
Cuckoo's Egg


by Clifford Stoll


  Neat. After a day or two of fooling with the Caltech program, its simplicity and elegance came shining through. What seemed a hairy programming challenge turned out to be easy. So I spiffed up the display, adding colors and titles. The boss wanted me to jump through hoops; I’d put up a three-ring circus.

  Thanksgiving would be a corker. With her bicycle and backpack, Martha had hauled home forty pounds of groceries. She made only a few sarcastic comments about roommates who sleep late, and set me to putting stuff away and cleaning the house.

  “Put away the veggies, honey,” she said. “I’m going to the Safeway.” How could there possibly be more food to get? Seeing my amazement, she explained that this was just the fresh stuff, and she still had to get the goose, flour, butter, cream, and eggs. A corker, for sure.

  I put the food away and climbed back in bed. I woke up to the smell of biscuits and goose wafting through the house. We expected Martha’s grad school friends who couldn’t go home (or preferred Martha’s cooking to mom’s), a couple of law professors, a few hungry warriors from her aikido dojo, and her zany friend Laurie. My conscience finally responded to all Martha’s bustling, and I revved up our 250-horsepower Hoover.

  As I vacuumed the room, our roommate Claudia returned from a violin rehearsal. “Oh, don’t do that,” she exclaimed, “that’s my job.” Imagine—a roommate that enjoyed doing housework. Her only fault was playing late-night Mozart.

  Thanksgiving passed by idyllically, with friends wandering in, helping in the kitchen, talking, and lounging around. It was an all-day feed, starting with fresh oysters from the San Francisco wharf, moving on leisurely to Martha’s wild mushroom soup, then the goose. Then we lay around like beached whales until we worked up the energy to take a short walk. Over pie and herbal tea, the talk turned to law, and Martha’s friend Vicky held forth on environmental regulation while a couple of professors argued over affirmative action.

  Finally, too full and contented for intelligent conversation, we lay in front of the fire and roasted chestnuts. Vicky and Claudia played piano duets; Laurie sang a ballad, and I thought about planets and galaxies. Worries about computer networks and spies seemed unreal in this warm world of friends, food, and music. A down-home Thanksgiving in Berkeley.

  At the lab, I forgot about the hacker. He’d been gone for almost a month. Why? I didn’t know.

  The astronomers fiddled with their new graphics display, studying ways to strengthen their telescope. By now, I’d figured out how to animate the display, so they could zoom in on interesting parts, and rotate it on the screen. Object-oriented programming—by accident, I’d learned a new buzzword. The astronomers didn’t care, but I had to give a talk to computer folks.

  On Wednesday, I was all set to dazzle the other systems folks. I’d memorized all the jargon and set up the display so that it wouldn’t foul up at the last minute.

  A dozen computer whizzes showed up at three o’clock. The display system worked flawlessly, and the Caltech software loaded without a hitch. Computer people are accustomed to boring talks on databases and structured programming, so this three-dimensional color graphics display amazed them all.

  Twenty-five minutes into the show, I was answering a question about the programming language (“It’s object oriented, whatever that means …”) when my pocket pager beeped.

  Three beeps. Morse code for the letter S. S for Sventek. The hacker had connected to our system on the Sventek account.

  Damn. A month of quiet, and the SOB shows up now.

  Well, the show must go on. I couldn’t acknowledge that I was still chasing the hacker—my three-week allowance had long ago been used up. But I had to get over to the monitoring post and watch what he was doing.

  Of course. I stopped showing pretty pictures and began describing an obscure area of galactic astronomy. It took five minutes, but people began to squirm and yawn. My boss looked at his watch, and ended the meeting. Another application for advanced astronomy.

  I dodged the gang in the hallway, and slipped into the switchyard. The hacker wasn’t active on any of my monitors.

  He’d left his footprints though. The printer showed him here for two minutes. Long enough to check out our system. He checked that the system manager wasn’t around, then looked for the Gnu-Emacs hole—it still hadn’t been patched. And he listed his four stolen accounts—no change there. Then, poof, gone.

