Cuckoo's Egg
Page 21
Fortunately, Steve didn’t mind my panic calls, and each time would explain a new wrinkle in Tymnet’s switching system. Today, however, Steve mentioned that the Bundespost had talked with the University of Bremen.
After a meticulous search, the systems folks at the University of Bremen had discovered a privileged user: “An expert has created an account for himself, and had root privileges. He was last active on December 6, and erased all accounting traces.”
Sounded familiar. In fact, the more I read it, the more it said. I could infer that Bremen used Unix, rather than the VMS operating system: on Unix computers, people say “root” access; on VMS, it’s “system” privileges. Same concept, different jargon.
Meanwhile, the German Bundespost had determined the account that the hacker used to connect across the Atlantic. They set a trap on that account: the next time someone used that account, they’d trace the call.
The man at the Bundespost thought the account might be stolen. Instead of asking the account owner if he’d authorized the hacker to call America, the Bundespost would quietly watch what was going on.
The Germans weren’t sitting around. The University would monitor the suspicious account, and the Bundespost watched the network activity. More and more mouse holes were being watched.
Within an hour, Steve received one more message from Germany: the University of Bremen will be shutting down its computers for the next three weeks. Christmas break.
Maybe this was good news. If the hacker didn’t show up during the break, he was likely from Bremen. But if he continued despite the break, he’d have to pick a different route … one that might lead directly to him.
The hacker wasn’t more than a few minutes from Berkeley. Now, we were only a couple weeks from him.
December was time to print greeting cards and my housemates got together for our annual ink splash. Martha drew the design and Claudia and I cut the silk screens. We figured that we’d avoid offending our zealot friends by keeping the card astronomical: Winter Solstice Greetings!
“We make cards the way you chase hackers,” Martha said.
“Huh?”
“Do it yourself,” she observed. “Not the way professionals would do it, but satisfying anyway.”
I wondered how a real professional would track this hacker. But then, who were the professionals? Was anyone dedicated to following people breaking into computers? I hadn’t met them. I’d called every agency I could think of, yet nobody had taken over. Nobody had even offered advice.
All the same, the FBI, CIA, OSI, and NSA were fascinated. A foreigner was siphoning data from U.S. databases. The case was documented—not just by my logbook, but also by massive printouts, phone traces, and network addresses. My monitoring station ran full time—the chances for catching the culprit seemed good.
But not a dime of support. My salary was skimmed from astronomy and physics grants, and lab management leaned on me for systems support, not counterespionage. Eight thousand miles away, a hacker was prying around our networks. Three thousand miles east, some secret agents were analyzing my latest reports. But two floors up, my bosses wanted to slam the door.
“Cliff, we’ve decided to call it quits,” Roy Kerth said. “I know you’re close to finding the hacker, but we can’t afford it anymore.”
“How about another two weeks. Until New Year’s Day?”
“No. Close things up tomorrow. Revoke everyone’s passwords tomorrow afternoon.” In other words, slam the door.
Damn. Three, nearly four months’ work down the tubes. And just when the trace seemed promising.
Frustrating. The hacker could hide, but he couldn’t shake me. My management was the only one who could do that. Just as we were zeroing in on the bastard.
Depressing as well. The hacker wouldn’t have any trouble returning to his haunts. He would still roam the networks, breaking in wherever he could. Nobody cared.
I began planning how to pull every user’s password. It’s easy to do—just rebuild the password file. But how do you tell passwords to twelve hundred scientists? Bring them together in one room? Call everyone on the phone? Mail them notes?
I was still bummed out when Mike Gibbons called from the FBI.
“Just checking to see where the trace has led.”
“Into Bremen,” I said. “A university there.”
“So it’s a college student, huh?”
“Not necessarily. But we’ll never find out.”
“Why not?”
“LBL is closing its doors. Tomorrow.”
“You can’t do that,” the FBI agent said. “We’re opening an investigation.”
“My boss thinks he can.”
“Tell him that we’re just making contacts in Europe. Whatever you do, don’t stop now.”
“You’re talking to the wrong guy, Mike.”
“OK. What’s your boss’s phone number?”
I wasn’t about to draw fire from Roy Kerth by asking for another extension. If the FBI really wanted us to stay open, let them deal with him.
Anyway, nobody was supporting me. All those fancy three-letter agencies ever said was, “Gimme.” Every agency wanted copies of logs and printouts. Every time we completed a trace, four or five people demanded to know where it led.
These were the facts of life in dealing with a bureaucracy: everyone wanted to know what we discovered, but nobody would take responsibility. Nobody volunteered to be the contact point, the center for collecting and distributing information. I’d started out in the center of the study, and it seemed like I’d stay there.
On the other hand, since nobody told me what to do, I could take chances—like remaining open to a hacker who could wipe out my computer in a couple seconds. I could be a one-man band, as in grad school: if it’s worth doing, do it for yourself, not to please some funding agency.
If only I could keep Kerth and company off my back.
The FBI did that. Mike Gibbons talked to Roy Kerth. I’m not sure what they said, but half an hour later, Roy told me to remain open for the next few weeks.
