
Cuckoo's Egg


by Clifford Stoll


  By late April the Bundespost still hadn’t received the proper papers from the United States. Their traces were based on an official complaint filed by the University of Bremen.

  But although the Bundespost had completed several traces, they wouldn’t tell me the suspects’ names or phone numbers. German law prohibited this. Sounded familiar. Briefly, I wondered if my sister Jeannie would be willing to snoop around Hannover. She’d been the most responsive investigator so far.

  I phoned Mike Gibbons. “We’re no longer handling this as a criminal case,” he said.

  “Why give up when the Germans have traced the line and know the suspects’ names?”

  “I didn’t say we were giving up. I just said that the FBI isn’t treating this as a criminal case.”

  What did that mean? As usual, Mike clammed up when I asked questions.

  Had the Air Force made much progress? They were quietly getting the word out that reptiles were crawling through the Milnet, trying to break into military computers. One by one, sites were tightening up security.

  But the Air Force relied on the FBI to catch the hacker. Ann Funk and Jim Christy wished they could help, but couldn’t.

  “Tell me anything except, ‘It’s not my bailiwick,’ ” I said.

  “OK,” Ann replied, “it’s not within my command.”

  I didn’t like leaving Berkeley, partly because I missed my sweetheart, but also because it left the hacker unwatched.

  I was to talk to the NTISSIC, a governmental organization whose acronym has never been decoded. Bob Morris said they set policy for telecommunications and information security, so I could guess some of the letters.

  “While you’re in the area,” Teejay said, “how about stopping by our headquarters in Langley?”

  Me? Visit the CIA? I’m in way over my head now. Meeting the spooks on their own ground. I could just imagine it: hundreds of spies in trench coats, skulking around hallways.

  Then the NSA invited me to Fort Meade as well. But not quite so informally. Over the phone, Zeke Hanson said, “We’d like you to prepare a talk for the X-1 department. They’ll send you questions in advance.”

  Department X-1 of the National Security Agency? Yow, now this was cloak-and-dagger. As usual, I couldn’t get any more information out of them … Zeke wouldn’t even tell me what X-1 stood for.

  Well, I arrived at NSA, and Bob Morris greeted me in his office. The three chalkboards were covered with Russian writing (“They’re rhyming riddles,” he explained) and a few mathematical equations. Where else but at NSA?

  I chalked a short note in Chinese, and Bob hit me with an easy number problem: OTTFFSS. “What’s the next letter, Cliff?”

  That was an oldie. One. Two. Three. Four. Five. Six. Seven. “The next letter is E for Eight,” I announced.

  Well, we fooled around with puzzles and palindromes for a while, until he wrote out this series of numbers: 1, 11, 21, 1211, 111221.

  “Complete that series, Cliff.”

  I looked at it for five minutes and gave up. I’m sure it’s easy, but to this day, I still haven’t solved it.

  It was weird. Here I was, hoping to light a fire under NSA’s feet. And here was Bob Morris, their top guru, competing with me in number games. Fun, sure. But disquieting.

  We drove down to Washington, to the Department of Justice. We talked about computer security, and I pointed out to him that, for all he knew, I could be making up this whole story.

  “You don’t have a way of checking up on me.”

  “We don’t need to. NSA is a house of mirrors—each section checks on another section.”

  “You mean you spy on yourself?”

  “No, no, no. We constantly check our results. For instance, when we solve a mathematical problem by theoretical means, we check the result on a computer. Then another section might try to solve the same problem with a different technique. It’s all a matter of abstraction.”

  “Think anyone will mind that I don’t have a tie?” I’d worn a clean pair of jeans, figuring there might be some important people. But I still didn’t own a suit or tie.

  “Don’t worry,” Bob said. “At your level of abstraction, it doesn’t make any difference.”

  The meeting was top secret, so I couldn’t listen—someone fetched me when my turn came. In a small room, lit only by the viewgraph machine, there were around thirty people, most of them in uniforms. Generals and admirals, like you see in the movies.

