Book Read Free

Cuckoo's Egg

Page 12

by Clifford Stoll


  “The hacker’s not from California,” my guru replied. “I tell you, he just doesn’t know Berkeley Unix.”

  “Then he’s using a very slow computer.”

  “Not likely, since he’s no slouch at Unix.”

  “He’s purposely slowed down his Kermit parameters?”

  “Nobody does that—it wastes their time when they transfer files.”

  I thought about the meaning of this measurement. My friends’ samples told me how much delay Tymnet and AT&T introduced. Less than a second. Leaving two seconds of delay unaccounted for.

  Maybe my method was wrong. Maybe the hacker used a slow computer. Or maybe he was coming through another network beyond the AT&T phone lines. A network I didn’t know about.

  Every new piece of data pointed in a different direction. Tymnet had said Oakland. The phone company had said Virginia. His echoes said four thousand miles beyond Virginia.

  By the end of September, the hacker was appearing every other day. Often, he’d pop up his periscope, look around, and disappear in a few minutes. Not enough time to trace, and hardly worth getting excited about.

  I was tense and a little guilty. I often passed up dinner at home to sneak in some extra hacker watching.

  The only way I could keep following the hacker was by disguising my efforts as real work. I’d muck around with computer graphics to satisfy the astronomers and physicists, then fool with the network connections to satisfy my own curiosity. Some of our network software actually needed my attention, but usually I was just tinkering to learn how it worked. I called other computer centers ostensibly to clear up network problems. But when I’d talk to them, I’d cautiously bring up the subject of hackers—who else had hacker problems?

  Dan Kolkowitz at Stanford University was quite aware of hackers in his computer. He was an hour’s drive away from Berkeley, but that was an all-day bicycle ride. So we compared notes on the phone, and wondered if we were watching the same rodent gnawing at our systems.

  Since I’d started watching my monitors, I’d seen an occasional interloper trying to get onto my computer. Every few days, someone would dial into the system and try to log on as system or guest. These inevitably failed, so I didn’t bother following them. Dan had it much worse.

  “Seems like every kid in Silicon Valley tries to break into Stanford,” Dan moaned. “They find out passwords to legitimate student accounts, then waste computing and connect time. An annoyance, but something we’ll have to tolerate so long as Stanford’s going to run a reasonably open system.”

  “Have you thought about clamping down?”

  “To really tighten up security would make everyone unhappy,” Dan said. “People want to share information, so they make most of the files readable to everyone on their computer. They complain if we force them to change their passwords. Yet they demand that their data be private.”

  People paid more attention to locking their cars than securing their data.

  One hacker in particular annoyed Dan. “Bad enough that he found a hole in Stanford’s Unix system. But he had the nerve to call me on the phone. He talked for two hours, at the same time pawing through my systems files.”

  “Did you trace him?”

  “I tried. While he was talking on the phone, I called the Stanford police and the phone company. He was on for two hours, and they couldn’t trace it.”

  I thought of Lee Cheng at Pacific Bell. He needed just ten minutes to trace clear across the country. And Tymnet unwound their network in less than a minute.

  We compared the two hackers. “My guy’s not wrecking anything,” I said. “Just scanning files and using my network connections.”

  “Precisely what I see. I changed my operating system so that I can watch what he’s doing.”

  My monitors were IBM PC’s, not modified software, but the principle was the same. “Do you see him stealing password files and system utilities?”

  “Yes. He uses the pseudonym of ‘Pfloyd’ … I bet he’s a Pink Floyd fan. He’s only active late at night.”

  This was a difference. I often watched my hacker at noon. As I thought about it, Stanford was following different people. If anything, the Berkeley hacker seemed to prefer the name, “Hunter,” though I knew him by the several different account names he stole.

  Three days later, the headlines of the October 3 San Francisco Examiner blared, “Computer Sleuths Hunt A Brilliant Hacker.” Reporter John Markoff had sniffed out the Stanford story. On the side, the newspaper mentioned that this hacker had also gotten into the LBL computers. Could this be true?

