Cuckoo's Egg
Page 29
Or perhaps I should tell the world. Post a notice to lots of electronic bulletin boards saying, “Hey, you can break into any Unix computer by …” That would at least wake up the folks who manage the systems. Maybe even prod them into action.
Or should I create a virus, one that takes advantage of this security hole?
If there were a trusted clearinghouse, I could report to them. They, in turn, could figure out a patch for the problem, and see that systems are fixed. The National Computer Security Center seemed like a logical place for this. After all, they specialize in computer security problems.
But they didn’t want to touch it. The NCSC was too busy designing secure computers. For the past few years, they’d published an unreadable series of documents describing what they meant by a secure computer. In the end, to prove that a computer was secure, they’d hire a couple programmers to try to break into the system. Not a very reassuring proof of security. How many holes did the programmers miss?
The meeting at Bolling Air Force Base broke up with the FBI and Department of Justice dead set against our continuing to monitor the hacker. The CIA and NSA didn’t say much, and the military groups and the Department of Energy wanted us to stay open. Since DOE paid our bills, we’d stay open, so long as an arrest seemed likely.
While I was around Washington, Zeke Hanson invited me to give a talk at the National Computer Security Center. It’s just down the road from Fort Meade, NSA’s headquarters; even so, I got lost trying to find the place. There, under the exhaust of Baltimore Airport, a guard inspected my backpack for floppy disks, tape recorders, and viewgraphs.
“Hey, what can I steal on a viewgraph?”
The guard scowled. “Them’s our orders. Make trouble and you won’t pass.” He had a pistol on his side. OK.
You enter the meeting room through a door with a combination lock. Twenty people greeted me, leaving one chair empty, up near the front of the room. Ten minutes into my talk, a thin, bearded fellow wandered into the room, sat down in front, and interrupted my description of Tymnet’s traces.
“What’s the adiabatic lapse rate on Jupiter?”
Huh? I’m talking about transatlantic networks, and this guy asks me about the atmosphere of Jupiter? Well, hot dog—I can handle that.
“Oh about two degrees per kilometer, at least until you reach the two hundred millibar level.” By chance, this guy had asked me something straight from my dissertation.
Well, I continued my story, and every ten minutes the bearded guy stood up, left the room, and returned. He’d ask questions about the core of the moon, the cratering history of Mars, and orbital resonances among the moons of Jupiter. Weird. Nobody else seemed to mind, so I dovetailed my talk on the hacker with technical responses to this guy’s astronomical interrogation.
About quarter to five, I finished up and was walking out of the room (with a guard standing nearby). The bearded guy pulled me aside and said to the guard, “It’s OK, he’s with me.”
“What are you doing tonight?”
“Oh, going out to dinner with an astronomer friend.”
“Cool it. Tell him you’ll be a couple hours late.”
“Why? Who are you?”
“I’ll tell you later. Call your friend now.”
So I canceled my Friday evening dinner and was hustled into this guy’s dark blue Volvo. What’s happening here? I don’t even know his name and I’m traveling down the road. Some sort of kidnapping, I guess.
“I’m Bob Morris, the chief scientist at the Computer Security Center,” he said once we were on the highway. “We’re going to Fort Meade, where you’ll meet Harry Daniels. He’s the assistant director of NSA. Tell him your story.”
“But …”
“Just tell him what happened. I called him out of a congressional meeting in Washington to meet you. He’s driving up here right now.”
“But …” This guy wouldn’t let me get a word in.
“Look, the atmosphere of Jupiter is fine—though I’d thought all atmospheres were adiabatic so long as they convected—but we’ve got a serious problem on our hands.” Bob chain smoked and kept the windows rolled up. I gasped for breath. He went on. “We’ve got to bring it to the attention of people who can do something about it.”
“Yesterday’s meeting at Bolling was supposed to resolve that.”
“Just tell your story.”
