Cuckoo's Egg

Home > Other > Cuckoo's Egg > Page 33
Cuckoo's Egg Page 33

by Clifford Stoll


  In four minutes this hacker had pried at a new part of my operating system. He searched for a program called X-preserve on our Unix computer.

  Hey—I know what he’s doing. He’s looking for the X-preserve hole in the VI-editor. Dave Cleveland and I had patched that almost a year ago. But this hacker is only now trying to exploit it.

  VI is the Unix screen editor. When Bill Joy wrote it, back in 1980, people thought it was the neatest invention around. It let you watch as you moved words around! If you wanted to remove a word in the middle of a paragraph, you just moved the blinking box to that word, and presto!

  VI was predecessor to hundreds of word processing systems. By now, Unix folks see it as a bit stodgy—it hasn’t the versatility of Gnu-Emacs, nor the friendliness of more modern editors. Despite that, VI shows up on every Unix system.

  What happens if you’re writing a long article and the computer hiccups? Say, there’s a power blackout or some moron pulls the plug. Used to be that you’d lose everything you had typed in.

  The VI editor uses X-preserve to recover what you’ve done. When the computer returns from the dead, X-preserve will reassemble the pieces of your work. It’ll then ask you where to store this knit-together file. Most people will say, “Oh, put it in my home directory.”

  But X-preserve didn’t check where you stashed that file. You could say, “Stick the file in the systems directory,” and it would do so.

  That’s what the hacker tried. He made a file that said, “Grant system privilege to Sventek.” He fired up the VI-editor, then tripped up the editor by feeding it an interrupt character. VI, sensing a problem, stored his file in pieces.

  The hacker’s next step? Tell X-preserve to slip that file into the systems directory. In a couple minutes, Unix would hatch it, and he’d become system manager.

  But the cuckoo’s egg fell out of this nest. We’d fixed the X-preserve program … it now checks who you are and won’t let you move a file into the systems area.

  Poor guy. He must feel crestfallen. A nifty trick to break into systems, but it just won’t work here in Berkeley.

  Oh, I’d left our other holes open. He can still use Gnu-Emacs to plant his egg-program in the systems nest. And I’ve purposely left two other holes in our system waiting around for him to discover. Just to measure his skill. So far, he’s batting one for three.

  All this took three minutes. He entered his program perfectly—not a single typing error. It’s as if he’d done this often. As if he’d practiced breaking into other computers.

  How many other system managers hadn’t yet patched X-preserve? How many other holes were still waiting to be discovered? Where would I go to warn people about this? How would I tell the people in the white hats, without tipping off the bad guys?

  Too late for that. The guys in the black hats already know.

  Although this connection lasted only a few minutes in Berkeley, the University of Bremen reported that he was connected for forty-five minutes. In turn, the Bundespost once again traced the entire link back to the same individual in Hannover.

  Turned out that the University of Bremen was also printing the hacker’s traffic. Two of us were now watching this guy. He could run, but he couldn’t hide.

  For the past couple months, he’d just nibbled at the SDINET files. He’d seen the names of these files and noticed that everyday I added new memos and letters but didn’t read them right off. I’d begun having my doubts whether he was still interested in our creative writing.

  On Wednesday, May 20, my doubts cleared up. He connected at five in the morning and dumped all the SDINET files. Here was one letter asking the Pentagon for more funding. Another talking about “over-the-horizon radar”—a catch phrase I’d found in an electronics magazine. Yet another note described tests of a new supercomputer, complete with parallel processors. I tried to conceal my utter lack of knowledge of these subjects by filling the letters with jargon.

  He swallowed them, all right. One by one. I wanted him to ask for each bogus memo by name rather than saying, “Give me all the files.” So I added a few ringers. Files that were far too long to type out. A few short files that were filled with gibberish—computer guacamole. He couldn’t print these poisoned files, so he’d have to check each file first. This slowed him down and he stayed on the system longer: more time to trace.

  Nine months? We’d been watching this one skunk for the better part of a year. And Mitre’s telephone bills said he’d been breaking in for more than a year. What persistence!

