At home, my housemates and I haggled over a twenty-dollar phone bill. But I’d never seen thousand-dollar bills. Every month, Mitre had paid for hundreds of long-distance calls, all over North America.
But these weren’t people reaching out to touch each other. These bills showed Mitre’s computer dialing hundreds of other computers. (I proved this to myself by calling a few. Sure enough, in each case, I heard a modem answer with a whistle.)
Now here’s some useful information. Mitre might not be interested in analyzing it, but together with my logbook, I might be able to understand how far the hacker had penetrated. I’d just have to somehow separate the hacker’s calls from the normal calls.
Plenty of the calls were obvious hacking. On the list were lots of calls to Anniston, Alabama. And there were the calls to Tymnet in Oakland—they’d cost me a galaxy to trace.
But some of the calls on the bills must be legitimate. After all, Mitre’s employees must call computers to transfer data or copy the latest software from the West Coast. How could I separate the hacker’s calls?
Back home, when our phone bill arrived, Martha cooked up dinner, Claudia did the salad, and I baked cookies.* Afterward, stuffed on chocolate chips, we’d divvy up the phone bill.
Sitting around the dining table, my housemates and I had no problem figuring out who’d made which long-distance calls on our bill. If I had made a call to Buffalo from 9:30 until 9:35 and another to Baltimore from 9:35 to 9:45, then it was likely that I’d made the call to New York from 9:46 to 9:52.
Looking at Mitre’s phone bills, I knew that only the hacker would call the Army base in Anniston, Alabama. Pretty likely that a phone call made a minute after calling Anniston belonged to the hacker. Same for a call that ended just before dialing Alabama.
In physics, this is correlation analysis. If you see a solar flare today and tonight there’s a bright aurora, chances are that these are correlated. You look at things that occur close together in time, and try to find the probability that they’re somehow connected.
Correlation analysis in physics is simply common sense.
Well, here were six months of phone bills. Dates, times, phone numbers, and cities. Probably five thousand in all. Enough that I couldn’t analyze it by hand. Perfect for analyzing on a computer—there’s plenty of software written to search out correlations. All I had to do was enter them into my Macintosh computer and run a few programs.
Ever type five thousand phone numbers? It’s as boring as it sounds. And I had to do it twice, to make sure I didn’t make any mistakes. Took me two days.
Two days to enter the data, and an hour to analyze it. I told my program to assume that the hacker made all calls to the Anniston Army base. Find all calls that immediately preceded or trailed those calls. It took a minute, and showed me that the hacker had called Oakland’s Tymnet many times. Aah, the program behaved reasonably.
I spent the afternoon tinkering with the program, refining its statistical techniques and watching the effect of different algorithms on the output. It determined the probability that each call was made by the hacker. Cute—just the thing to settle arguments at home.
It wasn’t until the evening that I realized what the program was telling me: this hacker hadn’t just broken into my computer. He was into more than six, and possibly a dozen.
From Mitre, the hacker had made long-distance connections to Norfolk, Oak Ridge, Omaha, San Diego, Pasadena, Livermore, and Atlanta.
At least as interesting: he had made hundreds of one-minute-long phone calls, all across the country, to Air Force bases, Navy shipyards, aircraft builders, and defense contractors. What can you learn from a one-minute phone call to an Army proving ground?
For six months, this hacker broke into Air Force bases and computers all across the country. Nobody knew it. He was out there, alone, silent, anonymous, persistent, and apparently successful—but why? What’s he after? What’s he already learned? And what’s he doing with this information?
* Two eggs, 1 cup brown sugar, 1/2 cup regular sugar, 2 sticks softened butter. Fold in 2 1/4 cups flour, 1/2 teaspoon salt, 1 teaspoon baking soda, and a couple tablespoons of vanilla. For an extra chocolate jag, mix in 3 tablespoons of cocoa. Oh, don’t forget 2 cups of chocolate chips. Bake at 375 degrees for 10 minutes.