  Well, I talked for half an hour, describing how the hacker was breaking into military computers and skipping through our networks. One general in the back kept interrupting with questions. Not easy ones, like, “When did you discover this guy?” but toughies, like “How can you prove that electronic mail hasn’t been forged?” and “Why hasn’t the FBI solved this case?”

  Well, the questions didn’t let up for another half hour, when they finally let me off the rack. Over cheese sandwiches, Bob Morris explained what had happened.

  “I’ve never seen so many brass in one room before. You know, that one guy who asked the good questions—he’s one of the junior people in the room. Just a Major General.”

  I know as little about the military world as the next person. “I guess I’m impressed, though I’m not sure why,” I said.

  “You ought to be,” Bob said. “These are all flag officers. General John Paul Hyde works at the Joint Chiefs of Staff. And that guy in the front row—he’s a big shot from the FBI. It’s a good thing he heard you.”

  I wasn’t so sure. I could imagine a honcho in the FBI having a rough time of it: he knows that his agency ought to be doing something, yet something gets corked up. He didn’t need flack from some Berkeley longhair; he needed our support and cooperation.

  I was suddenly queasy. I pressed the replay button in my mind. Did I screw up? It’s a weird feeling of being nervous after you do something. The more I thought about it, the more impressed I was with the military people. They’d zeroed in on the weak points of my talk, and understood both the details and importance of what I’d said.

  How far I’d come. A year ago, I would have viewed these officers as war-mongering puppets of the Wall Street capitalists. This, after all, was what I’d learned in college. Now things didn’t seem so black and white. They seemed like smart people handling a serious problem.

  The next morning I was to speak at NSA’s X-1 department. Sure enough, they’d prepared a list of questions, and asked me to concentrate on the following themes:

  1. How was the penetrator tracked?

  2. What auditing features exist?

  3. How to audit someone with system-level privilege?

  4. Supply technical details on how to penetrate computers.

  5. How were passwords obtained for the Livermore Crays?

  6. How were super-user privileges obtained?

  7. Did the penetrator guard against detection?

  I stared at these questions, and gulped. Oh, I understood what the NSA folks were asking me, but there was something wrong here.

  Was it that the answers to these questions could be used to break into systems? No, that wasn’t my objection. They covered essentially defensive topics.

  Or did I object to NSA’s role of gathering information but not sharing it with anyone else? No, not really. I had resigned myself to that.

  Reading them a third time, I sensed that they showed an underlying assumption that I found offensive. I scratched my head, wondering what was annoying me.

  Finally I realized what galled me about their questions.

  It wasn’t the content of the question, it was their intrinsic neutrality. They assumed an impersonal adversary—a sanitized “penetrator.” They implied that this was an emotionless, technical problem, to be solved by purely technical means.

  So long as you think of someone ripping you off as a “penetrator,” you’ll never make any progress. As long as they remained impersonal and detached, the NSA people would never realize that this wasn’t just a computer being penetrated, but was a community being attacked.

  As a scientist, I understood the importance of remaining detached from an experiment. But I’d never solve the problem until I got involved; until I worried about the cancer patients who might be injured by this guy; until I became angry that this hacker was directly threatening all of us.

  I rephrased the questions and scribbled a new viewgraph:

  1. How does this scoundrel break into computers?

  2. Which systems does he slither into?

  3. How did this bastard become super-user?

  4. How did the louse get passwords to the Livermore Cray?

  5. Did the skunk guard against detection?

  6. Can you audit a varmint who’s system manager?

  7. How do you trace an eggsucker back to his roost?

  Now those questions, I can answer.

  These NSA spooks spoke in morally null jargon, while I felt genuine outrage. Outrage that I was wasting my time following a vandal instead of doing astrophysics. Outrage that this spy was grabbing sensitive information with impunity. Outrage that my government didn’t give a damn.

  So how do you pump up a bunch of technocrats when you’re a longhaired astronomer without a tie? Or without any security clearance? (There must be some rule like, “No suit, no shoes, no clearance.”) I did my best, but I’m afraid that the NSA people were more interested in the technology than any ethical implications.

