Cuckoo's Egg

by Clifford Stoll


  Teresa’s monitors showed this hacker had come from computer 6.133, the National Severe Storms Data Center’s computer at NASA’s Goddard Spaceflight Center. Not much to do but call them.

  I didn’t get very far. They were worried about hackers on their computer and had discovered one or two problems, but couldn’t go much further. I pestered them, and they finally said that this particular connection had originated at NASA’s Marshall Spaceflight Center in Huntsville, Alabama. From there, who knows? Marshall didn’t keep records.

  Same guy? I doubted it. The NASA computers aren’t secret—NASA does civilian space research and has nothing to do with the Strategic Defense Initiative. Still, worth remembering the incident: I wrote it down in my logbook.

  I called Mike Gibbons again, wondering how much longer we’d have to wait before the FBI and their German partners began to move.

  “Any day now,” Mike replied. “The warrants are in order and we’re just waiting for the right time.”

  “Give me a figure, Mike. Do you mean hours, days, weeks, or months?”

  “More than days, less than weeks.”

  I wondered if the FBI was feeding some false information through Laszlo Balogh. “Ever reply to the Pittsburgh letter?” I asked.

  “Hey, how about them Yankees winning another game?” As usual, Mike played his cards close to his chest.

  Almost every day now, the hacker logged in for a few minutes. Sometimes he’d grab any new files from the SDINET account. Other days he’d try to break into military computers. Once he spent half an hour trying to guess the password for our Elxsi computer—I’d dropped a hint that our Elxsi was a central SDINET controller.

  I could embroider fake military documents as fast as he could read them. Knowing that he was passing my handiwork to some agent in Pittsburgh, I added just a dash of verifiable information: the Pentagon was scheduling a secret satellite to be launched on the Atlantis space shuttle. This was common knowledge to anyone reading the newspapers. But I imagined that in his quest for secret information, he’d feel that these nuggets of truth confirmed that he’d struck the mother lode.

  Sunday, June 21, 1987, at 12:37 P.M., he logged into our Unix computer as Sventek. For five minutes he checked the system status and listed a few mail files. This intrusion seemed just like his others.

  But this session was different in one important way.

  It was his last.

  “Hi, Cliff, it’s Steve.” I put down my chocolate chip cookie.

  “I just got a message from Wolfgang Hoffman at the German Bundespost. He says that there’ll be a full-time policeman outside the hacker’s apartment on Monday through Wednesday of next week. They’ll keep watch continually, and they’ll rush in to make an arrest as soon as he connects to Berkeley.”

  “How will the cop know when to bust in?”

  “You’ll give the signal, Cliff.”

  The next time the hacker touched my system, I would call the FBI and Tymnet. They’d make the trace, tell the German BKA, and the cops would bust into his apartment.

  Finally, after ten months.

  Will he show up? And what if he doesn’t? Will they bust him anyway or give up on the whole thing? With my luck, they’ll drop the whole thing.

  I spent the weekend at home with Martha, arriving at the lab late Sunday evening. With the best of luck, the hacker would show up on Sventek’s account, I’d call the FBI, and while he was dumping a file of my concocted SDI baloney, he’d be busted. I could imagine him frantically trying to conceal his computer as police break down his apartment’s door.

  With dreams like those, I nestled under my desk, wrapped in the quilt that Martha and I had made last winter. In case my beeper failed, two personal computers stood watch, each wired to a bell. After ten months, I wasn’t going to miss my big chance.

  Monday afternoon, June 22, Wolfgang Hoffman cabled this message: “Arrests expected shortly. Notify us immediately if hacker shows up.”

  OK, I’m waiting. Every few minutes, I walk over to the switchyard and everything’s quiet. Oh yeah, a couple physicists are using Tymnet to analyze some high-temperature superconductors. But there’s no other traffic. My alarms and tripwires are in place, but not a peep.

  Another night under the desk.

  Tuesday morning, June 23, Mike Gibbons called from the FBI.