Mitre’s phone bills showed hundreds of telephone calls all around the country, most of them a minute or two long. But no human voice spoke over that line—it was one computer dialing another.
My boss’s voice, though, was singularly human. Around the end of November, Roy Kerth stopped in my office, and found me asleep under my desk.
“Whacha been doing for the past month?”
I could hardly say, “Oh, typing in phone bills from some East Coast defense contractor.” Reminding him of my chase would jog his memory of a three-week limit. Quickly, I thought of our department’s new graphics terminal—a spiffy new toy that displays three-dimensional images of mechanical devices. I’d fiddled with it for an hour, just long enough to learn how difficult it was to use. But it was an excuse to get the boss off my back, and I told him, “Oh, I’m helping some astronomers design their telescope with our new display terminal.” This wasn’t a total lie, since we’d talked about doing this. For all of five minutes.
My maneuver backfired. Roy smiled slyly and said, “OK. Next week show us some pretty pictures.”
By never showing up before noon, I’d managed to avoid half of the department’s meetings. If I didn’t have something by next week, no doubt my wings would get clipped.
Time to slide the hacker onto the back burner—and just as the trail was heating up.
One week to learn how to program the beast, figure out what the astronomers needed, and get something on the screen. I knew zero about computerized design. And the programming language was from the twenty-first century: it claimed to be “an object-oriented language with graphical inheritance.” Whatever that meant.
So I wandered over to the telescope design team, where Jerry Nelson and Terry Mast were arguing over how much their telescope would bend due to gravity. When looking at stars straight overhead, gravity wouldn’t bend the telescope tube. But when pointing near the horizon, the tube would bow slightly. Just enough to upset the delicate optical alignment. They wanted to know how much, and could I show the effect on the computer.
This seemed like fun—at least more fun than figuring out what “graphical inheritance” meant. We talked for a while, and Jerry mentioned that Professor Erik Antonsson had written a program to display the telescope on a graphics display terminal. The same type as I was supposed to program.
“You mean that someone has already written the program to solve your problem and display a picture on the screen?” I asked.
“Yes,” the astronomer explained. “But it’s down at Caltech in Pasadena. Doesn’t do us much good four hundred miles away. We need the results now.”
I just had to get the Caltech program up to Berkeley and fit it into my Vax computer. No need to even figure out how to program the beast.
I called Professor Antonsson at Caltech. He’d be happy if we used his program, but how would he send it to us? Mail would take a week. Faster to send it electronically. Aah—when you need a program, don’t mail a tape. Just ship it over the network. In twenty minutes, the program percolated across the wires, and settled into my computer.
Well, Professor Antonsson had done a super job of programming the problem. By nine that evening, I’d customized his program for my system and the new telescope data.
Amazingly, the damn thing worked, though not quite the first time. By 2 A.M., I got it to draw a multicolored picture of the Keck Telescope, complete with struts, bearings, and mirrors. You could see where the tube bent, where the stresses built up, and which sections needed reinforcing. Technology comes through again.
One evening of real work, and I was off the hook. The hacker was back on the front burner.
But not a peep from him. My alarms were s
et, the monitors active, but he’d been invisible for two weeks. On my way home, I wondered if he too might have an urgent project that kept him away from my computer. Or had he found a new way to enter the Milnet, completely bypassing my traps?
As usual, I slept late the next morning. (No need to work early when Thanksgiving weekend was coming up.) At 11:30, I pedaled up the hill and ducked into work, ready to show off my zero-work computer display. But once in my office, I went back to wondering why the hacker wasn’t showing up. Time to call Mitre, and find out what they’d done.
Bill Chandler’s voice crackled through a noisy long-distance connection. Yes, a week ago, he’d disconnected their outgoing modems. The hacker could no longer leapfrog through Mitre’s local network.
The gig was up. We didn’t know where he came from, and we’d never find out. Since Mitre had corked up their hole, the hacker would have to find another path into my system.
