Cuckoo's Egg
Page 20
“We collaborate with the Swiss physics lab, CERN. And those vandals have thoroughly walked through their computers. They probably stole passwords to our system, and linked directly to us.”
“Did they do any damage?” I asked.
“Damage! Haven’t you been listening?” Bob exploded. “Our networks are delicate things—people connect to us in hope of mutual support. When someone breaks into a computer, they destroy that trust. Aside from wasting days of my time, and forcing us to disable our network connections, these hackers undermine the openness that lets us do science together.”
“But did they erase your files?” I asked. “Did they change any programs?”
“Well, they modified my system to give them a backdoor password. But if you’re looking for headlines like, ‘Hacker wipes out entire system,’ you won’t find them here. These break-ins are far more insidious. They’re technically skilled but ethically bankrupt programmers without any respect for others’ work—or privacy. They’re not destroying one or two programs. They’re trying to wreck the cooperation that builds our networks.”
Whew! Here was a guy who took his computing seriously. I hadn’t learned much about hackers from Germany, but at last I’d spoken to someone who described them with the same expletives that I used. Bob realized that damage wasn’t measured in dollars ripped off, but rather in trust lost. He didn’t see this as fun and games, but a serious assault on an open society.
Once, I would have argued with Bob, saying that these were only kids fooling around. Once, I might have smiled and respected anyone who could hack around in so many computers. Not any more.
As an aside, Bob told me the German Chaos Club was attacking the U.S. Fermilab computer as well. I called Fermilab in Illinois and talked with their system manager. “Yes, some German hackers have been giving us headaches. They call themselves the Chaos Computer Club.”
“Were they spying?” I asked.
“Be serious. There’s no classified work here.”
I wondered. Were they vandals or spies? “Can you identify who’s breaking in?”
“One guy uses the pseudonym Hagbard. Another, Pengo. I don’t know their real names.”
“Have you secured your system since you detected them?”
“A little. We’re trying to do science, so we don’t want to shut our doors to the world. But these vandals are making it tough to run an open computing center. I wish they’d pick on someone else—like the military, for instance. Or NSA.”
If only he knew. “I suppose the police haven’t been much help?” I asked.
“Not much. They listen, but they’re not doing much.”
I called Stanford and asked one of their system managers, Dan Kolkowitz, if he’d heard anything from Germany.
“Come to think of it, someone broke in a few months ago. I monitored what he did, and have a listing of him. It looks German.”
Dan read the listing over the phone. Some hacker with the nom de guerre of Hagbard was sending a file of passwords to some hackers named Zombie and Pengo.
Hagbard and Pengo again. I wrote them in my logbook.
Still, it seemed like these guys were right. Those hackers were vandals who wanted to create trouble. They attacked universities and scientific institutes—easy pickings. They didn’t seem interested in military targets, and didn’t seem to know how to navigate the Milnet.
I realized another difference between my hacker and the Chaos Club hoodlums. My hacker seemed at home on Unix; not the Berkeley version, but Unix all the same. The vandals that Bob and Dan described seemed to only attack DEC’s VMS operating systems.
From now on, I’d watch for any news about the Chaos Computer Club, but I couldn’t assume that all German hackers were in league together.
One good thing was happening. One by one, I was making contact with other people who were losing sleep and slugging down Maalox over the same troubles that obsessed me. It was comforting to learn that I wasn’t completely alone.
It was time to take my mind off the hacker and return to astronomy. No such luck—Mike Gibbons of the FBI called.
“I thought you were on vacation,” I said.
“I am. At my folks’ place, in Denver.”
“Then how’d you get my message?” I wondered if the CIA had called.
“Oh, that’s easy,” Mike said. “We’re on two-hour alert. Day or night, the office can reach me. Sometimes makes my marriage uncomfortable.”
I understood all too well. My own beeper was an albatross. “Did you hear about the German connection?”
“How about telling me what happened over the weekend.” (Just the facts, ma’am.)
Once again, I read from my logbook. I’d reached the part about the DNIC numbers, when Mike interrupted.
“Can you Fed-ex your logbook here?”
“Sure. I’ll print out a copy and ship it to you.” Easy to do when you keep your notes inside a computer.
“I’ll see if we can open a case. No promises, but this looks interesting.” By now I’d learned that nobody ever promised to do anything.
I printed out a copy of my logbook and dropped it off at the express office.
When I returned, the phone was ringing. It was Teejay.
“I heard the news,” said my CIA contact. “You’re sure your friend lives across the puddle?”
“Yes, if you mean the Atlantic.” Teejay’s shorthand might confuse an eavesdropper, but it threw me for a loop every time. “Almost certainly he’s from Germany, and I’d be amazed if he’s from the States.”
“Do you know his exact location?”
“All I know is the electronic address of a computer. It’s a DNIC number, whatever that means.”
“Who’s going to decode it for you?”
“I expect the Bundespost to tell us who’s at the other end. Maybe tomorrow.”
“Have you called the, uh, northern entity?”
Northern entity? Who’s that? “You mean the ‘F’ entity?”
“No, the entity in the north. You know, Mr. Meade’s place.”