  No way to trace him after the fact. But the monitor that caught him was on the Tymnet line. So he was coming in on the same line. Was his path from Mitre to AT&T to Pacific Bell to Tymnet?

  Time to call Mitre. Bill Chandler answered. “No, he couldn’t have used our modems. They’re all turned off.”

  Really? Easy to check. I called Mitre through Tymnet. I could still reach into Mitre’s network, but Bill had indeed shut off his modems. A hacker could fool with his computers, but couldn’t get out. My hacker had come from somewhere else.

  Should I feel elated or despondent? The varmint was back with super-user privileges. But maybe this time I’d nail the bastard. If he kept returning to his roost, I’d trace him for sure.

  I suppressed my vindictive feelings towards my unseen adversary. Research was the answer. The question wasn’t, “Who’s doing it?” I’d get no satisfaction if a postcard showed up saying, “Joe Blatz is breaking into your computer.”

  No, the problem was to build the tools to find who was there. What if I traced the whole connection, and it turned out to be a red herring? At least, I’d understand the phenomenon. Not all research yields exactly the results you expect.

  My tools were sharp. The alarms triggered as soon as he entered his stolen account names. If they failed, a backup program, hidden behind my Unix-8 computer would detect him within a minute. When the hacker touched the tripwire, my beeper told me about it instantly.

  The hacker could hide, but he couldn’t violate physics. Every connection had to start somewhere. Whenever he showed up, he exposed himself. I just had to be alert.

  The fox was back. This hound was ready for the chase.

  After a month’s disappearance, the hacker was back on my system. Martha wasn’t happy about this; she began to see a mechanical rival in my pocket pager. “How long before you’re free from that electronic leash?”

  “Just a couple more weeks. It’ll be over by New Year’s Day, for sure.” Even after three months of chasing, I still thought I was close to the end.

  I was sure I’d catch him: since the hacker couldn’t hide behind Mitre anymore, the next trace would move us one step closer. He didn’t know it, but he was running out of space. In a few more weeks he’d be mine.

  Friday, December 5, the hacker showed up again at 1:21 in the afternoon. He raised periscope, looking for our system manager and then listed our password file.

  This was the second time he’d ripped off my password file. What for? There’s no key to unlock these encrypted passwords: they’re just goulash until they’re decrypted. And our encryption software is a one-way trapdoor: its mathematical scrambling is precise, repeatable, and irreversible.

  Did he know something that I didn’t? Did this hacker have a magic decryption formula? Unlikely. If you turn the crank of a sausage machine backwards, pigs won’t come out the other end.

  Four months from now, I’d realize what he was doing, but for now, I had my hands full trying to trace him.

  Nine minutes after he showed up, he disappeared. Enough time for me to trace the connection to Tymnet. But their network sorcerer, Ron Vivier, was taking a long lunch. So Tymnet couldn’t make the trace. Another chance lost.

  Ron returned my call an hour later. “It was an office party,” he said. “I thought you’d given up on chasing this guy.”

  I explained the month-long hiatus. “We tracked him into Mitre, and they plugged the hole he was using. Stopped him for a month, but now he’s back.”

  “Why don’t you cork up your hole, too?”

  “Guess I ought to,” I said, “but we’ve sunk three months into this project. We can’t be far from solving it.”

  Ron had been in the middle of every trace. He’d invested plenty of time, all voluntary. We didn’t pay Tymnet to trace hackers.

  “Hey, Cliff, how come you never call me at night?” Ron had given me his home number, but I only called him at his office.

  “Guess the hacker doesn’t show up at night. I wonder why.” He started me thinking. My logbook recorded every time the hacker had shown up. On the average, when was he active?

  I’d remembered him on at 6 A.M. and at 7 P.M. But never at midnight. Isn’t midnight operation the very image of a hacker?

  As of December 6, the hacker had connected to us one-hundred-thirty-five times. Enough times for a statistical analysis of his work habits. In a couple of hours, I’d entered all the dates and times into a program. Now just average them.