  “You can close up shop, Cliff.”

  “What’s happened?”

  “Arrest warrants were issued this morning at 10 A.M.”

  “But I didn’t see anyone on my system then.”

  “Makes no difference.”

  “Anyone arrested?”

  “I can’t say.”

  “Where are you, Mike?”

  “In Pittsburgh.”

  Something was happening. But Mike wouldn’t say what. I’d wait for a while before closing my doors to this hacker.

  A few hours later, Wolfgang Hoffman sent a message: “An apartment and a company were searched, and nobody was home at the time. Printouts, disks, and tapes were seized and will be analyzed in the next few days. Expect no further break-ins.”

  What does this mean? I guess the police busted his apartment. Why didn’t they wait for our signal? Should I celebrate?

  Whatever happened, at last we could seal our doors. I changed our Tymnet passwords and patched the hole in the Gnu-Emacs editor. What should we do about everyone’s passwords?

  The only way to guarantee a clean system would be to change every single password overnight. Then certify each user, one by one, the next morning. Easy if there’s only a few people on your system. Impossible for our twelve hundred scientists.

  Yet if we didn’t change every password, we couldn’t be sure that some other hacker might not have purloined an account. All it takes is one stolen account. In the end we expired everyone’s passwords and asked everyone to pick a new one. One that’s not in the dictionary.

  I set traps on all the hacker’s stolen accounts. If anyone tries to log in as Sventek, the system will reject the try—but it’ll capture all the information on where the call originates. Just let him try.

  Martha and I couldn’t celebrate in a big way—her bar-exam cram course was a ball and chain—but we played hooky for a day and escaped to the North Coast. We wandered on the high cliffs covered with wildflowers and watched the waves crash over the rocks a hundred feet below us. We climbed down to an isolated little cove—our own private beach—and for a few hours all my worries were far away, unreal.

  Within the next few days, word filtered back from Germany. Apparently the Hannover police had simultaneously broken into a company, Focus Computer GmbH of Hannover, and the apartment of one of their employees. They seized eighty disks at the computer firm, and twice that at the apartment. Both the manager of Focus Computer and the individual were detained; they said nothing. But the manager hinted that they had suspected that they’d been observed.

  The evidence? Shipped to somewhere called Wiesbaden for “analysis by experts.” Hell, I could analyze it easily enough myself. Just search for the word, “SDINET.” As the inventor of that word, I could tell instantly whether their printouts were the real McCoy.

  What’s the hacker’s name? What was he up to? What’s the connection with Pittsburgh? What’s happened to him? Time to ask Mike of the FBI.

  “Now that it’s all over, can you tell me the guy’s name?” I asked.

  “It’s not all over, and no, I can’t tell you his name,” Mike replied, showing more than his usual annoyance at my questions.

  “Well, can I find out more about this guy from the Germans?” I knew the prosecutor’s name, even if I didn’t know the hacker’s.

  “Don’t contact the Germans. This is sensitive, and you’ll bollix things up.”

  “Can’t you even tell me if the hacker’s in jail? Or is he wandering the streets of Hannover?”

  “It’s not for me to say.”

  “Then when will I find out what happened?”

  “I’ll tell you at the right time. Meanwhile, keep all your printouts locked up.”

  Lock up the printouts? I looked across my office. Sandwiched between bookshelves of computer manuals and astronomy books, were three boxes of the hacker’s printouts. My office door doesn’t have a lock, and the building is open twenty-four hours a day. Oh—the janitor’s closet can be locked. I could stash the boxes up over the sink, on the shelf next to the ceiling.

  While he was still on the phone, I asked Mike when I could expect to hear back on this case.

  “Oh, in a few weeks. The hacker will be indicted and brought to trial,” Mike said. “Meanwhile, keep silent about this. Don’t publicize it and stay away from reporters.”

  “Why not?”

  “Any publicity may let him off. The case is tough enough without being tried in the newspapers.”

