Cuckoo's Egg
Page 26
We put all the files under one account, SDINET, and made certain that I was the only one who knew the password. Then I made these files entirely inaccessible to everyone except the owner—me.
Large computers let you make a file world-readable, that is, open to anyone who logs into the system. It’s a bit like leaving an office cabinet unlocked—anyone can read the contents when they wish. You might set world-read on a file containing the scores of the office’s volleyball tournament.
With a single command, you can make a file readable by only certain people, for example, your co–workers. The latest sales report, or some manufacturing designs, need to be shared among a few people, but you don’t want everyone to scan them.
Or a computer file can be entirely private. Nobody but you can read it. Like locking your desk drawer, this keeps everyone out. Well, almost everyone. The system manager can bypass the file protections, and read any file.
By setting our SDI files to be readable only by their owner, I made sure that nobody else would find them. Since I was the owner and the system manager, nobody else could see them.
Except, perhaps, a hacker masquerading as system manager.
For the hacker could still break in and become system manager. It would take him a couple of minutes to hatch his cuckoo’s egg, but he’d then be able to read all the files on my system. Including those bogus SDI files.
If he touched those files, I’d know about it. My monitors saved his every move. Just to make certain, though, I attached an alarm to those SDI network files. If anyone looked at them—or just caused the computer to try to look at them—I’d find out about it. Right away.
My snare was baited. If the hacker bit, he’d take two hours to swallow the bait. Long enough for the Germans to track him down.
The next move was the hacker’s.
I’d screwed up again. Operation Showerhead was ready, all right. It might even work. But I’d forgotten an important detail.
I hadn’t asked anyone’s permission.
Normally, this wouldn’t be a problem, since nobody cared what I did anyway. But bicycling up to the lab, I realized that every organization I’d been in contact with would want to know about our phony SDI files. Each place would have a different opinion, of course, but to go ahead without telling anyone would piss them all off.
But what if I asked their permission? I didn’t want to think about it. Mostly, I worried about my boss. If Roy stood behind me, then the three letter agencies couldn’t touch me.
On January 7, I went straight to his office. We talked about relativistic electrodynamics for a while—which mostly meant my watching the old professor at the chalkboard. Say what you will about crusty college professors, there’s no better way to learn than to listen to someone who’s paid his dues.
“Say, boss, I’m trying to get out from under this hacker.”
“CIA leaning on you again?” Roy was joking, I hoped.
“No, but the Germans will only trace the line for one more week. After next weekend, we might as well call it quits.”
“Good. It’s been too long anyway.”
“Well, I was thinking about planting some misleading data in our computer, to use as bait in catching the hacker.”
“Sounds good to me. It won’t work, of course.”
“Why not?”
“Because the hacker’s too paranoid. Still, go ahead. It’ll be a useful exercise.” Hot damn!
My boss’s approval insulated me from the rest of the world. Still, I ought to tell the three letter folks about our plans. I wrote a short proposal, framed as a scientific paper:
Proposal to Determine the Address of the Hacker
Problem:
A persistent hacker has invaded LBL’s computers. Because he is coming from Europe, it takes an hour to trace the phone lines. We would like to learn his exact location.
Observations:
1. He is persistent
2. He confidently works within our computers, unaware that we are watching him.
3. He searches for phrases like “sdi,” “stealth,” and “nuclear.”
4. He is a competent programmer and is experienced at breaking into networks.
Suggested solution:
Provide fictitious information to keep him connected for more than an hour. Complete the phone trace during this time.
My paper went on and on about History, Methodology, Implementation Details, and had footnotes about the chances of actually catching him. As boring as I could make it.
I sent this paper to the usual list of 3 letter agencies: the FBI, CIA, NSA, and DOE. I included a note saying that unless someone objected, we’d carry out this plan next week.
A few days later, I called each agency. Mike Gibbons of the FBI understood what I was getting at, but wouldn’t commit his agency one way or another. “What does the CIA have to say about it?”
Teejay at the CIA had also read my proposal, but was equally noncommittal:
“What did the guys at the ‘F’ entity say?”
“Mike said to call you.”
“Well, ain’t that dandy. Have you called the northern entity?” Northern entity? What’s north of the CIA?
“Uh, Teejay, who’s the northern entity?”
“You know, the big Fort M.”
Oh—Fort Meade in Maryland. The NSA.
Yes, I had called Fort Meade, and Zeke Hanson at the NSA’s National Computer Security Center had read my proposal. He seemed to like it, but he didn’t want to have anything to do with it.
“Well, I sure can’t tell you to go ahead,” Zeke said. “Personally, I’d love to see what happens. But if you get into trouble, we don’t have anything to do with it.”
“I’m not looking for someone to take responsibility. I’m wondering if it’s a bad idea.” Sounds strange, but that’s just what I was trying to do. Before you start an experiment, get the opinions of people who’ve been there before.
“Sounds good to me. But you really ought to check with the FBI.” That closed the circle—everyone pointed their finger at someone else.
Well, I called the Department of Energy, the Air Force OSI, and a guy at the Defense Intelligence Agency. Nobody would take responsibility, of course, yet nobody blocked the idea. That’s all I needed.