Not likely. If someone had bolted my door shut, I’d be suspicious that they were about to bust me. And I knew this hacker was paranoid. He’d disappear for sure.
So all my traps had been set in vain. The hacker was gone, and I’d never find out who he was. Three months of searching, with only a fuzzy question mark at the end.
Not that I should complain. Without a hacker to occupy my time, there was plenty of worthwhile work waiting. Like designing a telescope. Or managing a computer. And building scientific software. Jeez—I might even do something useful.
But I’d miss the excitement. Running down the hallway and jumping to a printer. Crowding around a computer screen, trying to trace connections through my computer out somewhere across the country.
And I’d miss the satisfaction of building tools with which to follow him. By now, my programs were almost instant. Seconds after the hacker touched my computer, my pocket pager beeped. It didn’t just tell me that the hacker was around. I’d programmed my pager to beep in Morse code, telling me the hacker’s target computer, his account name (usually Sventek), and which line the hacker had entered from. Backup alarms and monitors made the system fail-safe.
Somewhere out there, a stranger had come close to getting nailed. If only I’d been able to make one more trace.
Just one more trace.
The hacker was gone, but I had a few loose ends. Mitre’s long-distance phone bills showed dozens of calls to a number in Norfolk, Virginia. By calling around (standard graduate school technique: keep pestering), I eventually found that the hacker had been dialing the Navy Regional Automated Data Center.
Well, nobody’s stopping me, so I called the Navy data center and talked to their system manager, Ray Lynch. Ray seemed to be an outgoing, competent guy who took his job very seriously. He ran an electronic mailbox system—pigeonholes for electronic mail.
Ray reported that back on July 23, from 3:44 until 6:26 P.M., someone had broken into his Vax computer, using the account belonging to the field service engineers. Once inside his system, the hacker had created a new account named Hunter.
There’s that name again. Same guy, no doubt.
The episode normally would have escaped Ray’s attention. With three hundred Navy officers using his computers, he’d never have noticed someone illegally adding a new account.
But the next day, he received a phone call from Jet Propulsion Laboratory in Pasadena, California; the same people that run interplanetary spacecraft. An alert JPL operator had detected a new system manager at their mail management computer. This new user had entered from the Milnet, coming in from Virginia.
JPL called Ray Lynch, and asked him why his field service people had been fooling with their computer. Ray didn’t wait around to ask questions. He shut down his computer and changed all its passwords. The next day, he reregistered each of his users.
So my hacker had broken into JPL and a Navy computer. Months before I’d detected him in Berkeley, he had been fooling around the Milnet.
These targets were news to me. Were they a clue to where the hacker was? Well, if you live in California, there’s no reason to go through Virginia to reach a computer in Pasadena. And why would someone in Virginia go through Mitre to dial another Virginia phone?
Suppose this hacker had used Mitre to dial all his calls, except for local ones. That meant that any state that showed up on Mitre’s phone bills was not the hacker’s home. Ruled out Virginia, California, Alabama, Texas, Nebraska, and a dozen others. This didn’t lead anywhere, and hardly seemed convincing.
I called some of the other places listed on Mitre’s phone bills. The hacker had hit a college in Atlanta, Georgia. The system manager there hadn’t detected it, but he wasn’t likely to, either. “We run a pretty open system. Lots of students know the system password. The whole thing depends on trust.”
That was one way to run a computer. Leave all the doors open. Like one of my physics profs: anyone could wander into his office. Didn’t do much good, though. He kept his notes in Chinese.
From talking to Ray, I learned one new wrinkle about the hacker. Up until now, I’d watched him exploit Unix systems. But Ray’s system was a Vax computer running the VMS operating system. The hacker might not know the Berkeley variant of Unix, but he certainly knew how to break into Vax VMS systems.
Since 1978, Digital Equipment Corporation had been making Vaxes, their first thirty-two-bit computers. They couldn’t make them fast enough: by 1985, over fifty thousand had been sold, at $200,000 each. Most of them used the versatile, friendly VMS operating system, although some contrary cusses threw away the VMS system, preferring the power of Unix.