  I wondered again, what’s driving this guy? Sure, I’d get a charge out of fooling around for a night or two. Might even be fun for a couple weeks. But a year? Night after night, patiently twisting doorknobs to computers? Why, you’d have to pay me.

  Paid? Was someone paying this hacker?

  The next few times he showed up, I hadn’t added much more to his SDINET feeding grounds. My puppet secretary, Barbara Sherwin, wrote a word-processed memo asking for a week’s vacation. The hacker read this and should have understood why there was so little new information.

  Instead of pawing through LBL’s files, then, he went out over the Milnet, once again patiently trying to guess passwords. One of my bogus SDINET reports mentioned a special project at White Sands Missile Range; sure enough, he spent fifteen minutes scratching at their door. White Sands’ computers recorded a dozen attempts to break in, but none were successful.

  Chris McDonald, White Sands’ computer security ace, called me within the hour. “Someone’s setting off alarms inside my WSMR05 computer.”

  “I know. It’s the same hacker.”

  “Well, he’s trying accounts that don’t exist. Names like SDINET. There’s no way he’ll get in that way,” Chris said confidently. “Anyway, that machine needs two passwords, and we changed ’em all last week.” White Sands didn’t fool around.

  He wasted his time trying thirty other computers as well. The Korean Advanced Institute of Science and Technology. The Army Safety Center at Fort Rucker. Strategic Air Command. The Defense Nuclear Agency at Kirtland Air Force Base. Though he still tried account names like “guest” and “system,” he used “SDINET” as well. No doubt that he’s a believer.

  Mostly the hacker’s trips through my system were becoming routine. I still ran to the switchyard whenever my beeper called, but I guess I’d become accustomed to having this mouse in a cage.

  I’d waited eight months, I could wait some more. Around the second week of June, he stopped into my computer from 3:38 until 4:13 in the afternoon. We traced him completely—Hannover again—and stayed in touch with the FBI throughout.

  Immediately after logging onto my Berkeley computer, he jumped onto the Milnet and tried to log onto some computers at the Unisys Corporation, in Paoli, Pennsylvania. Systems named “Omega,” “Bigburd,” and “Rosencrantz” (I kept waiting to see Guildenstern, but he never found it). Then he tried the Unisys Burdvax system.

  He got in on his first try. Account name Ingres, password, “Ingres.” Not bad … he remembers the Ingres database. Buy why did he just try those Unisys computers? What brought them to his attention? Maybe someone told him to look for them.

  Maybe Laszlo Balogh in Pittsburgh worked in Paoli. The atlas said otherwise. Paoli’s a suburb of Philadelphia, hundreds of miles away from Pittsburgh.

  As an Ingres user, the hacker only had limited privileges, but he took what he could find. Most useful to him, he found a way to read the Unisys password file. Copied the whole thing to his home computer. Then he listed several files which should never be world-readable: the list of phone numbers that the Unisys computer knew, and Unisys’s network address file.

  I already knew what he’d do with the Unisys password file. He’d decrypt it by blasting a dictionary at it. Then he’d log into a more privileged account and garner still more power.

  Those other files were just as worrisome. They provided the hacker with phone numbers to nearby computers and a map of the Unisys local network. Now h
e knew how to connect from the Burdvax into other computers … he didn’t need to explore.

  But even as I watched, he disconnected. Was he scared? No, just patient. He was going to check up on other computers. First, the Fort Buckner system in Okinawa. Yes, his password was still good there. Despite our warnings, they hadn’t changed a thing.

  Next, he tried the Naval Coastal Systems Command in Panama City, Florida. But he couldn’t get in on his old Ingres account. They’d changed the password on him.

  Didn’t faze him for an instant. He turned around and logged in as user “Ovca,” password, “Baseball.” This worked perfectly.

  Aha! More evidence for password cracking. Two months ago, the hacker logged into that naval computer as “Ingres,” and copied their encrypted password file. Now, even though they deleted the Ingres account, he can still log in, using some other account. The fools had only changed one password. And their passwords were ordinary English words. Jeez.