  Afterwards they showed me a few of their computer systems. It was a bit disconcerting: every room I walked into had a flashing red light on the ceiling. “It warns everyone not to say anything classified while you’re here,” I was told.

  “What’s the meaning of section X-1?” I asked my guide.

  “Oh, that’s boring,” she replied. “NSA has twenty-four divisions, each with a letter. X is the secure software group. We test secure computers. X-1 are the mathematical folks who test software theoretically—trying to find holes in its design. X-2 people sit at the computer, trying to break software once it’s written.”

  “So that’s why you’re interested in computer weaknesses.”

  “Yeah. One division of NSA may spend three years building a secure computer. X-1 will examine its design and then X-2 will bang on it, searching for holes. If we find any, we’ll return it, but we won’t tell them where the bug is. We leave it for them to puzzle out.”

  I wondered if they would have picked up the problem with Gnu-Emacs.

  Along the way, I asked several people at NSA if there was any way that they could support our work. Individually, they regretted that our funding came entirely out of physics grants. Collectively, though, they offered no help.

  “It would be easier if you were a defense contractor,” one spook told me. “NSA shies away from academics. There seems to be a kind of mutual distrust.” So far, my total outside support was $85, an honorarium for speaking at the San Francisco Bay Technical Librarians’ Association.

  The tour of NSA lasted well into lunch, so I left Fort Meade late, and got plenty lost on my way to the CIA in Langley, Virginia. Around 2 P.M., I found the unmarked turnoff and pulled up to the gatehouse, an hour late.

  The guard stared at me like I’d recently arrived from Mars. “Who are you here to see?”

  “Teejay.”

  “Your last name?”

  “Stoll.” The guard looked over her clipboard, handed me a form to fill out, and slipped a blue pass on the rental car’s dashboard.

  A VIP parking pass from the CIA. That’s gotta be worth $5.00 back in Berkeley. Maybe $10.00.

  Me? A VIP? At the CIA? Surreal. I dodged a few joggers and bicycles on my way to the VIP lot. An armed guard assured me that I didn’t have to lock the car doors. In the background, the seventeen-year locusts were buzzing and a mallard quacked. What’s a flock of ducks doing at the portals of the CIA?

  Teejay hadn’t said how technical a talk he wanted, so I stuffed my viewgraphs into a grungy envelope. Then, off to the CIA building.

  “You’re late,” Teejay called from across the foyer. What do I tell him? That I always get lost on freeways?

  In the middle of the foyer’s floor is a five-foot-diameter seal of the CIA, a terrazzo eagle set behind an official seal. I expected everyone to walk around the grey symbol, just as the high school students do in Rebel Without a Cause. No such luck. Everyone walks on top of it, showing the poor bird no respect.

  On the wall, there’s a marble inscription, “The Truth Shall Set You Free.” (I wondered why they’d use Caltech’s motto—then I noticed the quote came from the Bible.) Four-dozen stars were engraved on the opposite wall—I could only guess about the forty-eight lives they represented.

  After a ritualistic search of my belongings, I received a fluorescent red badge with a V. The visitor tag wasn’t necessary—I was the only guy around without a tie. Not a trench coat in sight.

  The atmosphere was that of a subdued campus, with people strolling the hallway, practicing languages, and arguing around newspapers. Every once in a while, a couple would wander by, arm in arm. This was a long way from Boris and Natasha cartoons.

  Well, not exactly like a campus. As Teejay showed me to his first-floor office, I noticed that each door was a different color, but none had cartoons or political posters on them. Some, however, had combination locks, almost like bank vaults. Even the electrical boxes had padlocks.

  “Because you’re late, we’ve rescheduled the meeting,” Teejay said.

  “I’ve got to select viewgraphs,” I said. “How technical a talk should I give?”

  Teejay gave me the hairy eyeball and said, “Don’t worry about it. You won’t need viewgraphs.”