If security at the Computer Security Center was tough, over at NSA’s headquarters—well, it took ten minutes to clear me through. Bob had no problem: “This badge lets me in anywhere, so long as I’m carrying a classified document.”
He entered a password and slid the card through the badge reader; meanwhile the guard fumbled with my viewgraphs. By the time we got to the director’s office, Harry Daniels had just arrived.
“This had better be important,” he said, glaring at Bob. This guy looked impressive—thin and about six-foot-six, he stooped when walking through doors.
“It is. I wouldn’t have called you otherwise,” Bob said. “Cliff, tell him.”
There was no room on his table—it was covered with cryptography equipment—so I spread out a diagram of the hacker’s connections on the floor.
Harry Daniels followed the chart meticulously. “Does he use the German Datex-P system to access the international record carriers?”
Holy smoke! How does someone this important know communications networks in such detail? I was impressed. I described the hacker’s break-ins, but the two of them wouldn’t let me speak two sentences without interrupting with a question.
Bob Morris nodded and said, “Here’s your smoking gun, Harry.”
The NSA honcho nodded.
The two of them talked for a few minutes, while I played with a World War II Japanese encryption machine. I wished I’d brought my Captain Midnight Secret Decoder Ring to show them.
“Cliff, this is important,” Harry Daniels said. “I’m not sure we can help you, but you can sure help us. We’ve had a real problem convincing various entities that computer security is a problem. We’d like you to talk to the National Telecommunications Security Committee. They make national policy, and we’d like them to know about this.”
“Can’t you just tell them?”
“We’ve been telling them for years,” Harry Daniels said. “But this is the first documented case.”
Bob Morris continued. “Mind you, he said, ‘Documented.’ The only difference between your case and others is that you’ve kept a logbook.”
“So this has been going on before?”
“I wouldn’t have called Harry up from Washington if I didn’t think it was serious.”
Driving back from Fort Meade, Bob Morris introduced himself. “I’ve worked on Unix security for the past ten years, up at Bell Labs in New Jersey.”
Wait a second. This must be the Morris that invented the Unix password protection scheme. I’d read papers by him about securing computers. Of course—Bob Morris, the violinist. His eccentricity was legendary: I’d heard stories of him eating dessert and lying down so a cat could lick the whipped cream from his beard.
Bob continued. “Next month’s meeting will be for policy making. If we’re ever going to progress beyond writing standards documents, we’ve got to demonstrate a danger to these people.” At last—someone at NSA who realized that computer security meant more than designing computers. “Any system can be insecure. All you have to do is stupidly manage it.”
“Well, yes, that about sums it up,” I agreed. “Some of the problems are genuine design flaws—like the Gnu-Emacs security hole—but most of them are from poor administration. The people running our computers don’t know how to secure them.”
“We’ve got to turn this around,” Bob said. “Secure computers might keep the bad guys out, but if they’re so balky that nobody will use ’em, it won’t be much progress.”
Tightening one computer was like securing an apartment house. But a network of computers, all sharing files and interchan
ging mail, well, this was like securing a small city. Bob, as chief scientist of the Computer Security Center, directed that effort.
By the time we’d returned, I’d almost grown accustomed to riding in a smoke-filled car. We started to argue about how planetary orbits interact—a subject that I ought to be able to hold my own in. But this guy knew his celestial mechanics. Ouch. I’d been away from astronomy too long if I couldn’t bat off his questions.
It was neat to talk with Bob Morris. Still, I was glad to come back home to Martha. I caught the bus home from the airport and jaywalked across College Avenue—striking another blow for anarchy. My roommate, Claudia, was practicing her violin when I walked in the door.
Claudia greeted me with a teasing smile. “Where have you been—running around with loose women, I bet!”
“Nope. Meeting dark, handsome spies with trench coats, in dark alleys.”
“Did you bring one home for me?” Claudia was perpetually on the lookout for a good man.
