From somewhere, the hacker had dialed 415/430-2900. The path to our mysterious visitor led to Pac Bell’s ESS-5 switch.
Across San Francisco Bay, Lee Cheng’s office overlooks a grungy alley off Market Street. Lee is Pac Bell’s bloodhound; from his office or up on a telephone pole, he traces phone lines.
Lee’s degree is in criminology, and his graduate work is in accident reconstruction and causation. But eight years of telephone tracing gives him an engineer’s view of the phone company and a cop’s view of society. To him, communities are split by area codes, exchanges, and trunk lines, as well as precincts and neighborhoods.
With advance warning, Lee starts a software program in the computer that runs the telephone exchange. At the switching control center, he logs onto the ESS maintenance channel, brings up line-condition-monitoring software, and starts a trap program.
The automatic trap program monitors the status of an individual telephone line. It records the date, time, how many rings before an answer, and where the call came from.
If the call came from a nearby phone—one from the same exchange—then the trace is complete, and Lee’s job is easy. More often, the call comes from another exchange, and Lee has to coordinate traces at perhaps five different phone exchanges.
When a technician at an exchange receives a trace call, he drops what he’s doing—Lee’s traces take precedence over everything except firefighting. He logs into the control computer, commands his computer to display the phone number’s status (busy, idle, off-hook), and executes programs to show where the connection came from (routing index, trunk group number, adjacent exchange name).
With luck, the trace might take a few seconds. But a few exchanges, left over from the 1950s, still use mechanical-stepping switches. When you dial through these exchanges, you can hear a soft pulsing in the background, as relays move a lever in tune with your dialing. The old grackles of the telephone system are proud of these antiques, saying, “They’re the only switches that’ll survive a nuclear attack.” But they complicate Lee’s job: he’s got to find a technician to run from rack to rack tracing these calls.
Local telephones can only be traced while connected. Once you hang up, the connection evaporates and can no longer be traced. So Lee races against time to finish a trace before the connection is lost.
Phone companies view phone traces as a waste of time. Only their most skilled technicians know how to trace a phone connection. Worse, traces are expensive, generate lawsuits, and upset customers.
Lee, of course, sees things otherwise. “Yesterday was a drug bust, today, it’s an extortion racket, tomorrow we’re tracing a burglary ring. Obscene phone calls around the full moon. Lately, we’ve been tracing call girls’ pocket pagers. Slice of life in the big city.” Still, the fear of lawyers keeps him from unofficially helping out.
Our conversation in September 1986 was curt:
“Hey, we need a telephone line traced.”
“Got a search warrant?”
“No, do we need one?”
“We won’t trace without a warrant.”
That was quick. No progress until Aletha Owens got the court order.
After yesterday’s attack, we couldn’t wait. My searches through the phone book were leading nowhere. A more competent Trojan horse would panic my boss into closing down the investigation. And my three-week allowance was down to ten days.
Sandy Merola was Roy Kerth’s sidekick. When Roy’s acid tongue got to one of the staff, Sandy applied balm. On a mission to the Berkeley campus, Sandy noticed a set of IBM personal computers in a public section of the library. Like any computer jock would do, he wandered over and tried to use them. Just as he suspected, these computers were programmed to automatically dial Tymnet and log into the Dow Jones Information Service.
Tymnet? Sandy spent a few minutes diddling on the terminal, and discovered that he could find the latest stock quotations and financial rumors from The Wall Street Journal. More important, when he signed off the Dow Jones service, the terminal prompted him for, “Tymnet username?” Seemed like nothing to lose by trying, so he entered, “LBL.” Sure enough, Sandy connected to my lab’s computers.
Maybe these public terminals explained things. Anyone could use them; they dialed the Oakland Tymnet number; and the library was all of a hundred feet away from Cory Hall, where the Berkeley Unix jockeys hang out.
Sandy was a jogger the way some people are Catholics. He trotted up Cardiac Hill and told the police of his discovery. Here was a way to avoid a phone trace—the next time the hacker appeared, we’d just duck over to the library and grab the bastard. We didn’t even need a court order.
Sandy returned from the police station, still sweating. He caught me practicing a yo-yo trick.
“Cut the clowning, Cliff. The police are all set to run over to the campus and arrest whoever’s using those terminals.”
Being more accustomed to parking tickets and medical emergencies, the LBL police don’t understand computers and are pretty wary of telephone traces. But they had no problem with busting someone breaking into a computer.
“Hadn’t we better make sure that it’s the hacker, first?” I had visions of some undercover cops staking out a terminal and dragging a librarian into the paddy wagon for checking the Dow Jones industrials.
“It’s easy. Call me the next time the hacker shows up. I’ll drive down to the library with the police, and we’ll see what’s on the screen. If it’s data from LBL, then we’ll leave it to the police.”
“Are they gonna stake out the terminal? You know, like in ‘Dragnet’? With one-way mirrors and binoculars?”
“Huh? Be serious, Cliff.” Sandy jogged away. I guess scientists are graded in seriousness. It reminded me of when I’d filed a student health report, listing under complaints, “Potato Famine.” The doctor called me aside and lectured me, “Son, we take health seriously around here.”
We got our chance to test Sandy’s theory soon enough. Two days after his failed Trojan horse, the hacker returned at 12:42 P.M. Lunch hour. The perfect time for a Berkeley student to wander over to the library and use their terminals.
At the alarm, I called Sandy. Five minutes later, he appeared with two undercover police agents, wearing suits, ties, and winter coats. Nothing could be more conspicuous on a campus of hippies on a hot summer day. I glimpsed a large revolver under one of the cop’s coats. They were serious.
For the next twenty-five minutes, the hacker didn’t do much. He became super-user via the Gnu-Emacs hole, listed the day’s electronic mail, and scanned through our processes. Ron Vivier skipped lunch to trace the Tymnet connection into Oakland. Any minute, I expected to see the printer suddenly stop, signaling that Sandy and the constabulary had caught their man. But no, the hacker took his time and logged off at 1:20.
Sandy returned a few minutes later.
“No luck, huh?” His face said it all.
“Nobody was at the library’s terminals. Nobody even near them. Are you sure the hacker was on?”
“Yeah, here’s the printout. And Tymnet traced it into Oakland again.”
Sandy was let down. Our short cut hit a dead end: progress now depended on a telephone trace.
That evening, Martha was supposed to be studying constitutional law, but was actually piecing a calico quilt. I came home discouraged: the library stakeout had seemed so promising.
“Forget the hacker. You’re home now.”
“But he might be in my system right now.” I was obsessing.
“Well, there’s nothing you can do about it, then. Here, thread a needle and help with this seam.” Martha escaped law school by quilting; surely it would work for me as well. After twenty minutes of silence, while she studied, my sewing started to get crooked.
“When we get the warrant, we’ll have to wait until the hacker shows up. For all we know, that’ll be at 3 A.M., and nobody will be around.”
“I said, forget the hacker. You’re home now.” She didn’t even look up from her book.
Sure enough, the hacker didn’t show up the next day. But the search warrant did. It was legal now. Of course, I couldn’t be trusted to start anything as important as a phone trace: Roy Kerth was explicit that only he was to talk to the police.
We went through a couple dry runs, making sure we knew who to call and checking that we could unwind our own local network. Then I got bored and went back to writing some software to analyze optical formulas for an astronomer.
In the afternoon, Roy called our systems people and operators together. He lectured us about the need to keep our traces secret—we didn’t know where the hacker was coming from, so we mustn’t mention our work to anyone outside the lab. I figured that people would talk less if they knew what was going on, so I gave a chalk talk about what we’d seen and where we were heading. Dave Cleveland chipped in about the Gnu-Emacs hole, and Wayne pointed out that we’d better discuss the hacker strictly by voice, since he regularly read our electronic mail. The meeting broke up with Boris and Natasha imitations.
Tuesday, at 12:42 in the afternoon, Sventek’s account lit up. Roy called the laboratory police—they wanted to be in charge of the phone traces. By the time Tymnet had unwound their network, Roy was shouting over the phone. I could hear his side of the conversation.
“We need a number traced. We have the search warrant. Now.”
Silence for a moment. Then he exploded.
“I don’t give a damn about your problems!! Start the trace now!”
More silence.
“If you don’t get a trace immediately, you’ll hear about it from the Lab director.” Roy slammed down the receiver.
The boss was furious—his face turned purple. “Damn our police! They’ve never handled a phone trace, and they don’t know who to call at the phone company!” Sheesh. At least his anger was aimed elsewhere.
Perhaps it was for the best. The hacker disconnected within a couple minutes, after just listing the names of the active users. By the time the phone trace was started, there’d be no connection to trace.
While the boss cooled off, I took the printout to study. There wasn’t much to summarize in my logbook. The hacker had just logged in, listed the users, then logged off. Didn’t even check the mail.
Aah! I saw why he logged off so fast. The system operator was around. The hacker must know the sysop’s name. He had raised periscope, seen the enemy, then disappeared. Sure enough, looking back to other printouts, he stayed around only when no operators were around. Paranoid.
I talked with each of our operators, explaining this discovery. From now on, they would run the system covertly, using pseudonyms.
September 16 marked the end of the second week on the trail. I tried working on optics again, but my mind kept drifting to the printouts. Sure enough, just after noon, my terminal beeped: the hacker had returned.
I called Tymnet, and then the boss. This time, we set up a conference call, and I listened to the trace as I watched the hacker walk through our system.
“Hi, Ron, it’s Cliff. We need another trace on our Tymnet line, LBL, Tymnet node 128, port 3.”
A minute of fumbling on the other end.
“Looks like it’s the third modem in our block of 1200-baud lines. That would make it line 2903. That’s 415/430-2903.”
“Thanks, Ron.” The police heard this, and relayed it to Lee Cheng at the phone company.
“That’s coming from the Franklin switch. Hold on.” I was accustomed to being put on hold by the phone company.
I watched the hacker fire up the Gnu-Emacs move-mail file. He was becoming super-user. He’d be on for at least another ten minutes. Maybe long enough to complete a trace. Come on, Pac Bell!
Three minutes passed by. Lee came back on line.
“The line’s active, all right. Connects to a trunk leading into Berkeley. I’ve got a technician checking that line right now.”
Another two minutes pass by. The hacker’s super-user now. He goes straight for the system manager’s mail files.
“The Berkeley technician shows the line connecting to AT&T long lines. Hold on.” But Lee doesn’t punch hold, and I listen in on his conversation with the Berkeley office. The guy in Berkeley insists that the line’s coming from far away; Lee’s telling him to check it again. Meanwhile the hacker is working on our password file. Editing it, I think, but I’m trying to hear what’s happening at the phone company.
“It’s our trunk group 369, and damn it, that’s routed to 5096MCLN.” The Berkeley technician was speaking in tongues.
“OK, I guess we’ll have to call New Jersey.” Lee seemed dismayed. “Cliff, are you still there?”
“Yeah. What’s going on?”
“No matter. Is he going to stay on much longer?”
I watched the printout. The hacker left our password file and was cleaning up his temporary files.
“I can’t tell. My guess is—oops, he’s logged off.”
“Disconnected from Tymnet.” Ron Vivier had been quiet until now.
“Dropped off the phone line.” Lee’s trace disappeared.
Our police officer came on line. “Well, gentlemen, what’s the story?”
Lee Cheng spoke first. “I think the call’s coming from the East Coast. There’s a slight chance that it’s a local Berkeley call, but … no, it’s from AT&T.” Lee was thinking out loud, like a graduate student at an oral exam. “All our Pacific Bell trunk lines are labeled with three digits; only the long-distance trunks have four-digit identifiers. That line … let me look it up.”
I heard Lee type into his computer.
Lee came back in a minute. “Hey, Cliff, do you know anyone in Virginia? Maybe Northern Virginia?”
“No. There’s no particle accelerators near there. Not even a physics lab. Of course, my sister’s there …”
“Think your sister’s breaking into your computer?”
Yeah, sure. My sister was a tech writer for the goddamn Navy. She even attended night school at the Navy War College.
“If she is,” I replied, “I’m the pope of San Francisco.”
“Well then, we can’t go any further today. Next time, I’ll make the trace faster.”
It was hard to imagine a faster trace. I’d taken five minutes getting everyone on line. Ron Vivier had spent two minutes tracing the call through Tymnet; it had taken Lee Cheng another seven minutes to snake through several telephone exchanges. In a shade under a quarter hour, we’d traced the hacker through a computer and two networks.
Here was a conundrum. Sandy Merola felt the hacker came from the Berkeley campus. Dave Cleveland was certain he came from anywhere except Berkeley. Chuck McNatt from Anniston suspected someone from Alabama. The Tymnet trace led to Oakland, California. Now Pacific Bell said Virginia. Or was it New Jersey?
With each session my logbook grew. It wasn’t enough to just summarize what had happened. I began to annotate each printout and search for correlations between sessions. I wanted to know my visitor: understand his wishes, predict his moves, learn his name, and find his address.
While trying to coordinate the traces, I’d pretty much ignored what the hacker was actually doing. After the tension died down, I hid in the library with the printout from his most recent connection.
Right off, it was obvious that the fifteen minutes which I’d watched were only the coda of the hacker’s work. For two hours, he had been connected to our system; I’d only noticed him during the last quarter hour. Damn. If only I’d detected him right away. Two hours would have been enough to complete a trace.
More damning, though, was why I hadn’t noticed him. I’d been watching for activity on Sventek’s account, but he had used three other accounts before touching Sventek’s account.
At 11:09 in the morning, some hacker had logged into an account belonging to a nuclear physicist, Elissa Mark. This account was valid, billed to the nuclear sciences department, though its owner had been on sabbatical at Fermilab for the past year. It took just one phone call to find that Elissa was unaware of anyone using her computer account; she didn’t even know if it still existed. Was this the same hacker that I’d been following? Or someone else?
I had no way of knowing in advance that the Mark account had been hacked. But paging through the printout left little doubt.
Whoever was using the Mark account had become super-user by crawling through the Gnu-Emacs hole. As system manager, he searched for accounts that hadn’t been used in a long time. He found three: Mark, Goran and Whitberg. The latter two belonged to physicists long departed from our lab.
He edited the password file and breathed life into the three dead accounts. Since none of these accounts had been deleted, all their files and accounting information remained valid. To steal these accounts, the hacker needed to learn their passwords. But the passwords were protected by encryption: our DES trapdoor functions. No hacker could cut through that armor.
With his purloined super-user powers, the hacker edited the system-wide password file. He didn’t try to decrypt Goran’s encrypted password; instead, he erased it. Now that the account had no password, the hacker could log in as Goran.
With this he disconnected. What’s he up to? He couldn’t crack passwords, but as super-user, he didn’t have to. He just edited the password file.
He reappeared a minute later as Goran, then chose a new password for this account—Benson. The next time Rodger Goran tried to use our Unix computer, he’d be frustrated to find his old password no longer worked.
Our hacker had stolen another account.
Aah—here’s why the hacker stole old accounts. If he stole active accounts, people would complain when their familiar passwords no longer worked. So my adversary stole old accounts that weren’t used anymore. Robbing the dead.
Even as super-user, he couldn’t undo the DES trapdoor. So he couldn’t figure out someone else’s password. But he could swipe passwords, with a Trojan horse, or steal a whole account, by changing the password to a new word.
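The two tampering patterns described above (a blanked password field, and a fresh password on an account nobody has used in years) are exactly what a periodic audit of the password file can catch. The following is an added example, not code from the book or from LBL: it compares a baseline copy of an old-style passwd file (DES hash in the second field) against the current one, using last-login dates of the kind `last` or wtmp would supply. All hashes, dates and file contents are constructed for the example.

```python
# Added example (not from the book): audit an old-style passwd file for the
# tampering described in the text. All sample data below is constructed;
# the "hashes" are stand-ins for 13-character DES crypt(3) output.
from datetime import date

BASELINE = """\
root:hvN7xkFdGE3Ak:0:0:Superuser:/:/bin/sh
sventek:Xa9eK.mZQp2rE:101:10:J Sventek:/u/sventek:/bin/csh
mark:Qs7Ga.Ur5Lw1o:102:20:E Mark:/u/mark:/bin/csh
goran:Bv2n.Tz8fYp4s:103:20:R Goran:/u/goran:/bin/csh
whitberg:Lw6q.Hd1eRk9c:104:20:Whitberg:/u/whitberg:/bin/csh
"""

# Later snapshot: goran's hash has been blanked, whitberg's has been replaced.
CURRENT = """\
root:hvN7xkFdGE3Ak:0:0:Superuser:/:/bin/sh
sventek:Xa9eK.mZQp2rE:101:10:J Sventek:/u/sventek:/bin/csh
mark:Qs7Ga.Ur5Lw1o:102:20:E Mark:/u/mark:/bin/csh
goran::103:20:R Goran:/u/goran:/bin/csh
whitberg:Nm3x.Pq7wZv2k:104:20:Whitberg:/u/whitberg:/bin/csh
"""

# Constructed last-login dates, as `last` or wtmp would report them.
LAST_LOGIN = {
    "root": date(1986, 9, 15), "sventek": date(1986, 9, 16),
    "mark": date(1985, 8, 30), "goran": date(1984, 3, 2),
    "whitberg": date(1983, 11, 20),
}

def parse_passwd(text):
    """Map username -> encrypted-password field for 7-field passwd lines."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[fields[0]] = fields[1]
    return entries

def audit(baseline, current, last_login, today, dormant_days=180):
    """Return (user, reason) findings: empty password fields, and password
    changes on accounts with no login in the last `dormant_days`."""
    old, new = parse_passwd(baseline), parse_passwd(current)
    findings = []
    for user, pw in new.items():
        if pw == "":
            findings.append((user, "empty password field: login needs no password"))
        dormant = (today - last_login.get(user, date.min)).days > dormant_days
        if user in old and old[user] != pw and dormant:
            findings.append((user, "password changed on dormant account"))
    return findings

def demo():
    """Run the audit on the constructed snapshots as of 16 Sept 1986."""
    return audit(BASELINE, CURRENT, LAST_LOGIN, date(1986, 9, 16))
```

Run against real files, the baseline would be a copy of the password file taken when the system was known clean; an account flagged here is one to confirm with its owner, as the text does with Elissa Mark.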