  “But surely this is an open-and-shut case,” I protested. “The U.S. Attorney said that we had more than enough evidence to convict the guy.”

  “Look, you don’t know everything that’s going on,” Mike said. “Take my word for it: don’t talk about it.”

  The FBI was happy with their work, as well they should be. Despite several false starts, Mike had stuck with the investigation. The FBI wouldn’t let him tell me anything; there wasn’t much I could do about that. But he couldn’t stop me from checking on my own.

  Ten months ago, Luis Alvarez and Jerry Nelson had told me to treat the hacker as a research problem. Well, at last the investigation was complete. Oh, there were a few details to figure out, but the real work was over. Yet the FBI wouldn’t let me publish what I’d learned.

  When you run an experiment, you take notes, think for a while, then publish your results. If you don’t publish, nobody will learn from your experience. The whole idea is to save others from repeating what you’ve done.

  It was time for a change anyway. I spent the rest of the summer making weird computer pictures of telescopes and teaching a few classes at the computer center. The pursuit of the German had taught me about how to connect computers together.

  Sooner or later, the FBI would let me publish. And when it did, I’d be ready. Around the beginning of September, I started writing a dry, scientific paper about the hacker. I just distilled my lab notebook—all 125 pages of it—into a boring article and got it ready for some obscure computer journal.

  Still, letting go of the hacker project wasn’t entirely easy. For a year, the chase had consumed my life. In the course of my quest, I’d written dozens of programs, forsaken the company of my sweetheart, mingled with the FBI, NSA, OSI, and CIA, nuked my sneakers, pilfered printers, and made several coast-to-coast flights. I pondered how I would now spend my time, now that my life wasn’t scheduled around the whims of some faceless foe from overseas.

  Meanwhile, six thousand miles away, someone was wishing that he’d never heard of Berkeley.

  A month before the Hannover hacker was caught, Darren Griffith had joined our group, having moved up from Southern California. Darren liked punk music, Unix networks, laser typography, and friends with spiked haircuts—in that order. Besides the coffeehouses and concerts, Berkeley attracted him because of its hundreds of Unix computers tied together with an ethernet, making an intricate maze for Darren to explore.

  At work, our boss set him loose to work in his own rhythm and at whatever projects interested him. After five, when the normal folks left, he cranked up the stereo in his cubicle, and wrote programs to the sound of U2. “The louder the music, the better the code.”

  I filled him in on the past year’s hack and figured that he’d be delighted with the hole in Gnu-Emacs, but he just shrugged. “Eeh, anyone could see how to exploit that. Anyway, it’s only on a few hundred systems. Now if you want a tasty security hole, check out VMS. They’ve got a hole you could drive a truck through.”

  “Huh?”

  “Yeah. It’s in every Vax computer from Digital Equipment Corporation that runs the VMS operating system Version 4.5.”

  “What’s the problem?”

  Darren explained. “Anyone that logs into the system can become system manager by running a short program. You can’t stop ’em.”

  I hadn’t heard of this problem. “Isn’t DEC doing something about it? After all, they sell those systems.”

  “Oh, sure, they’re sending out patches. But they’re being real quiet about it. They don’t want their customers to panic.”

  “Sounds reasonable.”

  “Sure, but nobody’s installing those patches. What would you do—some tape shows up in the mail saying, ‘Please install this program or your system may develop problems’ … you’ll ignore it, because you’ve got better things to do.”

  “So all these systems are open to attack?”

  “You got it.”

  “Wait a second. That operating system was certified by NSA. They tested it and certified it secure.”

  “Sure they spent a year testing it. And a month after they verified the system, DEC modified it slightly. Just a little change in the password program.” The National Computer Security Center’s verification program had a hole in it as well.

  “And now fifty thousand computers are insecure.” I couldn’t believe it. If my hacker knew, he’d have a field day. Good thing we’d nailed him.

  This problem seemed important, so I called Bob Morris at the National Computer Security Center. He’d not heard of it before, but he promised to check into it. Well, I’d done my job and warned the authorities.