I didn’t have time to get out a clever answer, because Martha caught me from behind in a bear hug, and hoisted me into the air. “I missed you,” she said, setting me down with a kiss. It’s fun, but a little startling, to live with a woman who can beat me in a wrestling match.
I was worried that she’d be mad that I had gone away again, but she shrugged. “You’re in time for dinner, so you’re fine. Get in the kitchen and help.”
Martha was making her famous curry, which started with fresh coconut. I was out on the back porch whacking a coconut with a hammer when I heard Laurie pull up on her motorcycle.
Laurie was Martha’s best friend and college roommate. Despite her fierce exterior—crew cut, leather jacket, boots and black muscle shirt—she was a gentle country girl from New Mexico. She and Martha shared a special bond that made me just slightly jealous. But I guess I passed her test, for she treated us both as family.
“Hey, Cliffer,” she greeted me, mussing my hair. Looking hungrily at the coconut, she guessed what we were having. She tromped inside, hugged Martha, winked at Claudia, and scooped up the cat.
“Put that lazy thing down and chop some onions.” Martha was kitchen despot.
At last, dinner was on the table: a platter of curried rice, and dishes of chopped vegetables, nuts, raisins, fruit, and chutney. If it grows, Martha will curry it.
“Hey, where’ve you been for the past couple days?” Laurie asked me.
“Oh, I was summoned to Washington—the Reagans, you know, asked me to dinner,” I answered. I didn’t want to say that I’d just talked to a bunch of spies and spooks. Laurie hated the government, and I didn’t want to get her started.
“Oh, do tell what Nancy was wearing,” Laurie simpered, taking a third helping of curry. “Hey, what’s the latest on that hacker that you were chasing?”
“Oh, we haven’t caught him yet. Maybe never will.”
“Still think he’s a Berkeley student?” I hadn’t talked to Laurie about this thing for a couple months.
“Hard to say. For all I know, he’s coming from abroad.” I was getting nervous, surprised at my own reluctance to tell a close friend what I’d been up to. I wasn’t ashamed, exactly, but …
“Why are you spending so much time trying to catch some poor computer geek who’s just fooling around?”
“Fooling around? He broke into thirty military computers.” Whoops. Instantly, I wanted to unsay that.
“So what? That sounds like a good reason not to chase him,” Laurie said. “For all you know, he’s a pacifist from the German Green Party. Maybe he’s trying to find out what secret weird things the military is doing, and expose them to public scrutiny.”
I’d thought of that months ago and worried about it then. By now I was certain those weren’t his motives. I had done the obvious experiment: categorize his interests. Back in January, I’d created a variety of different-flavored baits. Alongside the bogus SDINET files, I’d placed equally counterfeit files about Berkeley’s local politics. Other files appeared to be financial statements, payroll accounts, games, and academic computer science topics.
If he were a peace activist, he might look at those political files. A thief, interested in ripping off our lab’s payroll, would go for the financial records. And I’d expect a student or computer nerd to reach for the games or academic files. But he wasn’t interested in any of these.
Except the SDI files.
This experiment, and a lot of more subtle things about his way of operating, convinced me that he was no idealist. This hacker was a spy.
But I couldn’t exactly prove that, and even after I explained my experiment to Laurie, she wasn’t convinced.
She still thought of anyone working against the military as one of “us,” and in her eyes I was persecuting someone on “our own” side.
How do I explain that, having been mixed up in this thing so long, I had stopped seeing clear political boundaries? All of us had common interests: myself, my lab, the FBI, the CIA, NSA, military groups, and yes, even Laurie. Each of us desired security and privacy.
I tried a different tack. “Look, it’s not a question of politics, but simple honesty. This guy violated my privacy and the privacy of all the other users. If someone broke into your house and rifled through your stuff, would you stop to ask if they were a fellow socialist?”
That didn’t work either. “A computer system isn’t private like a house,” Laurie responded. “Lots of people use it for many purposes. Just because this guy doesn’t have official permission to use it doesn’t necessarily mean he has no legitimate purpose in being there.”