  The story described Dan’s snares and his inability to catch Stanford’s Pfloyd hacker. But the reporter got the pseudonym wrong—the newspaper reported “a crafty hacker using the name ‘Pink Floyd.’ ”

  Cursing whoever leaked the story, I prepared to close things up. Bruce Bauer of our lab’s police department called and asked if I’d seen the day’s paper.

  “Yeah. What a disaster. The hacker won’t show up again.”

  “Don’t be so sure,” Bruce said. “This may be just the break we’re looking for.”

  “But he’ll never show up, now that he knows that we know there’s a hacker in our system.”

  “Maybe. But he’ll want to see if you shut him out of the computer. And he’s probably confident that if he can outwit the Stanford people, he can sneak past us as well.”

  “Yes, but we’re nowhere near tracing him.”

  “That’s actually what I called about. It’ll be a couple weeks before we get the search warrant, but I’d like you to stay open until then.”

  After he hung up, I wondered about his sudden interest. Could it be the newspaper story? Or had the FBI finally taken an interest?

  The next day, doubtless thanks to Bruce Bauer, Roy Kerth told me to keep working on following the hacker, though he pointedly said that my regular duties should take precedence.

  That was my problem. Every time the hacker showed up, I’d spend an hour figuring out what he did and how it related to his other sessions. Then a few more hours calling people, spreading the bad news. Then I’d record what happened in my logbook. By the time I’d finished, the day was pretty much wasted. Following our visitor was turning into a full-time job.

  In my case, Bruce Bauer’s intuition was right. The hacker returned a week after the article appeared. On Sunday, October 12, at 1:41, I was beating my head against some astronomy problem—something about orthogonal polynomials—when my hacker alarm went off.

  I ran down the hallway and found him logged into Sventek’s old account. For twelve minutes, he used my computer to connect to the Milnet. From there, he went to the Anniston Army base, where he had no trouble logging in as Hunt. He just checked his files and then disconnected.

  On Monday, Chuck McNatt from Anniston called.

  “I dumped this weekend’s accounting logs and found the hacker again.”

  “Yes, he was on your system for a few minutes. Just long enough to see if anyone was watching.” My printouts told the whole story.

  “I think I’d better close my doors to him,” Chuck said. “There’s too much at risk here, and we don’t seem to be making headway in tracking him.”

  “Can’t you stay open a bit longer?”

  “It’s already been a month, and I’m afraid of him erasing my files.” Chuck knew the dangers.

  “Well, OK. Just be sure that you really eliminate him.”

  “I know. I’ll change all the passwords and check for any holes in the operating system.”

  Oh well. Others didn’t quite have the patience to remain open to this hacker. Or was it foolishness?

  Ten days later, the hacker reappeared. I got to the switchyard just as he was trying Anniston.

  LBL> Telnet ANAD.ARPA

  Connecting to 26.1.2.22

  Welcome To Anniston Army Depot

  login: Hunt

  password: jaeger

  Bad login. Try again.

  login: Bin

>   password: jabber

  Welcome to Anniston Army Depot.

  Tiger Teams Bewarel

  Watch out for any unknown users

  Challenge all strangers using this computer

  Chuck had disabled the Hunt account, but hadn’t changed the password on the system account, Bin.

  The greeting message warned the hacker that someone had noticed him. He quickly checked his Gnu-Emacs files, and found they had been erased. He looked around the Anniston system and found one file that had been created July 3. A file that gave him super-user privileges. It was hidden in the public directory / usr / lib. An area that anyone could write into. He’d named the file, “.d”. The same name he used to hide his files on our LBL system.

  But he didn’t execute that program. Instead he logged off the Anniston system and disconnected from LBL.

  Chuck hadn’t noticed this special file. On the phone, he said he’d changed every user’s password—all two hundred. But he hadn’t changed any of the system passwords like Bin, since he assumed he was the only one who knew them. He’d thought that he’d thoroughly eradicated any dangerous files, but he’d missed a few.

  That .d file at Anniston was a useful benchmark. The hacker had laid this egg on July 3, yet remembered exactly where he’d hidden it three months later.