  I sensed trouble ahead. No escaping this time. While sitting around Teejay’s desk, I discovered that he had a fantastic set of rubber stamps. Real “TOP SECRET” stamps, along with things like “CLASSIFIED,” “EYES ONLY,” “COMPARTMENTALIZED INTELLEGENCE,” “SHRED AFTER READING,” and “NOFORN.” I figured the last one meant “No Fornicating,” but Teejay set me straight: “No Foreign Nationals.” I stamped each one on a sheet of paper, and stuffed it in my pack of viewgraphs.

  Greg Fennel, the other spook who had visited me in Berkeley, stopped by and took me up to the CIA’s computer room. More like a stadium. In Berkeley, I was accustomed to a dozen computers in a big room. Here, there were hundreds of mainframe computers packed tightly together in a huge cavern. Greg pointed out that, outside of Fort Meade, it’s the world’s largest computer installation.

  All IBM mainframes.

  Now, among Unix aficionados, big IBM systems are throwbacks to the 1960s, when computing centers were the rage. With desktop workstations, networks, and personal computers, Goliath centralized systems seem antiquated.

  “Why all this IBM stuff?” I asked Greg. “Those things are dinosaurs.” I snidely showed my Unix bias.

  “Well, we’re changing,” Greg answered. “We’ve got a dedicated artificial intelligence group, active robotics researchers, and our image-processing lab really cooks.”

  I remembered proudly showing Teejay and Greg through my lab’s computing system. Suddenly, I felt incredibly embarrassed—our five Vaxes, scientific workhorses to us, seemed mighty puny next to these.

  Yet our purposes were different. The CIA needs a giant database system—they want to organize and associate lots of diverse data. We needed number crunchers: computers that were fast with math. It’s always tempting to measure the speed of a computer or the size of its disks, and then conclude that “this one is better.”

  The question isn’t, “Which computer is faster,” no, not even, “Which is better.” Instead, ask, “Which is more suitable?” or “Which will get your job done?”

  After touring the CIA’s computing division, Teejay and Greg took me up to the seventh floor. The staircase is labeled with the floor numbers in different languages: I recognized the fifth floor (Chinese) and the sixth floor (Russian).

  I was shown to an anteroom with a Persian rug on the floor, Impressionist art on the walls, and a bust of George Washington in the corner. A real mixed bag. I settled down into a sofa with Greg and Teejay. Across from us were two other guys, each with a picture badge. We talked a bit—one of the guys spoke fluent Chinese; the other had been a veterinarian before joining the CIA. I wondered what kind of talk I was expected to give.

  The office door swung wide, and a tall, gray-haired man called us in. “Hi, I’m Hank Mahoney. Welcome in.”

  So this is the meeting. It turns out that the seventh floor is the hide-out for the CIA’s high-muckity-mucks. Hank Mahoney’s the CIA’s deputy director; grinning nearby was Bill Donneley, the assistant director, and a couple others.

  “You mean that you’ve heard about this case?”

  “We’ve been following it daily. Of course, this case alone may not seem like much. But it represents a serious problem for the future. We appreciate your taking the effort to keep us informed.” They presented me with a certificate of appreciation—wrapped up like a diploma.

  I didn’t know what to say, so I stammered out my thanks and looked at Teejay, who was chuckling. Afterward, he said, “We wanted to keep it a surprise.”

  Surprise? Jeez—I’d expected to walk into a room of programmers and give a shoptalk on network security. I glanced at the certificate. It was signed by William Webster, director of the CIA.

  On my way out, sure enough, the guards searched my stack of viewgraphs. Halfway down, there was that page of paper with its telltale stamp, “TOP SECRET.” Uh oh.

  Red alert—visitor caught leaving CIA with document stamped “TOP SECRET”! Nothing else on the page, of course. Five minutes of explaining and two phone calls later, they let me out. But not without confiscating the rubber stamp sampler. And a lecture on how “we take security seriously around here.”

  I flew back to Berkeley, sitting next to Greg Fennel, who was flying west for some secret business. Turns out that his background is astronomy—he used to run an observatory. We talked a bit about Space Telescope, the billion-dollar, high-precision instrument that’s soon to be launched.

 