“They’re finally taking us seriously,” Roy said.
“Serious enough to pay our overhead?”
“Are you kidding?”
Rescued from the brink. We’d stay open, though only through the grace of an informal agreement. I had a couple more weeks to catch the hacker.
I might not need much more. Friday, December 19, at 1:38, the hacker showed up again. Stayed around for two hours, fishing on the Milnet.
A pleasant Friday afternoon, trying to guess passwords to the Strategic Air Command, the European Milnet Gateway, the Army’s West Point Geography Department, and seventy other assorted military computers.
I got to the monitors within a few seconds, and phoned Steve White at Tymnet. He was getting ready to go home when I called.
“The hacker’s on our computer. Tymnet’s logical port number 14.”
“OK,” Steve said. The usual keyboard clatter in the background. Twenty seconds elapsed, and he called out, “Got it!”
Steve had traced a connection from California to Germany in less than a minute.
“How’d you do that?”
Steve laughed. “Now that I know you’re looking for traces, I’ve automated my tracing program. I just have to tell it to fly.”
“Where’s it point to?”
“You’re getting a call from address 2624 DNIC 4511 dash 049136.”
“What’s that mean?”
“We’ll have to ask the Bundespost, but I can tell you a bit about the address. The first digits, 2624, mean Germany.”
“We already know that.”
“The next four digits, 4511, begin with a 4. That means the hacker’s coming through a public dial-in port.”
“I don’t understand. What’s different from the last time you traced the hacker?”
“Last time, we traced him to a computer at the University of Bremen. That time, the digits were 5421. The 5 means that a computer was at the other end.”
Oh—the address was coded, like American pay telephones, whose phone numbers always seem to have a fourth digit of 9.
“So the connection isn’t coming from the University of Bremen’s computer?” I asked.
“That’s for certain. But we know more than that. We know that the hacker’s coming into a dial-in port. He’s connecting from a local telephone.”
“Do you know his phone number?”
“No, but the Bundespost can determine what telephone number he called.”
Steve’s news brought us one step closer. The hacker couldn’t hide behind the University of Bremen.
“So when will we find the location of this electronic address?”
“Should be soon. I asked Wolfgang to look it up.”
“Who’s that?”
“Wolfgang Hoffman. The Datex network manager in Germany.”
“You’re on the phone with him?”
“Of course not,” Steve said. “We’re sending electronic mail to each other.” I could have guessed.
“And he hasn’t decoded today’s address, huh?”
“That’s right. Until the Bundespost decodes the address, we can’t do much … hold on, something’s showing up … it’s a message from Germany.” Steve apparently had a direct line to Europe, and passed notes between countries the way I might dash off an interoffice memo.
Steve translated the note. “Wolfgang says the hacker came from a dial-in port. He’s dialed in over a telephone line.”
“We knew that already.”
“Yeah, but he’s not coming from Bremen. Today, he’s dialing from Hannover.”
“So where is he? In Bremen or Hannover?”
“Wolfgang doesn’t know. For all we know, he could be in Paris, calling long distance.”
Another dash to the library. Their atlas showed the city of Hannover, maybe seventy-five miles south of Bremen. Looked like a big city, around half a million people. Jeez—the stuff that travelogues are made from.
Was some student in Bremen dialing Hannover? Not likely. Even with the university closed, he could just call Bremen’s Datex port. A Bremen student wouldn’t make a long distance call to Hannover.
Aah, but when the university closed up, students go home.
Was I following some sophomore, home on vacation?
But it didn’t feel like a student. College students don’t have six-month attention spans. They’d search for games and academic programs, not military keywords. And wouldn’t a student leave some kind of signature or joke behind—some way of sticking out his tongue at us?
If this wasn’t a student, then why did he come from two places in Germany? Maybe he knew some way to call long distance into Hannover—perhaps from some unprotected computer, or with a stolen credit card. Yesterday it was Bremen. Today Hannover. Where will he hide tomorrow?
The only way to find out was to keep watching. Quietly.
I’d waited four months. I could wait a while longer.
“You need a German search warrant.”
Steve White called back from Tymnet. He’d just received electronic mail from Wolfgang Hoffman at the German Bundespost. Wolfgang was hot to pursue the hacker, but needed legal support to trace their lines.
“How do I get a search warrant in Germany?” I asked Steve.
“I don’t know, but the Bundespost says they’re going to the Hannover courts tomorrow to discuss it.”
This was good news. Somewhere in Germany, Wolfgang Hoffman had started wheels turning. With luck, they’d get some court orders, make a couple more traces, and arrest the varmint.
Steve White was less optimistic. “When the hacker shows up, the Germans will have to trace the Datex networks, find the phone number that the hacker is calling, and then trace that telephone line.”
“Foo,” I said, remembering my traces in Berkeley and Virginia. Unless Wolfgang and his team were patient, competent, and clever, the hacker would evade them.
Too many things could go wrong. The hacker could be from another country. He could be using a phone line from another city, disguised through a wide-area telephone system. The court might not grant the search warrants. Or the hacker might sniff the wind and realize that someone was on his trail.