By Wednesday, it was too late for anyone to object. I was sold on Martha’s idea, and was willing to back it up.
Sure enough, Wednesday afternoon, the hacker showed up. I’d been invited to lunch at the Cafe Pastorale in Berkeley with Dianne Johnson, the field representative of the Department of Energy. Along with Dave Stevens, the computer center’s math whiz, we enjoyed some fine fettucini, while talking about our progress and plans.
At 12:53 PST, in the middle of a cup of cappuccino, my beeper went off. The morse code said the hacker was into our Unix-4 computer as Sventek. I didn’t say a word—just ran to the phone booth and called Steve White at Tymnet ($2.25 in quarters), and he started the trace running. The hacker was on for only three minutes—just long enough to see who was logged onto my computer. I was back at the table before the coffee cooled off.
That spoiled the rest of lunch for me. Why had he stayed around only three minutes? Did he sense a trap? I couldn’t tell until I saw the printout up at the lab.
The monitors showed him logging on as Sventek, listing the names of everyone currently logged on, and then disappearing. Damn him. He didn’t look around long enough to discover our bogus files.
Oh—maybe our bait was too well hidden. The German phone technician would be around for only a couple more days, so I’d better make it more obvious.
From now on, I’d stay logged on to my computer. I would play sweet Barbara Sherwin, connected to the computer on the SDINET account. The next time the hacker raised his periscope, he’d see SDINET clunking away, trying to edit some file or another. If that didn’t catch his attention, then nothing would.
Naturally, he didn’t show up the next day, Thursday. We were running out of time. N
othing the next morning. I was about to call it quits, when my beeper sounded at 5:14 P.M, Friday, January 16. There’s the hacker.
And I’m here, working in the SDINET account, playing with a word processing program. His first command, “who,” listed ten people. I was the seventh on his list:
who
Astro
Carter
Fermi
Meyers
Microprobe
Oppy5
Sdinet
Sventek
Tumchek
Tompkins
There’s the bait. Come on, go for it!
lbl> grep sdinet/etc/passwd he’s searching for user “SDINET” in our password file
sdinetsx4sd34xs2:user sdinet files in/u4/sdinet, owner sdi network project
Ha! He swallowed the hook! He’s hunting for information about the user SDINET! I knew what he’d do next—he’d search over in the SDINET directory.
lbl> cd /u4/sdinet lbl> ls he’s moving over to the SDINET directory and trying to list the file names
file protection violation -- you are not the owner. But he can’t see them!
Of course he can’t read the SDINET data—I’ve locked everyone out of those files. But he knows how to evade my lock. Just plant a little egg, using the Gnu-Emacs software. Become super-user.
None of my files are hidden from the system manager. And my visitor knows exactly how to grab those privileges. It just takes a few minutes. Would he reach into the monkey bottle?
There he goes. He’s checking that the Gnu-Emacs move-mail program hasn’t been changed. Now he’s creating his own false atrun program. Just like the old days. In a couple more minutes, he’ll be system manager.
Only this time, I’m on the phone to Steve White.
“Steve, call Germany. The hacker’s on, and it’ll be a long session.”
“Spot-on, Cliff. Call you back in ten minutes.”
Now it’s the Germans’ turn. Can they pull the plum from the pie? Let’s see, it’s 5:15 P.M. in Berkeley, so in Germany, it’s uh, 2:15 in the morning. Or is it 1:15? Either way, it’s sure not ordinary business hours. Sure hope that the Hannover technicians stayed late tonight.
Meanwhile, the hacker’s not wasting time. Within five minutes, he’d built a special program to make himself super-user. He twisted the tail of the Gnu-Emacs program, moving his special program into the systems area. Any minute now, Unix will discover that program and … yep, there it goes. He’s super-user.
The hacker went straight for the forbidden SDINET files. (I’m glued to my monitor, thinking, “Come on, guy, wait till you see what’s sitting there for you.”) Sure enough, he first lists the file names:
lbl> ls
Connections
Form-Letter
Funding
Mailing-Labels
Pentagon-Request
Purchase-Orders
Memo-to-Gordon
Rhodes-Letter
SDI-computers
SDI-networks
SDI-Network-Proposal
User-List
World-Wide-Net
Visitor-information
Many of these files aren’t just single memos. Some are file directories—whole file cabinets full of other files.
Which one will he look at first? That’s easy. All of them.
For the next forty-five minutes, he dumps out file after file, reading all the garbage that Martha and I created. Boring, tedious ore, with an occasional nugget of technical information. For example:
Dear Major Rhodes:
Thank you for your comments concerning access to SDINET. As you know, a Network User Identifier (NUI) is required for access to both the Classified and Unclassified SDINET. Although these NUI’s are distributed from different locations, it is important that users who use both sections of the network retain the same NUI.
For this reason, your command center should contact the network controllers directly. At our laboratory in Berkeley, we can easily modify your NUI, but we would prefer that you issue the appropriate request to the network controllers.
Sincerely yours,
Barbara Sherwin
Aah … there’s a pointer in that letter saying that you can reach the SDINET from Lawrence Berkeley Laboratory. I’ll bet that he’ll spend an hour or two searching for the portal to reach that mythical SDINET.