  He didn’t guess or hunt around for the .d file. No, he went straight for it.

  After three months, I can’t remember where I stash a file. At least not without a notebook.

  This hacker must be keeping track of what he’s done.

  I glanced at my own logbook. Somewhere, someone was keeping a mirror-image notebook.

  A kid on a weekend lark doesn’t keep detailed notes. A college joker won’t patiently wait three months before checking his prank. No, we were watching a deliberate, methodical attack, from someone who knew exactly what he was doing.

  Even though you have to coast slowly by the guardhouse, you can reach thirty miles an hour by pedaling down the LBL hill. Tuesday evening I was in no hurry, but pedaled anyway: it’s a kicker to feel the wind. A mile downhill, then a rendezvous at the Berkeley Bowl.

  The old bowling alley was now a huge fruit and vegetable market, the cheapest place for kiwis and guavas. Year ’round, it smelled of mangoes—even in the fish section. Next to a pyramid of watermelons, I saw Martha knocking some pumpkins, hunting for the filling to our Halloween pie.

  “Vell, Boris, ze secret microfilm is hidden in ze pumpkin patch.” Ever since I met the CIA, I was a spy in Martha’s eyes.

  We decided on a dozen little pumpkins for a carving party, and one fresh big one for the pie. After stuffing them in our backpacks, we biked home.

  Three blocks from the fruit market, at the corner of Fulton and Ward, there’s a four-way stop. With a can of spray paint, someone’s changed one stop sign to read, “Stop the CIA.” Another, “Stop the NSA.”

  Martha grinned. I felt uneasy, and pretended to adjust my backpack. I didn’t need another reminder of Berkeley politics.

  At home, she tossed pumpkins to me, and I stashed them in a box. “What you’re missing is a flag,” she said, throwing the last one low and inside, “some sort of pennant for chasing hackers.”

  She ducked into a closet. “I had a bit left over from my costume, so I stitched this together.” She unrolled a shirt-sized banner, with a snake coiled around a computer. Underneath, it said, “Don’t Tread on Me.”

  In the weeks before Halloween, both of us sewed furiously to make costumes. I’d made a cardinal’s outfit, complete with miter, scepter and chalice. Martha, of course, kept her costume hidden—you can’t be too careful when your roommate uses the same sewing machine.

  Next day, I hoisted my hacker-hunter flag just above the four monitors that watched the incoming Tymnet lines. I’d bought a cheap Radio Shack telephone dialer, and connected it to an expensive but obsolete logic analyzer. Together, these waited patiently for the hacker to type in his password, and then silently called my telephone.

  Naturally, the flag fell down and got caught in the printer, just as the hacker showed up. I quickly unsnarled the shreds of paper and cloth, just in time to see the hacker change his passwords.

  The hacker apparently didn’t like his old passwords—hedges, jaeger, hunter and benson. He replaced them, one by one, with a single new password, lblhack.

  Well, at least he and I agreed on what he was doing.

  He picked the same password for four different accounts. If there were four different people involved, they’d each have a separate account and password. But here in one session, all four accounts were changed.

  I had to be following a single person. Someone persistent enough to return over and over to my computer. Patient enough to hide a poisonous file in the Anniston Army base and return to it three months later. And peculiar in aiming at military targets.

  He chose his own passwords. “Lblhack” was obvious. I’d searched the Berkeley phone book for Jaegers and Bensons; maybe I ought to try Stanford. I stopped by the library. Maggie Morley, our forty-five-year-old documentmeister, plays rough and tumble Scrabble. Posted on her door is a list of all legal three-letter Scrabble words. To get in, you have to ask her one. “Keeps ’em fresh in my mind,” she says.

  “Bog,” I said.

  “You may enter.”

  “I need a Stanford telephone book,” I said. “I’m looking for everyone in Silicon Valley named Jaeger or Benson.”

  Maggie didn’t have to search the card catalog. “You need directories for Palo Alto and San Jose. Sorry, but we don’t have either. It’ll take a week or so to order ’em.”