Wolfgang sent another message: “Until the search warrant appears, we will record the name of the Datex user-identifier.”
Steve explained, “Whenever you use Tymnet or Datex, someone pays for the service. When you use the network, you have to type in your account number and password. The Germans are going to find out who’s paying for the hacker’s connections. When we signal them that the hacker’s around, they’ll not only trace their Datex network, but also find the account name that’s paying for the connection.”
I understood. If the hacker had stolen someone else’s account number and password, he could be charged with theft, and getting a search warrant would be easy. On the other hand, if he was paying for his own connections, it would be easy to find his name, and a court order wouldn’t be necessary. They might not even have to trace his telephone lines.
No doubt, this guy Wolfgang was sharp. He was looking for shortcuts to avoid making telephone traces. At the same time, he was building a case against the hacker.
Saturday, December 20, Steve called me at home. Martha glared at me for letting brunch get cold.
Steve had just received another message from Germany. The Bundespost had contacted the Bremen State Prosecutor, Herr Staatsanwalt Von Vock. (“Now that’s a high-class title,” I thought.)
The message from Germany read: “The German State Prosecutor needs to contact high-level U.S. criminal justice persons so as to execute proper search warrants. The Bundespost cannot move until officially notified by a high-level U.S. criminal office.”
What’s a high-level U.S. criminal office? The Mafia? Whatever they meant, I’d better get people moving.
I called my boss, Roy Kerth, who crustily observed that it’d taken the Germans six months to discover this problem. “If they were half competent, the hacker would be behind bars by now.”
To catch this snake, we all had to pull in the same direction. My boss’s flames didn’t promote harmony, so how could they promote international cooperation? Maybe I’d be better off appealing to our legal counsel.
Aletha Owens knew what to do. “I’ll call Germany and talk to them directly. They probably need someone in the FBI, but I’ll start things moving.”
“Sprechen Sie Deutsch?”
“Not in twenty years,” Aletha said. “But I’ll haul out the old Berlitz tapes.”
Sunday morning, Aletha called back. “Hey, my German isn’t so bad. A few problems with the future tense, but not bad. Not bad.”
“Yeah, but what did you learn?”
“Well, I learned all sorts of things about reflexive verbs and …”
“What about the hacker?”
“Oh, him. Aah, yes.” Aletha adopted a mock academic tone. “The German State Prosecutor is a most kindly gentleman who believes in protecting both liberty and property. So he needs an official request to open an investigation.”
“Who’s the official?”
“The FBI. We’ve got to ask the FBI to contact their German counterparts. Or should I say, ‘you,’ since I’ll be gone next week.”
It was on my shoulders to get the FBI to call the Germans to open an investigation. Great—another chance for them to say ‘go away kid.’ I left a message for Mike Gibbons at the Alexandria, Virginia, FBI office.
Amazingly, Mike called ten minutes later from Colorado.
“Hi, Cliff. This had better be important.”
“Sorry to bother you, but the German prosecutor needs to talk to someone in the FBI. We’ve traced our troubles into Hannover.”
“Well there’s nothing I can do tonight,” Mike said. “And I don’t have any documentation here.”
In theory, the FBI’s representative in Germany would contact his German counterpart, and things would progress from there. Mike said that this guy, the U.S. Legal Attaché, lived in Bonn and handled communications between the two countries. In a sense, he represents the FBI within Germany.
Over the next few months, I would often hear about the U.S. Legal Attaché. I never learned his name, though plenty of curses were directed his way.
The next day, Mike fished through the crime laws. “It’s covered by the computer fraud act. Open and shut case.”
“But the guy has never set foot in the States,” I observed. “How can you get someone from another country?”
“Well, he probably won’t be extradited, if that’s what you mean. But we can press charges and get him thrown into a German prison, especially if the German law is similar to ours.”
“What’s the likelihood that the FBI will drop the whole thing?”
“Not if I can help it,” Mike said. “We’ll have to work with attorneys at the Justice Department, but I don’t see a problem there.”
I still didn’t believe him. The case was obvious to me, but too complex to describe to a criminal lawyer.
“Is there anything that I can get that will help you?”
“Come to think of it, there is. Could you write up a summary of the hacker? You know, draw up a profile of him and tell us who we’re looking for. Things like when he’s active, what he’s expert in, any idiosyncrasies. Don’t speculate, but try to identify our man.”
Here was a useful project to keep me from pestering Mike for a few days. I combed through my logbook and drew together a profile of my hacker.
Compiling this profile should have kept me out of trouble for a few days. But trouble came from another front.
Someone at NSA had leaked word of my research to the Department of Energy. In turn, they were pissed that they hadn’t heard earlier—and more directly.
Roy Kerth stopped me in the hallway. “DOE is going to reprimand us for not telling them about this incident.”
“But we did tell them,” I objected. “More than two months ago.”
“Prove it.”
“Sure. It’s in my logbook.”
Roy wanted to see it, so we walked over to my Macintosh and brought up the logbook. Sure enough, on November 12th, my logbook said that I’d informed DOE. I’d written a summary of our conversation and even included a phone number. DOE couldn’t complain—we could prove that we’d informed them.