  Around the end of July, Darren picked up a message from the network. Roy Omond, a system manager in Heidelberg, Germany, had detected a group called Chaos Computer Club breaking into his Vax computer. They’d used the hole that Darren had described. Omond’s message described how these vandals had broken in, set up Trojan horses to capture passwords, then erased their trails behind them.

  The Chaos Computer Club, huh? I’d heard rumors that back in 1985, a few German hackers banded together to “explore” computer networks. To them the government monopoly only made trouble—they called it the “Bundespest.”* They soon developed into a gang that systematically attacked computers in Germany, Switzerland, France, and eventually the United States. Those pseudonyms I’d heard of before—Pengo, Zombie, Frimp—were all members … self-styled cyberpunks who prided themselves on how many computers they could break into.

  Sounded familiar.

  By the end of the summer, the problem had spread. The Chaos gang broke into a hundred computers around the world, using the NASA SPAN network. Wait a second. The Petvax computer! Those alarms in June—I’d traced them back to the NASA network. I’ll bet that the connection wended its way all the way back to Germany. Uh oh.

  Pretty soon, I realized what was happening. The Chaos Computer Club had broken into computers at the CERN physics laboratory in Switzerland, and caused endless headaches there—they were said to have stolen passwords, destroyed software, and crashed experimental systems.

  All for the fun of it.

  From the Swiss laboratory, Chaos members had stolen passwords to reach into computers at American physics labs—Fermilab in Illinois, Caltech, and Stanford. From there, it was a short hop to the NASA network and into NASA’s computers.

  Every time they entered a computer, they used the bug to become system manager. Then they modified the operating system to let them in with a special password—one known only to them. Now, whenever a Chaos Club member used the magic password on an injured Vax computer, they’d get in … even if the original hole was fixed!

  Whoa! Serious stuff here. Hundreds of computers were at risk. They could easily wreck the software on each system. But what to do? NASA’s not responsible for each computer connected to its network. Half of them are at universities, running scientific experiments. NASA probably doesn’t even have a list of all the computers attached to its network.

  The NASA network, like the Milnet, is a roadway connecting computers around the country. A burglar will naturally use that road, but that’s hardly the fault of the road’s builder. NASA’s only responsible for keeping the road intact. The security of each computer rests in the hands of the people running it.

  The Chaos Computer Club created headaches for network folks—they were thumbing their noses at hundreds of system managers and thousands of scientists. If you owned a Vax computer, you had to rebuild the system software from scratch. That’s an afternoon’s work. Multiply that by a thousand sites. Or was it fifty thousand?

  At last the Chaos Club triumphantly announced their break-ins to the press, painting themselves as brilliant programmers. I searched for any mention of my laboratory, of Milnet, or of Hannover. Nothing. It was as if they’d never heard of my hacker. Yet what a coincidence: a couple months after I nail a German hacker breaking into computer networks, a German club goes public, saying that they’ve prowled through NASA’s networks.

  Could this be who had broken into my computer? I thought for a while. The Chaos gang seemed to work with the VMS operating system and knew little about Unix. My hacker certainly knew VMS, but he seemed more at home on Unix. And he had no hesitation to exploit any bug in the computer. Hannover is close to Hamburg, the home of Chaos. Less than a hundred miles.

  But my hacker was arrested on June 29. The Chaos Club was breaking into systems during August.

  Hmmm. If the LBL hacker from Hannover was in contact with the Chaos Club, his arrest would send shock waves through the entire club. They’d evaporate as soon as they heard that one of their members had been arrested.

  Another wrinkle … NASA doesn’t have secrets. Oh, perhaps the military shuttle payloads are classified. But almost everything else about NASA is public. Right down to the design of their rockets. Hell, you can buy the space shuttle’s blueprints. Not the place for a spy.

  No, my hacker wasn’t in Chaos. Probably he was loosely tied into their club … perhaps he checked into their electronic bulletin board. But they didn’t know about him.