Did he believe what I’d fed him? There’s an easy way to find out. Just watch what he does—a disbeliever won’t go hunting for the Holy Grail. The files made a believer out of him. He interrupted his listing to search for a connection into our SDI network. On my monitor, I watched him patiently scan all our links to the outside world. Without knowing our system thoroughly, he couldn’t search exhaustively, but he spent ten minutes checking the system for any ports labelled “SDI.”
Hook, line, and sinker.
He returned to reading our fake SDINET files, and dumped the file named form-letter:
SDI Network Project
Lawrence Berkeley Lab
Mail Stop 50-351
1 Cyclotron Road
Berkeley, CA 94720
name name
address address
city city, state state, zip zip
Dear Sir:
Thank you for your inquiry about SDINET. We are happy to comply with your request for more information about this network. The following documents are available from this office. Please state which documents you wish mailed to you:
#37.6 SDINET Overview Description Document 19 pages, revised Sept, 1985
#41.7 Strategic Defense Initiative and Computer Networks: Plans and implementations (Conference Notes) 227 pages, revised Sept, 1985
#45.2 Strategic Defense Initiative and Computer Networks: Plans and implementations (Conference Notes) 300 pages, June, 1986
#47.3 SDINET Connectivity Requirements 65 pages, revised April, 1986
#48.8 How to link into the SDINET 25 pages, July 1986
#49.1 X.25 and X.75 connections to SDINET (includes Japanese, European, and Hawaii nodes) 8 pages, December, 1986
#55.2 SDINET management plan for 1986 to 1988 47 pages, November 1985
#62.7 Unclassified SDINET membership list (includes major Milnet connections) 24 pages, November 1896
#65.3 Classified SDINET membership list 9 pages, November, 1986
#69.1 Developments in SDINET and Sdi Disnet 28 pages, October, 1986
NUI Request Form
This form is available here, but
should be returned to the Network Control Center
Other documents are available as well. If you wish to be added to our mailing list, please request so.
Because of the length of these documents, we must use the postal service.
Please send your request to the above address, attention Mrs. Barbara Sherwin.
The next high level review for SDINET is scheduled for 20 February, 1987. Because of this, all requests for documents must be received by us no later than close of business on 11 February, 1987. Requests received later than this date may be delayed.
Sincerely yours,
Mrs. Barbara Sherwin
Documents Secretary
SDINET Project
I wondered how he’d react to this letter. Would he send us his address?
It didn’t make much difference. Steve White called back from Tymnet. “I’ve traced your connection over to the University of Bremen.”
“Same as usual, huh?”
“Yeah. I guess they’ve reopened for classes,” Steve said. “At any rate, the Bundespost has traced the Datex line from Bremen into Hannover.”
“OK. Sounds like the hacker’s in Hannover.”
“That’s what the Bundespost says. They’ve traced the Datex line into a dial-in port located near downtown Hannover.”
“Keep going, I follow you.”
“Now comes the tough part. Someone has dialed into the Datex system in Hannover. They’re coming from Hannover, all right—it’s not a long distance line.”
“Does the Bundespost know that phone number?”
“Almost. In the past half hour, the technician traced the line and has narrowed it down to one of fifty telephone numbers.”
“Why can’t they get the actual number?”
“Wolfgang’s unclear about that. It sounds like they’ve determined the number to be from a group of local phones, but the next time they make a trace, they’ll zero in on the actual telephone. From the sound of Wolfgang’s message, they’re excited about solving this case.”
One in fifty, huh? The Bundespost is almost there. Next time, they’ll have him.
Friday, January 16, 1987. The cuckoo laid its eggs in the wrong nest.
The trace almost reached the hacker. If he came by once more, we’d have him.
But the deadline was tomorrow night. Saturday, when the German telephone technicians would give up the chase. Would he show up?
“Martha, you don’t want to hear this, but I’m sleeping at the lab again. This may be the end of the road, though.”
“That’s the dozenth time you’ve said that.”
Probably was. The chase had been a constant stream of “I’ve almost got him” followed by “He’s somewhere else.” But this time it felt different. The messages from Germany were confident. They were on the right scent.
The hacker hadn’t read all our bogus files. In the forty-five minutes that he’d linked into our system, he listed about a third of the data. He knew there was more, so why didn’t he stay around and browse?
All the more likely that he’d come back soon. So once again, I crawled under my desk and fell asleep to the sound of a computer disk drive whining in the distance.
I woke up, for once, without a beeper squawking in my ear. Just a peaceful Saturday morning, alone in a sterile office, staring at the bottom of my desk. Oh well, I’d tried. Too bad the hacker didn’t show up.
Since nobody else was around, I started to play with an astronomical program, trying to understand how mistakes in mirror-grinding affect images from a telescope. The program was just about working when my beeper called at 8:08 a.m.
A quick jog down the hall, and a glance at the monitor’s screen. There’s the hacker, just logging into the Unix-5 computer, on one of his old account names, Mark. No time to figure what he’s doing here, just spread the word fast. Call Tymnet, and let them call the Bundespost.