Both Unix and VMS divide up the computer’s resources to give a separate area for every user. There’s space reserved for the system and common space that can be shared by everyone.
Somehow, when you uncrate the machine and first switch it on, you’ve got to be able to create places for your users. If the machine comes to you protected with passwords, you won’t be able to log on the first time.
Digital Equipment Company answered this problem by packaging every Vax-VMS computer with three accounts, each with its own password. There’s the SYSTEM account, with the password, “MANAGER.” An account named FIELD, password “SERVICE.” And an account USER with the password “USER.”
The instructions say to start the system running, create new accounts for your users, and then change these passwords. Starting up a computer is a bit tricky, and well, some system managers have never changed these passwords. Despite Digital’s best efforts to make the system managers change those passwords, some never do. The result? Today, on some systems, you can still log in as SYSTEM, with the password “MANAGER.”
That system account is completely privileged. From it, you can read any file, run any program, and change any data. Seems nutty to leave it unprotected.
The hacker either knew about these backdoor passwords, or else he knew some very subtle bug in the VMS operating system. Either way, there was little doubt that he was skilled in two operating systems: Unix and VMS.
Some high school students are impressive computer jockeys. But it’s a rare high school student who’s both deeply skilled and versatile—experienced in several computers. That takes time. Years, usually. Yes, most Unix systems folks could exploit the Gnu-Emacs hole, once they realized its weakness. And most VMS system managers knew about the not-so-secret default passwords. But each operating system took a couple years to become proficient in, and the skills weren’t very portable.
My hacker had a couple of years of Unix experience, and a couple of years in VMS. Probably had been system manager or administrator along the way.
Not a high school student.
But not an experienced wizard, either. He didn’t know Berkeley Unix.
I had been following someone in his twenties who smoked Benson and Hedges cigarettes. And broke into military computers, searching for classified information.
But was I following him anymore? No, not really. He wouldn’t show up again.
Teejay called in t
he afternoon. “I’m just checking to hear what’s new about our boy.”
“No, nothing really. I think I know how old he is, but not a whole lot.” I started explaining about the Navy data center and the backdoor passwords, but then the CIA agent interrupted.
“Got printouts of those sessions?”
“Well, no, my direct evidence is Mitre’s phone bills. If that’s not convincing, there’s other pointers. He created an account with the name Hunter. Same as at Anniston.”
“Did you write this in your logbook?”
“Sure. I put everything there.”
“Could you send me a copy?”
“Well, it’s kinda private.…” Teejay wouldn’t send me copies of his reports.
“Come on, be serious. If we’re ever going to light a fire under the ‘F’ entity, I’ve got to know what’s happening.”
The “F” entity? I searched my memory. Fourier transform? Fossils? Finger painting?
“What’s the ‘F’ entity?” I asked, somewhat humiliated.
“You know, the entity in Washington,” Teejay replied with a touch of annoyance. “J. Edgar’s boys. The Bureau.”
Why not just say the FBI?
“Oh, I get it, you want my logbook to convince the ‘F’ entity to do something.” Entity, indeed. Spooktalk.
“Yeah. Just send it to me.”
“What’s your address?”
“Just mail it to Teejay, Zip Code 20505. It’ll reach me.”
Now there’s status. No last name, no street, no city, no state. I wondered if he ever got junk mail.
With the CIA off my neck, I might as well go back to real work. I played around with Professor Antonsson’s graphics program for a while, and found that it was amazingly simple to understand. All this hype about object-oriented programming just meant that you didn’t write programs using variables and data structures; instead, you told the computer about things. To describe a robot, you’d detail its feet, legs, joints, torso, and head. No need to talk about X’s and Y’s. And “graphical inheritance” just meant that when the robot moved its leg, the feet and toes moved automatically. You didn’t have to write a separate program to move each object.
Cuckoo's Egg Page 16