  Well, not exactly a simple average. What’s the average of 6 A.M. and 6 P.M.? Is it noon or midnight? But this is bread and butter for statistics folks. Dave Cleveland showed me the right program, and I spent the rest of the day making all sorts of averages.

  On the average, the hacker showed up at noon, Pacific time. Because of daylight savings time, I could stretch this to 12:30 or even 1 P.M., but there was no way that he was an evening person. Though sometimes he showed up in the morning, and occasionally at night (I still resented him spoiling Halloween for me!), he generally worked in the early afternoon. On the average, he stayed connected twenty minutes. A lot of two- or three-minute connections, and a few two-hour runs.

  So what does this mean? Suppose he lives in California. Then he’s hacking during the day. If he’s on the East Coast, he’s three hours ahead of us, so he works around three or four in the afternoon.

  This doesn’t make sense. He’d work at night to save on long-distance telephone fees. To avoid network congestion. And to avoid detection. Yet he brazenly breaks in during the day. Why?

  Confidence? Perhaps. After he made certain that no system operator was present, he roamed the insides of my computer without hesitation. Arrogance? Possibly. He was shameless in reading others’ mail and copying their data. But this hardly could account for his showing up during midday.

  Maybe he felt he was less likely to be noticed when dozens of others were using our computer. Although lots of programs ran at night, most of these were batch jobs, submitted during the day and postponed until evening. By midnight, only a couple of night owls were logged in.

  Whatever his reason, this peculiar habit made life slightly easier for me. Fewer interruptions when sleeping with Martha. Less need to call the police at night. And a greater chance that I’d be around when he showed up.

  As we chopped onions at the kitchen table, I told Martha about my results. “I’m tailing a hacker that avoids the dark.”

  She wasn’t impressed. “This doesn’t make sense. If the guy’s an amateur, then he’d be breaking in during off-hours.”

  “So you say he’s a professional, keeping regular office hours?” I could picture someone punching a time card in the morning, spending eight hours breaking into computers, then punching out.

  “No,” Martha said, “even professional burglars keep odd hours. What I want to know is whether his hours change on weekends.”

  I couldn’t answer that one. I’d have to go back to the lab, cull out all the weekend times, and average them separately.

  “But suppose the hacker really only shows up around noon,” Martha continued. “It might be nighttime where he lives.”

  When it’s noon in California, where is it evening? Even astronomers get confused by time changes, but I know it gets later as you move east. We’re eight hours behind Greenwich, so lunchtime in Berkeley is bedtime in Europe. Is the hacker coming from Europe?

  Improbable, but worth thinking about. A month or two ago, I’d measured the distance to the hacker by timing echos when the hacker ran Kermit. What I found didn’t make much sense: the hacker seemed to be around six thousand miles away.

  Made sense now. It’s five thousand miles to London. Small world.

  But how do you get from Europe into our networks? Phoning across the Atlantic would cost a fortune. And why go through Mitre?

  I had to keep reminding myself that these were just weak pointers. Nothing conclusive. But it was hard to fall asleep that evening. Tomorrow I’d go up to the lab and reread my logbook with a new hypothesis: the hacker might be coming in from abroad.

  Saturday morning I woke up nestled in Martha’s arms. We fooled around for a while, and I made a batch of my quasi-stellar waffles—the ones that are advertised all over the Andromeda galaxy.

  Despite the early hour, I couldn’t resist heading over to the lab. I bicycled along side streets, scanning for yard sales. Right along the way, someone was selling their household, well preserved from the 1960s. Rock posters, bell-bottom jeans, even a Nehru jacket. I picked up a Captain Midnight Secret Decoder Ring for two dollars. It still had an endorsement for Ovaltine.

  At the lab, I started analyzing the hacker’s log-in times, separating out his weekend sessions. It took a while, but I managed to show that on weekdays he showed up from noon to three P.M.; on weekends he’d show up as early as six A.M.

  Suppose this sneak lived in Europe. He might break in at any hour on the weekend, but confine himself to evenings during the week. The log-in times agreed with this, but agreement is hardly proof. A dozen other theories could satisfy the data.