  While he was at it, he checked into his old haunts. Ramstein Air Force Base. Fort Stewart. University of Rochester. The Pentagon Optimis Data Center. Finally he left the network.

  Today he’d broken into a new computer at Unisys. Where had I heard that name? Of course—they’re a defense contractor that makes computers for the military. Not just any computers. Unisys builds secure computers, systems that you can’t break into.

  Right.

  Wait a second. What other defense contractors had been hit? I scribbled a list on a pad of paper:

  Unisys. Makers of secure computers.

  TRW. They make military and space computers.

  SRI. They’ve got military contracts to design computer security systems.

  Mitre. They design high-security computers for the military. They’re the people that test NSA’s secure computers.

  BBN. The builders of the Milnet.

  What’s wrong with this picture? These are the very people that are designing, building, and testing secure systems. Yet hackers traipse freely through their computers.

  These companies don’t have dinky budgets, either. They charge our government tens of millions of dollars to develop secure software. No doubt about it: the shoemakers’ kids are running around barefoot.

  I’d seen this guy break into military computers, defense contractors, universities, and laboratories. But no banks. Oh—I know why. Their networks aren’t as public as the Arpanet. But if he got on their networks, I’d bet he’d be about as successful.

  For it doesn’t take brilliance or wizardry to break into computers. Just patience. What this hacker lacked in originality, he made up for in persistence. A few of the holes he exploited were news to me: the Gnu-Emacs problem, for instance. But mostly, he took advantage of administrators’ blunders. Leaving accounts protected by obvious passwords. Mailing passwords to each other. Not monitoring audit trails.

  Come to think of it, was it foolish to remain open? It had been almost ten months, and he was still free. Despite his breaking into more than thirty computers, despite Laszlo’s letter from Pittsburgh, despite all these traces, this hacker was still at large. How much longer would this go on?

  It was June—summer in paradise. I biked home, enjoying the scene, Berkeley students with Frisbees, sailboards, and an occasional convertible top down in the balmy air. Our garden was full of roses, marigolds, and tomatoes. The strawberries were thriving, promising still more milkshakes.

  Inside the house, however, Martha was imprisoned, studying for her bar exam. This last ordeal looked even harder than three years of law school. In summer, when everyone else can go out and play, you’re stuck in dreary review classes, cramming your head with legal rules, counting the days until the exam—a three-day ordeal modeled on the Spanish Inquisition.

  Martha coped, patiently reading her books, making intricate outlines of each subject with colored pens, meeting with fellow sufferers to quiz each other. She was philosophical about it; she put in exactly ten hours each day, then slammed the books shut. Aikido became her salvation—she took out her frustrations by flipping people over her head.

  Martha rarely talked about the lurking horror of the exam itself, but it was always there. Watching her go through this brought back memories of my own grad school days.

  In astronomy, you first enjoy three or four years of confusing classes, impossible problem sets, and sneers from the faculty. Having endured that, you’re rewarded with an eight-hour written exam, with questions like: “How do you age-date meteorites using the elements Samarium and Neodymium?” If you survive, you win the great honor and pleasure of an oral exam by a panel of learned professors.

  I remember it vividly. Across a table, five profs. I’m frightened, trying to look casual as sweat drips down my face. But I’m keeping afloat; I’ve managed to babble superficially, giving the illusion that I know something. Just a few more questions, I think, and they’ll set me free. Then the examiner over at the end of the table—the guy with the twisted little smile—starts sharpening his pencil with a penknife.

  “I’ve got just one question, Cliff,” he says, carving his way through the Eberhard-Faber. “Why is the sky blue?”

  My mind is absolutely, profoundly blank. I have no idea. I look out the window at the sky with the primitive, uncomprehending wonder of a Neanderthal contemplating fire. I force myself to say something—anything. “Scattered light,” I reply. “Uh, yeah, scattered sunlight.”

  “Could you be more specific?”

