes; from their curvature, their charge and mass.
My research was a far cry from his, but what have I got to lose? Maybe his techniques would work for me. How do you scientifically research a hacker?
At 6:19 that evening, the hacker returned. This time, he came through Tymnet. I didn’t bother tracing it—no use rousting everyone from dinner when they wouldn’t give me the phone number.
Instead, I sat and watched the hacker deliberately connect to the MX computer, a PDP-10 at the MIT artificial intelligence labs in Cambridge, Massachusetts. He logged in as user Litwin, and spent almost an hour learning how to operate that computer. He seemed quite unaccustomed to the MIT system, and he’d frequently ask for the automated help facility. In an hour, he’d learned little more than how to list files.
Perhaps because artificial intelligence research is so arcane, he didn’t find much. Certainly, the antique operating system didn’t provide much protection—any user could read anyone else’s files. But the hacker didn’t realize this. The sheer impossibility of understanding this system protected their information.
I worried about how the hacker might abuse our network connections over the weekend. Rather than camping out in the computer room, I pulled the plugs to all the networks. To cover my tracks, I posted a greeting for every user logging in: “Due to building construction, all networks are down until Monday.” It would surely isolate the hacker from the Milnet. By counting complaints, I could take a census of how many people relied on this network.
Quite a few, it turned out. Enough to get me in trouble.
Roy Kerth was first. “Cliff, we’re taking a lot of heat for the network being down. A couple dozen people are bitching that they haven’t received electronic mail. Can you look into it?”
He must have believed the greeting! “Uh, sure. I’ll see if I can get it working right away.”
It took five minutes to patch the network through. The boss thought I’d done magic. I kept my mouth shut.
But while the network was down, the hacker had appeared. My only record was a printout from the monitor, but that was enough. He had shown up at 5:15 A.M. and tried to connect into a Milnet site in Omaha, Nebraska. Disappeared two minutes later. From the network directory, I found he tried to get into a defense contractor there, SRI Inc.
I called Ken Crepea of SRI, and he hadn’t noticed anyone trying to get in. “But I’ll call you back if I see anything strange.”
Ken called back two hours later. “Cliff, you won’t believe this, but I checked our accounting logs, and someone’s broken into my computer.”
I believed him. “How do you know?”
“There’s weekend connections from several places, on accounts that ought to be dead.”
“From where?”
“From Anniston, Alabama, and from Livermore, California. Someone used our old account, SAC. It used to be used for the Strategic Air Command, here in Omaha.”
“Any idea how it was invaded?”
“Well, it never had much password protection,” Ken said. “The password was SAC. Guess we screwed up, huh?”
“What was he up to?”
“My accounting records don’t say what he did. I can only tell the times he connected.”
He told me the times, and I entered them into my log book. To protect his system, Ken would change all passwords to all accounts, and make each person show up in person to get a new password.
The hacker was on the Milnet through at least two other computers, Anniston and Livermore. And probably MIT.
MIT. I’d forgotten to warn them. I called Karen Sollins of their computer department and told her about Friday night’s intrusion. “Don’t worry,” she said, “there’s not much on that computer, and we’re throwing it away in a few weeks.”
“That’s good to know. Can you tell me who owned the Litwin account?” I wanted to know where the hacker got Litwin’s password.
“He’s a plasma physicist from the University of Wisconsin,” she said. “He uses Livermore’s big computers, and ships his results to our system.” Doubtless, he left his MIT passwords on the Livermore computer.
This hacker silently followed scientists from one computer to another, picking up the crumbs they left. What he didn’t know was that someone was also picking up the crumbs he was leaving.
The hacker knew his way around the Milnet. Now I could see the futility of closing him out of our computers. He’d just come in through some other door. Perhaps I could nail my own doors shut, but he’d still climb into other systems.
Nobody detected him. Unmolested, he had sneaked into Livermore, SRI, Anniston, and MIT.
Nobody chased him. The FBI certainly didn’t. The CIA and the Air Force Office of Special Investigations couldn’t or wouldn’t do anything.
Well, almost nobody. I followed him, but I couldn’t figure out a way to catch him. The telephone traces wouldn’t pan out. And since he used several networks, how was I to know where he came from? Today, he might enter through my lab and break into a computer in Massachusetts, but tomorrow, he might just as well enter the nets in Peoria and break into Podunk. I could monitor him only when he touched my system.
It was time to give up and go back to astronomy and programming, or make my site so inviting that he preferred to use Berkeley as a jumping-off place.
Giving up seemed best. My three weeks had expired, and I heard grumblings about “Cliff’s quest for the Holy Grail.” So long as it looked like my chase might bear fruit, the lab would tolerate me, but I had to show progress. For the past week, only the hacker had made progress.
“Do research,” Luis Alvarez had said. Well, OK, I’d watch this guy and call it science. See what I can learn about networks, computer security, and maybe the hacker himself.
So I reopened our doors and sure enough, the hacker entered and poked around the system. He found one interesting file, describing new techniques to design integrated circuits. I watched as he fired up Kermit, the universal file-transfer program, to ship our file back to his computer.
The Kermit program doesn’t just copy a file from one computer to another. It constantly checks to make sure there haven’t been any mistakes in transmission. So when the hacker launched our Kermit program, I knew he was starting the same program on his own computer. I didn’t know where the hacker was, but he certainly used a computer, not just a simple terminal. This, in turn, meant that the hacker could save all his sessions on a printout or floppy disk. He didn’t have to keep notes in longhand.
Kermit copies files from one system to another. The two computers must cooperate—one sends a file, and the other receives it. Kermit runs on both computers: one Kermit does the talking, the other Kermit listens.
To make sure it doesn’t make mistakes, the sending Kermit pauses after each line, giving the listener a chance to say, “I got that line OK, go on to the next one.” The sending Kermit waits for that OK, and goes on to send the next line. If there’s a problem, the sending Kermit tries again, until it hears an OK. Much like a phone conversation where one person says “Uh huh” every few phrases.
My monitoring post sat between my system’s Kermit and the hacker’s. Well, not exactly in the middle. My printer recorded their dialogue, but was perched at the Berkeley end of a long connection. I watched the hacker’s computer grab our data and respond with acknowledgements.
Suddenly it hit me. It was like sitting next to someone shouting messages across a canyon. The echoes tell you how far the sound traveled. To find the distance to the canyon wall, just multiply the echo delay by half the speed of sound. Simple physics.
Quickly, I called our electronic technicians. Right away, Lloyd Bellknap knew the way to time the echoes. “You just need an oscilloscope. And maybe a counter.” In a minute, he scrounged up an antique oscilloscope from the Middle Ages, built when vacuum tubes were the rage.
But that’s all we needed to see these pulses. Watching the trace, we timed the echoes. Three seconds. Three and a half seconds. Three and a quarter seconds.
Three seconds for a round trip? If the signals traveled at the speed of light (not a bad assumption), this meant the hacker was 279,000 miles away.
With appropriate pomp, I announced to Lloyd, “From basic physics, I conclude that the hacker lives on the moon.”
Lloyd knew his communications. “I’ll give you three reasons why you’re wrong.”
“OK, I know one of them,” I said. “The hacker’s signals might be traveling through a satellite link. It takes a quarter second for microwaves to travel from earth to the satellite and back.” Communications satellites orbit twenty-three thousand miles over the equator.
“Yeah, that’s one reason,” Lloyd said. “But you’d need twelve satellite hops to account for that three-second delay. What’s the real reason for the delay?”
“Maybe the hacker has a slow computer.”
“Not that slow. Though maybe the hacker has programmed his Kermit to respond slowly. That’s reason two.”
“Aah! I know the third delay. The hacker’s using networks that move his data inside of packets. His packets are constantly being rerouted, assembled, and disassembled. Every time they pass through another node, it slows him down.”
“Exactly. Unless you can count the number of nodes, you can’t tell how far away he is. In other words, ‘You lose.’ ” Lloyd yawned and returned to repairing a terminal.
But there was still a way to find the hacker’s distance. After the hacker left, I called a friend in Los Angeles and told him to connect to my computer through AT&T and Tymnet. He started Kermit running, and I timed his echoes. Real short, maybe a tenth of a second.
Another friend, this time in Houston, Texas. His echoes were around 0.15 seconds. Three other people from Baltimore, New York, and Chicago each had echo delays of less than a second.
New York to Berkeley is about two thousand miles. It had a delay of around a second. So a three-second delay means six thousand miles. Give or take a few thousand miles.
Weird. The path to the hacker must be more convoluted than I suspected.
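The echo-timing measurement described above, worked through as an added example that is not part of the original text: it pairs each outgoing Kermit data packet with its acknowledgement in a monitor log, discards retransmitted packets (whose delay is ambiguous), and converts the median delay to a distance using both the speed-of-light bound and the New York calibration point. The log format, the timestamps and the rounded 186,000 miles-per-second constant are assumptions made for illustration.

```python
from statistics import median

SPEED_OF_LIGHT_MI_S = 186_000   # miles per second, rounded (assumption)
# Calibration point from the text: New York, about 2,000 miles, about 1 s echo.
CAL_MILES, CAL_DELAY_S = 2_000, 1.0

# Constructed tap log: (seconds, direction, Kermit packet type, sequence number).
# "out" + "D" = our Kermit sending data; "in" + "Y" = the remote Kermit's ACK.
TAP_LOG = [
    (0.00, "out", "D", 1), (3.00, "in", "Y", 1),
    (3.05, "out", "D", 2), (6.55, "in", "Y", 2),
    (6.60, "out", "D", 3), (11.60, "out", "D", 3),   # timed out and resent
    (14.70, "in", "Y", 3),
    (14.75, "out", "D", 4), (18.00, "in", "Y", 4),
]

def echo_delays(log):
    """Return send-to-ACK delays, skipping any packet that was resent."""
    sent, resent, delays = {}, set(), []
    for t, direction, ptype, seq in log:
        if direction == "out" and ptype == "D":
            if seq in sent:
                resent.add(seq)   # cannot tell which copy the ACK answers
            else:
                sent[seq] = t
        elif direction == "in" and ptype == "Y" and seq in sent:
            t0 = sent.pop(seq)
            if seq not in resent:
                delays.append(round(t - t0, 3))
    return delays

def light_bound_miles(delay_s):
    """Upper bound: the signal covers the distance twice at light speed."""
    return delay_s / 2 * SPEED_OF_LIGHT_MI_S

def calibrated_miles(delay_s):
    """Empirical estimate scaled from a path of known length and delay."""
    return delay_s * CAL_MILES / CAL_DELAY_S

def estimate(log):
    """Median echo delay with both distance estimates."""
    d = median(echo_delays(log))
    return d, light_bound_miles(d), calibrated_miles(d)

if __name__ == "__main__":
    d, bound, cal = estimate(TAP_LOG)
    print(f"median echo {d} s: light bound {bound:,.0f} mi, calibrated {cal:,.0f} mi")
```

The gap between the two estimates is the point of Lloyd's objection: the light-speed figure ignores node and processing delays, so only the calibrated figure says anything about the path actually taken.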
I bounced this new evidence off Dave Cleveland. “Suppose the hacker lives in California, calls the East Coast, then connects to Berkeley. That could explain the long delays.”