“It’s damned well exactly like a house. You don’t want someone poking around in your diary, and you sure as hell don’t want them messing with your data. Breaking into these systems is trespassing without permission. It’s wrong no matter what your purpose is. And I have a right to ask these government agencies to help me get rid of this bastard. That’s their job!”
My voice had risen, and Martha looked anxiously from my angry face to Laurie’s. I realized that I sounded like a shotgun-toting redneck, yelling about law and order. Or worse—was I so blindly patriotic that I thought anyone who had an interest in military secrets was a traitor or a Commie spy?
I felt trapped and confused, and, unfairly, felt it was all Laurie’s fault for being so simplistic and self-righteous. She hadn’t had to deal with this hacker, and hadn’t had to call on the CIA for help, hadn’t talked to them and found they were real people. She thought of them as comic-book villains, killing innocent peasants in Central America. And maybe some of them were. But did that make it wrong to work with them at all?
I couldn’t talk anymore. I got up, rudely pushing away my half-finished plate of curry. I stomped off to the garage, to sand some bookcases we were making, and sulk in peace.
After an hour or so, it got harder to keep up the sulking. I thought of the fireplace, pie for dessert, and Laurie’s great back rubs. But, having grown up in a large, argumentative family, I was a dedicated, world-class sulker. I stayed in the cold garage, sanding furiously.
I suddenly noticed that Laurie was standing quietly by the door. “Cliff,” she said softly, “I really didn’t mean to give you such a hard time. Martha’s crying in the kitchen. Come on, let’s go inside.”
I thought of how easily I hurt Martha with my temper. I didn’t want to spoil the rest of the evening, so I went inside. We hugged, Martha wiped her face, and then served dessert. The rest of the evening, we talked brightly of other things.
But the questions Laurie had stirred up inside me came back to haunt me through the night. I lay awake and wondered where all this was leading me, and what kind of person I was being turned into by this strange chase.
I took flack from all directions, of course. The spooks didn’t trust me—I had no security clearance and didn’t work for a defense contractor.
Nobody had asked me to do this work, and we ran on zero budget. And how do I tell my Berkeley friends that I’d
just returned from the CIA?
Since we had neither funding nor authority, the three-letter agencies saw no reason to listen to us. I was little more than an annoyance to them. I felt like a grad student again.
A week after I’d returned, Mike Gibbons called from the FBI. “We’re closing our end of the investigation. There’s no reason for you to stay open.”
“Mike, is that you speaking, or one of your bosses?”
“It’s the FBI’s official policy,” Mike said, obviously annoyed.
“Has the Legal Attaché ever talked to the Germans?”
“Yes, but there’s confusion. The German federal police—the BKA—aren’t running the phone traces, so not much information filters back to the legat’s office. You might as well close up shop.”
“What’ll that do for the rest of the sites the hacker decides to hit?”
“Let them worry about it. Most of them won’t care anyway.”
Mike was right. Some of the places that had been broken into really didn’t care if they’d been hit. The Pentagon’s Optimis database, for example. Mike had notified them that a foreigner was using their computer. They didn’t bat an eyelash. Today, for all I know, anyone can read about the Army’s nuclear and biological warfare plans by logging onto their computer as Anonymous, with password Guest.
But though the FBI wanted us to close up, the Department of Energy still supported us. Halfway between, the CIA and NSA didn’t say one way or another.
No support either. For all that we’d told them, the NSA had never coughed up a nickel. And while it might seem fun to rub shoulders with secret agents, it did little for my astronomy, and even less for my reputation.
For several weeks during February, the hacker evaporated. None of my alarms went off, and his accounts remained dormant. Was he on to us? Had someone tipped him off to his impending arrest? Or was he sneaking through other computers?
Whatever the answer, his disappearance relieved some of the pressure to decide. For three weeks, I had nothing to report, so it made no difference if we stayed open. Without a half dozen agencies on my neck, I managed to actually write some software during that time.