  A week wouldn’t slow things down, at the rate I was going.

  “Jaeger. A word that’s been kind to me,” Maggie smiled. “Worth sixteen points, but I once won a game with it, when the ‘J’ landed on a triple-letter score. Turned into seventy-five points.”

  “Yeah, but I need it because it’s the hacker’s password. Hey, I didn’t know names were legal in Scrabble.”

  “Jaeger’s not a name. Well, maybe it’s a name—Ellsworth Jaeger, the famous ornithologist, for instance—but it’s a type of bird. Gets its name from the German word meaning hunter.”

  “Huh? Did you say, ‘Hunter’?”

  “Yes. Jaegers are hunting birds that badger other birds with full beaks. They harass weaker birds until they drop their prey.”

  “Hot ziggity! You answered my question. I don’t need the phone book.”

  “Well, what else can I do for you?”

  “How about explaining the relationship between the words hedges, jaeger, hunter and benson?”

  “Well, Jaeger and Hunter is obvious to anyone who knows German. And smokers know Benson and Hedges.”

  Omigod—my hacker smokes Benson and Hedges. Maggie had won on a triple-word score.

  I was all set on Halloween morning. I’d finished my cardinal’s costume, even the miter. Tonight’s party would be a gas: pasta with a dozen lunatics, followed by Martha’s fantastic pumpkin pie, and an excursion into San Francisco’s Castro district.

  But first I had to dodge my bosses at the lab. The physicists were ganging up on the computer center, refusing to pay our salaries. Supporting central computing was expensive. The scientists figured that they could buy their own small machines, and avoid the overhead of paying our programming staff.

  Sandy Merola tried to convince them otherwise. “You can hitch a thousand chickens to your plow or one horse. Central computing is expensive because we deliver results, not hardware.”

  To placate them, Sandy sent me to write a few graphics programs. “You’re a scientist. If you can’t make ’em happy, at least listen to their problems.”

  So I spent the morning sitting in the back row of a physics seminar. A professor droned on about the quark function of the proton—something about how each proton has three quarks. I wasn’t tired enough to sleep, so I pretended to take notes while thinking about the hacker.

  Returning from the
seminar, Sandy asked if I’d learned anything.

  “Sure.” I glanced at my notes. “The distribution function of quarks isn’t quantized over the proton. Happy?”

  “Be serious, Cliff. What did the physicists say about computing?”

  “Not much. They know they need us, but don’t want to pay.”

  “Same as the Air Force,” Sandy smiled. “I just got off the phone with one Jim Christy of their Office of Special Investigations.”

  “Hey, isn’t he the narc with the military spooks?”

  “Be serious. He’s a detective working for the Air Force, please.”

  “OK, he’s an all-American good guy. So what did he say?”

  “He says the same thing as our physicists. They can’t support us, but they don’t want us to go away.”

  “Did he make any progress with the Virginia phone company?”

  “Naw. He called around, and they won’t budge without a Virginia search warrant. He checked out the Virginia state law, and the hacker’s committing no crime there.”

  “Breaking into our computer isn’t a crime?” I couldn’t believe it.

  “Breaking into a California computer isn’t a crime in Virginia.”

  “I don’t suppose the Air Force can lean on the FBI to get a warrant?”

  “Nope. But they want us to keep monitoring, at least until the Air Force decides it’s a dead end.”

  “Did they cough up any dimes?” My time was funded through the grants of astronomers and physicists. They weren’t pleased to watch me spend their money chasing some ghost.

  “No bucks, nothing but an unofficial request. When I asked for support, Jim gave me the bailiwick story.”

  Sandy wasn’t going to give in. “It’s been two months since we started, and nobody’s listened to us. Let’s stay open for another week, then call it quits.”

  By five o’clock, I was ready for the Halloween party. On my way out, I checked the floppy disks on the monitors. The printer suddenly started up. There was the hacker. I glanced at the time—17:43:11 PST.

  No. Not now. I’ve got a party to go to. A costume party no less. Can’t he choose any other time?

 

‹ Prev