Meade. Fort Meade. He must mean the National Security Agency. “No, I called the ‘F’ entity, though.”
“Good. Are they moving or sitting on their butts?”
“I don’t know. They might open an investigation, but they wouldn’t promise.”
“They never do. I’ll get in touch with them and see if we can help things along. Meanwhile, why don’t you call the northern entity, and see if they’ll decode that address.”
Of course. NSA must have lists of every telephone number and electronic address in the world. I dialed the National Computer Security Center.
Zeke Hanson answered my call.
“Hey, Zeke, remember that you said that NSA can’t help me if the hacker’s coming from America?”
“Yeah, so what?”
“Well, he’s from Europe.”
“You mean that you’ve been following a foreigner on the Milnet?”
“You heard right.”
“Let me call you right back.”
By now, I’d gotten used to these call backs. The spooks either have secure telephone lines, or assume that I’m calling from a phone booth.
For the fifth time, I gave a how-I-spent-my-weekend talk. Zeke listened intently, obviously taking notes.
“Think the hacker’s on assignment?”
“I can’t say. But I suspect he’s saving his printouts.”
“How about sending me a list of keywords that he’s searched for.”
“Well, I’d be happy to, but I’m kinda busy today. Mostly, I’m trying to find the electronic address that belongs to that German DNIC number. I’d be glad to swap information.”
“You mean you’ll send me copies of the traffic in return for looking up that address?”
“Sure. Seems like a fair trade to me.” If I simply asked for the address point blank, he’d turn me down.
It didn’t work. Zeke stood his ground. “No possible way. I can’t even confirm that we have such information.”
Stymied. I’d have to decode that address some other way.
Frustrating, too. All day long, secret agencies were asking details from me, but nobody ever told me anything.
The day’s flurry left me exhausted, but hopeful. This one trace to Germany opened several doors. The spooks could no longer wash this away as a minor domestic disturbance. It still might be minor, but it certainly wasn’t domestic.
I’d kicked over an anthill. For the next few days, I couldn’t get away from my phone. The spooks kept calling back, asking for technical details—how do you connect from Europe into military computers? Could I prove that the hacker came from Germany? Where did he pick up passwords? How did he become super-user?
The Air Force OSI, however, worried about how to defend the Milnet. Did the hacker get into this site or that network? What type of computers did he attack? Could we contain him by locking him out of Lawrence Berkeley Labs?
Finally, Steve White called. He’d received a terse message from the manager of the German Datex network:
“The address belongs to a computer in Bremen. We investigate.”
Our circle was slowly closing.
I was off to the library again, paging through the atlas. Bremen’s a port city in northern Germany, renowned for its medieval paintings and town hall. Momentarily, my thoughts flew across the Atlantic … these are places from history books.
On the heels of Steve’s call, Mike Muuss of the Ballistic Research Laboratory called. In Aberdeen, Maryland, the Army runs a research and development laboratory; it’s one of the last government labs that doesn’t farm out its research to private contractors. Mike’s their computer honcho.
Mike Muuss—he’s famous throughout the Unix community as a pioneer in networking and as a creator of elegant programs to replace awkward ones. As Mike puts it, good programs aren’t written or built. They’re grown. A six-foot-tall, mustached runner, he’s incredibly driven, intense, and obsessed. Mike’s paid his dues on ancient versions of Unix, dating back to the ’70s. When Mike talks, other wizards listen.
“We detected Joe Sventek probing our system on Sunday,” Mike Muuss said. “I thought he was in England.”
Do all wizards know each other? Is it telepathy?
“He is,” I replied. “You detected a hacker masquerading as Joe.”
“Well, keep him off the network. Boot him out.”
I’d been through that before. “Closing him from my computer probably won’t stop him.”
“Oh, he’s in a lot of computers, huh?” Mike understood.
We chatted about an hour, and I tried to hide my ignorance. Mike assumed that I knew about the Eniac, the world’s first big computer. “Yep, it was right here at Ballistics Research Lab. Back in 1948. Ten years before I was born.”
Eniac might have been their first world class computer, but hardly their last. Now, the Army runs a pair of Cray supercomputers—the fastest in the world. Without much modesty, Mike said, “If you want to see the Army in the year 2010, look in my computers today. It’s all there.”
Exactly what the hacker wanted.
Soon after that call, Chris McDonald of White Sands phoned. He’d also heard someone pounding at his doors and wanted to know what we intended to do about it.
“Nothing,” I replied. “Nothing until the bastard’s been arrested.” A bluff, considering the chances of even discovering where the hacker lived.
The hacker had tried to chisel into eighty computers. Two system managers had detected him.
Suppose you walked along a city street trying to force doors open. How long would it take before someone called the cops? Five houses? Ten?
Well, with the help of the hacker, I knew the answer. On the computer networks, you can bang on forty doors before someone notices. With this kind of guard our computers are sitting ducks. Almost nobody’s watching for intruders trying to break in.
My own lab was as blind as anyone else. The hacker had broken in, become system manager, and had full run of my Unix computer before we detected him. Even then, we’d stumbled on him by accident.
