Cuckoo's Egg


by Clifford Stoll


  “Huh? What’s that mean?” I interrupted.

  “You know,” Ron said, “Westar 3.” I didn’t know, but I was learning by listening.

  He continued, “The communications satellite over the Atlantic. It handles ten or twenty thousand phone calls at once.”

  “So my hacker is coming from Europe?”

  “For sure.”

  “Where?”

  “That’s the part I don’t know, and I probably can’t find out. But hold on, and I’ll see what’s there.” More keyboard clicks.

  Ron came back to the phone. “Well, ITT identifies the line as DSEA 744031. That’s their line number. It can connect to either Spain, France, Germany, or Britain.”

  “Well, which is it?”

  “Sorry, I don’t know. You’ll have to call ITT. In three days, they’ll send us billing information, and then I can find out. Meantime, I can’t tell you much more than that.”

  From twenty-three thousand miles over Brazil, the Westar-3 satellite watches Europe and America at the same time. It relays microwave signals between the continents, each signal in its own channel. ITT, the multinational giant, leases a few thousand of Westar’s channels.

  Ron went back to washing his car and I crossed the room to the monitoring printer. Twenty minutes had passed, and my hacker hadn’t wasted a moment. Everything he typed was saved on my printer and displayed on my computer’s screen. If he started to wreck our system, I could pull his plug by just reaching behind the table.

  But he wasn’t interested in my lab’s computer. He first made sure that nobody was watching him by seeing who was logged on, and listing their jobs. Good thing my monitors were concealed.

  Then, he went directly to our network links and logged into the Network Information Center. This time, he searched for keywords like CIA, ICBM, ICBMCOM, NORAD, and WSMR. After picking up a few computer names, he methodically tried to log into each of them, using default account names like Guest and Visitor. He didn’t get far. Five systems bumped him off with bad passwords.

  Like a month ago, when he spent a while trying to get into the Army’s White Sands Missile Range. Over and over, he tried to log onto their computers. He had no problem finding the names of people working there—he just scanned the network directory. But he couldn’t guess their passwords.

  The Milnet connects to thousands of computers. Yet he wanted to get into White Sands. Why bother?

  Why’s this guy only interested in military stuff? There’s a whole world of computers, yet he’s targeting Army bases. Something serious is going on—it would be a long time before I found out what.

  After half an hour, he gave up on White Sands and tried to get back into our Elxsi computer. On Halloween, he’d sneaked in there and added a new account.

  Along with the physicist that managed the Elxsi, I’d planted a trap there. The computer looked like it was still wide open, but when the hacker touched it, it slowed down. The more the hacker tried to use it, the slower it went.

  Our electronic tar baby worked like an ace. The hacker tried to log into the Elxsi, and the machine coasted slower and slower. Not quite halting; he could see that he was making progress, but at an appalling rate. Elxsi, Inc. would have been ashamed—theirs is the zippiest of all minicomputers.

  Took him ten minutes to throw in the towel. But he came right back to our Unix machines, and right out onto the Milnet. This time, he spent an hour trying to break into forty-two military computers, literally around the world.

  With a single command, telnet, he’d connect to a military system, and spend one minute trying default account names and passwords. If he couldn’t guess his way in with four tries, he’d go on to the next computer.

  He knew how to guess. When greeted by the Unix response login:, he’d try default accounts like guest, root, who, and visitor. The Vax-VMS operating system greets you with Username:, on those systems he tried the defaults system, field, service, and user. He’d done this before, and I’m sure that hackers will do it again.

  If the Milnet was a roadway, connecting thousands of computers together, then he was a burglar, patiently visiting each house. He’d twist the front doorknob to see if it was unlocked, then walk around and try the backdoor. Maybe try lifting a window or two.

  Most of the time, he found the doors and windows locked. After a minute pushing them, he’d move on to the next place. Nothing sophisticated: he wasn’t picking locks or digging under foundations. Just taking advantage of people who left their doors open.

  One after another, he tried military computers: Army Ballistics Research Lab; U.S. Naval Academy; Naval Research Lab; Air Force Information Services Group; and places with bizarre acronyms, like WWMCCS and Cincusnaveur. (Cincus? Or was it Circus? I never found out.)

  Today wasn’t lucky for him. None of his guesses panned out. Forty-two at-bats, forty-two outs.

  Clearly, he was going to be on a long time. I reached into my pocket for a Milky Way candy bar—what else, for an astronomer?—and sat back to watch the hacker on my green monitor. I could imagine the far end of that long connection. The hacker sitting behind his monitor, watching the same green characters on his screen. Probably chewing on his own Milky Way bar. Or smoking a Benson and Hedges.

  It was Saturday, but I figured I’d try to call the Air Force Office of Special Investigations. They’d told me to call if anything bubbled up, and the cauldron was boiling now. But no answer. Anyway, there wasn’t much they could do. I needed to know who was at the other end of ITT’s satellite channel.

  Only two people knew where I was—Ron Vivier and Martha. Ron was washing his car. So when the phone rang in the switchyard, I answered, “Hello, sweetie!”

  Silence, then, “Aah, I’ve probably got the wrong number. I’m looking for Cliff Stoll.” A man’s voice with a profound English accent. Had some British spies found me? Or was the hacker in London? What a mindgame.

  Turned out to be nothing so subtle. Ron Vivier had called Tymnet’s international department, where their experts in transatlantic communications took over. One of Tymnet’s international specialists, Steve White, started tracing.

  Steve works in Vienna, Virginia, making certain that Tymnet’s customers can communicate worldwide. He grew up in Dorset, England, and first learned to program a computer by mail: he’d write a program at school, send it to a computer center, and receive the printout a week later. Steve claims that this makes you write good programs the first time, since each mistake wastes a week of your time.

  Steve had studied zoology at the University of London, and found it just like astronomy: fascinating but impoverishing. So he moved to the states, and began working in his other specialty: digital communications. Steve troubleshoots international communications systems.

  There’s a dozen ways to tie computers together—telephones, optical fibers, satellite links, and microwave links. At my laboratory, I didn’t care how my data moved, so long as a scientist in Podunk could reach my computer in Berkeley. It was Steve’s job to make sure that data funnelled in one end of Tymnet reached me at the far end.

  Every communications company has someone like Steve White, or at least the successful ones do. To him, the network is a gossamer web of connections: invisible threads that appear and disappear every few seconds. Each of his three thousand nodes have to be able to instantly talk to each other.

  You could build a network by stringing a wire to every computer, and then connecting them together in one big switch. With a thousand terminals at our lab, that’s exactly how we did things; a zillion wires in the switchyard. Local phone companies still work that way: they route all the neighborhood telephone wires to a single building, where mechanical switches make connections.

  With thousands of computers spread around the country, Tymnet couldn’t have a central exchange. Mechanical switches were out of the question: too slow and unreliable. Instead, Tymnet creates virtual circuits between computers. Across the country, Tymnet’s switching computers, called nodes, communicate with each other over leased cables.

  When your computer sends a message to mine, Tymnet treats it like a piece of mail: it squeezes your data into an envelope and sends it to one of Tymnet’s nodes. There, Tymnet’s computers stamp the envelope with the forwarding address, along with your own calling address. Like a post office running at the speed of light, special software grabs each envelope and tosses it to a node nearer its destination. When the envelope finally reaches my computer, Tymnet removes the address, opens the envelope, and delivers the data.

  There’s not one giant switch hooking your computer to mine. Instead, each network node knows where to toss every data packet—a central computer tells it the shortest path.* In crossing the country, a dozen Tymnet nodes may forward an envelope.

  When your computer’s silent, the network sits back and handles other envelopes, but each Tymnet node still remembers where to send your packets. Every node has a thousand pigeonholes, and is constantly sorting envelopes.

  There’s no wire to trace; rather, there’s a thread of addresses between your computer and mine. Ron and Steve, the Tymnet guys, could trace the hacker’s connections by untangling this thread. The tail of the thread originated at an ITT earth station. Beyond there, who could tell?

  * The Internet, too, doesn’t have one central switch, but instead has many local switches, all around the country. The lowest-level switches (really, computers) are tied together, forming local networks. These, in turn, are grouped together into regional networks, which connect to national backbones. The Internet, then, connects networks together—like the Arpanet, the Milnet, and its hundred other networks.

  While Tymnet (and its many cousins) builds virtual circuits from one point to another, the Internet is hierarchical. An Internet message moves from local roads, to state roads, onto the highways, and then down through state roads to a specific street address.

  Envelopes for messages on Tymnet can be simple—once the virtual circuit is established, each node knows where to toss the message. Internet messages, however, have envelopes with complete destination and return addresses, so that each network can figure out how to send it one step closer to the ultimate destination. Those more complex envelopes let Internet packets get through even when the system’s congested.

  Which is better? Don’t ask me.
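
The virtual-circuit forwarding and tracing described above, as an added example that is not part of the book: each node keeps one table entry per circuit, data is forwarded by circuit id alone, and a trace follows the upstream entries until it leaves the network, at which point the next carrier's tables are needed. The node names, topology, address labels and the breadth-first route search are assumptions made for illustration.

```python
from collections import deque

class VCNetwork:
    def __init__(self, links):
        # links: pairs of switching nodes joined by a leased line
        self.adj = {}
        for a, b in links:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        # Each node's "pigeonholes": circuit id -> (upstream, downstream)
        self.tables = {node: {} for node in self.adj}
        self.next_cid = 1

    def _route(self, src, dst):
        # Breadth-first search stands in for the central routing computer.
        prev, queue = {src: None}, deque([src])
        while queue:
            node = queue.popleft()
            for nb in sorted(self.adj[node]):
                if nb not in prev:
                    prev[nb] = node
                    queue.append(nb)
        path = [dst]
        while prev[path[-1]] is not None:
            path.append(prev[path[-1]])
        return path[::-1]

    def open_circuit(self, caller, entry, exit_node, callee):
        """Write per-node state along the path once; return the circuit id."""
        cid, self.next_cid = self.next_cid, self.next_cid + 1
        hops = [caller] + self._route(entry, exit_node) + [callee]
        for up, node, down in zip(hops, hops[1:], hops[2:]):
            self.tables[node][cid] = (up, down)
        return cid

    def walk(self, cid, start, upstream=False):
        """Follow a circuit downstream (forwarding) or upstream (tracing).
        Stops at the first hop that is not a node of this network."""
        node, seen = start, []
        while node in self.tables:
            seen.append(node)
            node = self.tables[node][cid][0 if upstream else 1]
        return seen, node

def build_demo():
    # Constructed topology and address labels; not real network data.
    carrier = VCNetwork([("C1", "C2")])
    domestic = VCNetwork([("N1", "N2"), ("N2", "N3"), ("N1", "N4"),
                          ("N4", "N5"), ("N5", "N3")])
    c_cid = carrier.open_circuit("calling-address:EXAMPLE", "C1", "C2", "gateway")
    d_cid = domestic.open_circuit(f"carrier-circuit:{c_cid}", "N1", "N3", "lab-host")
    return carrier, c_cid, domestic, d_cid

if __name__ == "__main__":
    carrier, c_cid, domestic, d_cid = build_demo()
    print(domestic.walk(d_cid, "N3", upstream=True))  # ends at the carrier gateway
    print(carrier.walk(c_cid, "C2", upstream=True))   # ends at the calling address
```

The trace inside the domestic network stops at the carrier's circuit; only a second walk through the carrier's own tables reaches the calling address.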

  So after months of tracking, the hacker’s coming from Europe. He was still on my computer, trying to chisel into the Navy Research Labs, when Steve White called.

  “Tymnet’s connection begins at ITT,” Steve said.

  “Yes, Ron Vivier already told me that. But he says that it could be from any of four countries.”

  “Ron can’t trace any farther,” Steve said, typing on his terminal. “I’ll do the trace myself.”

  “You can trace ITT’s lines?”

  “Sure. The international record carriers give Tymnet permission to trace their links, in case of problems. I’ll just log into ITT’s switch and see who’s calling.” Steve made it sound simple.

  I kept watching the hacker on my screen, hoping that he wouldn’t hang up while Steve made the trace.

  Steve came back on the line. In his modulated, almost theatric British accent, he said, “Your hacker has the calling address DNIC dash 2624 dash 542104214.”

  I’d grown accustomed to not understanding the jargon, but on principle, I dutifully wrote it down in my logbook. Fortunately, Steve translated for me.

  “You see, as far as Tymnet’s concerned, the hacker’s coming from ITT’s satellite. But from inside of ITT’s computers, I can see past their satellite link and trace the connection all the way back.”

  Steve had X-ray vision. Satellites didn’t stop him.

  “That DNIC number is the data network identifier code. It’s just like a telephone number—the area code tells where the call originates.”

  “So where’s the hacker coming from?”

  “Germany.”

  “East or West?”

  “West Germany. The German Datex network.”

  “What’s that?” Steve lived in a universe of networks.

  “Datex is the German equivalent of Tymnet. It’s their national network to connect computers together,” Steve explained. “We’ll have to call the Bundespost to find out more.”

  I forgot about the hacker on my computer, and listened to Steve. “You see, the DNIC completely identifies the computer that’s making the call. The first four digits tell me that it’s from the German Datex network. The Bundespost can look up that number in their catalog, and tell us exactly where it’s located.”

  “Who’s the Bundespost?” It sounded vaguely German.

  “They’re the German national postal service. The government communications monopoly.”

  “Why’s the post office running networks?” I wondered out loud. Here, the post office delivers letters, not data.

  “In a lot of countries, the post office owns the phone service. An historical outgrowth of government regulation. Germany’s probably the most centralized of all. You can’t get a telephone answering machine without government approval.”

  “So the hacker is coming from a government computer?”

  “No, it’s a private computer, probably. But the communications link is operated by the Bundespost. And that’s our next step. We’ll ring up the Bundespost in the morning.”

  I liked how he said “we” rather than “you.”

  Steve and I talked for a solid hour. Listening to his descriptions of the network was far more interesting than watching the hacker scan my computer for keywords like SDI. Steve wasn’t a technician, but a craftsperson; no, an artist who expressed himself through an invisible tapestry of electronic threads.

  To hear Steve speak of it, the network is a living, growing organism. It senses trouble and responds to its environment. To him, the network’s elegance lay in its simplicity. “Each node just passes the data on to the next.”

  “Every time your visitor types a key,” Steve said, “a character bounces from Datex to ITT to Tymnet and into your system. And between keystrokes, our network wastes no time on him.”

  With thousands of conversations threaded through his system and millions of bits of data, not one dialogue was lost, and not a byte of data spilled out. The network kept track of the connections, and you couldn’t slip through the cracks.

  All the same, Steve seemed pessimistic about completing a successful trace. “We know where he connects into the system. But there’s a couple possibilities there. The hacker might be at a computer in Germany, simply connected over the German Datex network. If that’s the case, then we’ve got him cold. We know his address, the address points to his computer, and the computer points to him.”

  “Seems unlikely,” I said, thinking of my trace to Mitre.

  “It is unlikely. More likely, the hacker is coming into the German Datex network through a dial-in modem.”

  Just like Tymnet, Datex lets anyone dial into their system, and connect to computers on the network. Perfect for business people and scientists. And hackers.

  “The real problem is in German law,” Steve said. “I don’t think they recognize hacking as a crime.”

  “You’re kidding, of course.”

  “No,” he said, “a lot of countries have outdated laws. In Canada, a hacker that broke into a computer was convicted of stealing electricity, rather than trespassing. He was prosecuted only because the connection had used a microwatt of power from the computer.”

  “But breaking into a computer is a crime in the USA.”

  “Yes, but do you think the hacker will be extradited for that?” Steve asked. “Look at the support you got from the FBI. Be serious, Cliff.”

  Steve’s pessimism was contagious. But his trace jagged my spirits: so what if we couldn’t nail the hacker—our circle was closing around him.

  This hacker, though, knew nothing of our trace. He finally disconnected at 5:22, after two hours of twisting doorknobs and scanning files. My printer captured everything, but the real news was Steve White’s work.

  Germany. I ran over to the library and dug out an atlas. Germany’s nine hours ahead of us. The hacker showed up around noon or 1 P.M.; for him, it’s 9 or 10 P.M. He’s probably taking advantage of cheap rates.

  Poring over the atlas, I remembered Maggie Morley recognizing the hacker’s password. “Jaeger—it’s a German word meaning Hunter.” The answer had been right in front of me, but I’d been blind.

  This explained the timing of the acknowledgement echos when the hacker used the Kermit file transfers. I’d measured 6000 miles to the hacker, though I’d never relied much on that figure. I should have. Germany was 5200 miles from Berkeley.

  Not just blind. Deaf as well.

  I’d been gathering facts. Not interpreting them.

  Sitting alone in the library, I was suddenly deeply embarrassed over sending my sister on a wild goose chase, searching for a high school kid in Virginia; and the Berkeley detectives, running around campus with revolvers.

  I’d messed up. For months, I’d scoured North America, searching for the hacker. Dave Cleveland kept telling me, “The hacker’s not from the West Coast.” No, not by 5200 miles.

  Some details were still fuzzy, but I understood how he operated. Somewhere in Europe, the hacker called into the German Datex network. He asked for Tymnet, and the Bundespost made the connection through the international record carrier. Once he reached the States, he connected to my laboratory and hacked his way around the Milnet.

  Mitre must have been his stopover point. I could see how he made the connection. He’d entered the German Datex system, asked for Tymnet, and then logged into Mitre. Once there, he could explore their computers at his leisure. When he grew tired of reading the defense contractor’s reports, he could dial out from Mitre, connecting anywhere in North America—with Mitre picking up the tab.

  But who paid for his transatlantic connections? According to Steve, his sessions cost fifty or one hundred dollars an hour. Walking back to the computer room, I realized that I was following a well-heeled hacker. Or a clever thief.

 