  I’d ignored one source of information. The Usenet is a nationwide network of thousands of computers, tied together by telephone links. It’s a wide-area electronic bulletin board, a sort of networked classified newspaper. Anyone can post notes; every hour, dozens of new messages show up, divided into categories like Unix Bugs, Macintosh Programs, and Science Fiction Discussions. There’s nobody in charge: any Unix computer can link to Usenet, and post messages to the rest. Anarchy in action.

  System managers post a lot of the messages, so you’ll find notes like, “We have a Foobar model 37 computer, and we’re trying to hook up a Yoyodyne tape to it. Can anyone help?” Often someone will respond, solving the problem in minutes. Other times, it’s a lone voice in an electronic wilderness.

  I couldn’t post a note saying, “Hackers are breaking into my computer. Any idea where they’re coming from?” Since most systems folks read these bulletin boards, the hacker would find out right away.

  But I could scan for information. I started a text search, hunting for the word, “Hack.” Any messages with that keyword would pop out.

  Oops. Bad choice of keyword. The word hacker is ambiguous. Computer people use it as a compliment to a creative programmer; the public uses it to describe a skunk that breaks into computers. My search turned up lots of the former usage and not many of the latter.

  A few useful notes turned up, though. A guy in Toronto reported that his computer had been attacked by a group from Germany. They called themselves the Chaos Computer Club and seemed to be technocratic vandals. Another note talked about hackers in Finland trying to extort money from a corporation by holding their computers hostage. A third mentioned that a hacker in London ran a credit card scam, where he sold credit card information over the telephone lines.

  None of these seemed to describe what my hacker was doing. Nor was it much comfort to realize that others face similar varmints.

  I walked out on the roof of the building and looked out over the bay. Below me, Berkeley and Oakland. Across the water, San Francisco and the Golden Gate Bridge. For all I knew, someone within a few blocks was playing an elaborate practical joke on me. I was fiddling with my secret decoder ring when my beeper went off. Three dots. Sventek again, and on my Unix machine.

  I ran down the staircase and into the switchyard. The hacker was just logging in. Quickly I called Ron Vivier at Tymnet. No answer. Of course, dummy, it’s a Saturday. Another call to his home. A woman answered.

  “I need to talk to Ron right away. He’s got to make a panic network trace right now.” I was out of breath and panting. Five flights of stairs.

  She was taken aback. “He’s in the yard washing the van. I’ll get him.” A few centuries later, Ron showed up. There were a couple kids screaming in the background.

  “I’ve got a live one for you,” I gasped. “Just trace my port 14.”

  “Right. It’ll take a minute. Good thing I’ve got two phone lines here.” I hadn’t realized that he didn’t have a whole switchboard at his fingertips. He must be dialing into his computer.

  Another couple eons passed, and Ron came back on the line. “Hey Cliff, are you certain that it’s the same guy?”

  I watched him searching for the word SDI on our computer. “Yes, it’s him.” I was still wheezing.

  “He’s coming in from a gateway that I’ve never heard of. I’m locked onto his network address, so it doesn’t matter if he hangs up. But the guy’s coming from somewhere strange.”

  “Where’s that?”

  “I don’t know. It’s Tymnet node 3513, which is a strange one. I’ll have to look it up in our directory.” In the background, Ron’s keyboard clicked. “Here it is. That node connects to ITT node DNIC 3106. He’s coming from the ITT IRC.”

  “Huh? What’s that mean to me?” His ante was beyond my purse.

  “Oh, I’m sorry,” Ron said. “I keep thinking that I’m talking to another Tymnet guy. Your hacker is coming from outside the Tymnet system. He’s entering Tymnet from a communications line operated by the International Telephone and Telegraph company.”

  “So what?”

  “Tymnet moves data between countries using the IRCs. Once, international agreements forced us to use IRCs, now we choose the cheapest carrier around. The IRCs are the go-betweens that link countries together.”

  “Are you saying that the hacker is coming from abroad?”

  “No doubt. ITT takes a Westar downlink.…” Ron spoke quickly and used plenty of acronyms.

 