It seemed unlikely that computer people could detect hackers in their systems. Well, maybe they could, but nobody was looking. So it was fruitful to keep combing through Mitre’s phone bills. The hacker had clearly called TRW, Incorporated in Redondo Beach; he’d spent hours hooked into their computer.
TRW—they’re a defense contractor, working for the Air Force and NASA.
When I called Howard Siegal of TRW’s signal processing facility, he’d never heard a thing.
“We can’t possibly have a hacker here. We’re running a secure facility.”
By definition, they were secure. I’d heard it before. “Just for my curiosity, could you check your accounting logs for the past couple months?”
He agreed, though I didn’t expect to hear back from him. The next morning, though, he called back with bad news.
“You were right,” Howard said. “Someone’s been in our system, but I can’t discuss it. We’re closing all access to our computer.” He wouldn’t describe what evidence had changed his mind, nor would he say if the hacker had become super-user.
I mentioned TRW to my friends at the Keck Observatory. Terry Mast raised his eyebrows: “Hell, they’re the defense contractors that built the KH-11.”
Wait a second. I’d seen KH-11 before. The hacker scanned for that keyword on Saturday. “Say, Terry, what’s the KH-11?”
“It’s a spy satellite. A secret spy satellite. KH stands for Key Hole. It’s the eleventh in a series. It’s obsolete now.”
“Replaced by the KH-12, I suppose.”
“Yes, in fact. Massive cost overruns, the usual. Both of them are extremely secret projects.” Secrecy automatically multiplied the cost of any project.
After a while, Steve White of Tymnet called back. The German Bundespost had determined that the hacker came from the University of Bremen. The address pointed to a Vax computer, not a telephone line, but the University knew nothing of any hacker. Apparently, they doubted that a hacker was on their computer. I wasn’t surprised: I’d heard it before. Give ’em a day or two, I thought.
A Vax computer, at a university. A university pointed to a student. I wondered if my gut feeling was wrong: could I just be chasing some poor sophomore prankster?
When talking to the CIA and NSA, I’d been careful to point out that possibility. It was bad enough to waste my time on this quest. I didn’t want the spooks to gird up for battle, only to find some kid with a peashooter.
But the spooks asked me speculative questions. Zeke at the NSA: “Can you characterize this person’s computer experience?” Well, that’s easy. Just list what he’s done, and how adept he appears. Then, “How old is he?” and “Is he paid or is this his hobby?” I could only guess at these: the hacker never typed in his age, weight, and occupation.
All my callers wanted to know about the hacker, even if they hadn’t the slightest interest in solving the case. My logbook held the information, but was well over fifty pages. To get out from under these phone calls, I wrote a note describing what I knew about him. By bringing together observations about him, perhaps I could paint a profile of this hacker.
Some of their questions I could answer directly: he targeted the military and defense contractors. He guessed and stole passwords. He’d usually work at nights, German time.
Other answers came from indirect observations: he seemed to be in his twenties—his experience in Unix and VMS told me that. Probably out of college—he worked even when school was out. And only a smoker would choose Benson and Hedges as passwords.
I must be watching only one or two people. I inferred this by knowing that he had four purloined accounts on my system, yet he had chosen the same password for all of them. Had there been more than a couple of people in on the caper, they would have chosen separate passwords.
In writing this profile, I got an impression of someone methodical and diligent. He’d been active for well over six months—and some of Mitre’s records indicated almost a year. He didn’t mind spending two hours on Sunday night, slowly trying to guess passwords into military computers. Tedious and tiresome work.
The NSA kept pushing at my conclusions. Zeke asked, “If he’s so methodical, how do you know you’re not just following some computer program?”
This one threw me for a loop. Zeke had challenged me on a point I hadn’t thought of before.
Could I prove that I was following a real person?
I’d once assumed that computer hackers were brilliant geniuses, creatively searching out ways to build new programs. This guy was patient and plodding, repeatedly trying the same tricks. The same sort of behavior you’d expect to find from a computer program.
Suppose someone had programmed a computer to methodically try to log into a hundred other computers. All you’d need would be a home computer with a modem: the programming would be fairly easy. It could guess passwords (like “visitor” and “guest”) about as well as a human. And it could run all night long, without anyone nearby.
A momentary panic. Could I prove that I wasn’t following such a machine?
Sure. My hacker made mistakes. Occasional typing errors.
I told Zeke, “There’s a human behind that keyboard, all right, who’s not a perfect typist.”
“Can you be sure that the hacker’s in the same country as the computer?”
Zeke was on top of this, all right. His questions kept me thinking. I was watching someone, and my guts said he was in Germany. But there’s no reason why he couldn’t be sitting in Australia, connected into a computer in Germany.
My beeper interrupted my answer. The hacker was back. “Gotta run, Zeke!”
Down the hall again, into the switchyard. There he was, just logging in. I started calling Tymnet, but by the time Steve White answered, the hacker had logged off. Total connect time: thirty seconds.
Damn. All week long, the hacker had been connecting for a minute or two at a time. Every time, he triggered my beeper and siphoned off my adrenaline. But I couldn’t trace such short connections. Ten minutes, for sure. Five minutes, maybe. But not one minute.