  Well, words came from somewhere, out of some deep instinct of self-preservation. I babbled about the spectrum of sunlight, the upper atmosphere, and how light interacts with molecules of air.

  “Could you be more specific?”

  I’m describing how air molecules have dipole moments, the wave-particle duality of light, scribbling equations on the blackboard, and …

  “Could you be more specific?”

  An hour later, I’m sweating hard. His simple question—a five-year-old’s question—has drawn together oscillator theory, electricity and magnetism, thermodynamics, even quantum mechanics. Even in my miserable writhing, I admired the guy.

  So Sunday morning I’m looking at Martha, calmly working on an outline, the dining table strewn with books. She’ll pass, all right, but I also know how scared she is and how an exam can make anyone feel absolutely stupid and helpless. I can’t make her ordeal easier, but I can at least make breakfast. I slip quietly into the kitchen and crack a few eggs …

  At 9:32, the damned hacker steps on my tripwire. The pager beeps. I call Steve White. He calls Germany. Like the old double play: Tinker to Evers to Chance.

  Steve needed a minute to find the hacker coming from address 2624 DNIC 4511 0199-36. Direct from Hannover. (Or as direct as transatlantic satellite connections can be.)

  The Bundespost was hot. Took them only a few minutes to confirm that they’d started a trace. Nice. Meanwhile, having started the ball rolling, I pulled on some clothes and biked up to the lab. No time for yard sales this morning.

  I arrived with plenty of time to spare. My visitor was still pawing through the bogus SDINET files, carefully copying each one into his own computer. One file described how the Strategic Defense Initiative was to be used in tracking satellites in space. Another file seemed to say that you could connect directly into several Air Force computers from my laboratory.

  The hacker wanted to try, but couldn’t figure out where we’d installed the network software. So he scoured our entire computer, searching for any program containing the phrase “SDI.” He found quite a few, but none seemed to do the job for him.

  Then he rifled Dave Cleveland’s mail. Dave had prepared for this—he’d written a letter talking about how he’d hidden the SDINET access ports. Dave’s letter contained the sentence, “I’ve concealed the SDI network port, and I doubt that many people will discover it.”

  That was enough to set the hacker on an hour-long wild goose chase. He combed through our system, groping for what he knew was a hidden program th
at would be his northwestern passage to military computers everywhere.

  I sat back, smiling at the screen. He’d been suckered in, all right. He still felt challenged to uncover the SDI network connection and truly believed that he could reach those classified computers.

  Yet my system looked vanilla. Because it was vanilla. Oh, here and there, I sprinkled hints that other people were using the SDI network. One physicist cooperated and sent a complaint to the system manager, saying that the SDI network wasn’t functioning last Tuesday night. Another wrote a mundane program full of subroutines with names like SDI-link and Copy-SDI.

  Though it took hours, the hacker eventually discovered these, and must have scratched his head, wondering why others had such an easy time using the network. He tried logging into computers named Sdi and Sdinetwork. Over and over, he sifted through our system, but to no avail.

  Eventually he gave up and let me go home. Martha wasn’t pleased, of course. She’d been studying all morning, and she was hungry and grouchy. The two eggs stared at me from the pan, uncooked, just as I’d left them.

  So I made a brunch of omelets, hot cocoa, and fruit salad; she dumped her books off the table with a vengeance, and we sat down, enjoying a few moments of peace in the quiet sunny room. The more strange life gets, the more precious those times are, with food and friends and the Sunday Times crossword puzzle.

  Monday morning, Teresa Brecken, the Petvax system manager, reported that someone had attacked her computer. He couldn’t get into it but had been probing it, searching for weak places. His pounding had set off alarms, and Teresa called me.

  He’d come in over her port to the High Energy Physics Network. That didn’t mean much—there’s a couple thousand other computers on that net. Moreover, the Hepnet ties to SPAN, the Space Physics Applications Network, run by NASA. Altogether there’s well over ten thousand computers on those networks.

  Had the hacker been laughing at me all the time? While I’d been watching the Tymnet mouse hole, had he been waltzing in through some NASA network?

 

‹ Prev