Cuckoo's Egg
Now I realized why Mitre paid for a thousand one-minute-long phone calls. The hacker would connect to Mitre, and instruct their system to phone another computer. When it answered, he would try to log in with a default name and password. Usually he failed, and went on to another phone number. He’d been scanning computers, with Mitre picking up the tab.
But he’d left a trail. On Mitre’s phone bills.
The path led back to Germany, but it might not end there. Conceivably, someone in Berkeley had called Berlin, connected to the Datex network, connected through Tymnet and came back to Berkeley. Maybe the start of the path was in Mongolia. Or Moscow. I couldn’t tell. For the present, my working hypothesis would be Germany.
And he scanned for military secrets. Could I be following a spy? A real spy, working for them—but who’s them?… Jeez—I didn’t even know who spies work for.
Three months ago, I’d seen some mouse droppings in my accounting files. Quietly, we watched this mouse, seeing him sneak through our computer, and out through a hole and into the military networks and computers.
At last I knew what this rodent was after. And where he was from. I’d been mistaken.
This wasn’t a mouse. It was a rat.
I spent Saturday evening filling in my logbook. Now I could tie up loose ends. Anniston’s search wouldn’t turn up a hacker in Alabama: they were off by five thousand miles. Stanford’s hacker was certainly a different guy … my hacker would have homework in German, not English. And there wasn’t much use in calling around Berkeley, looking for someone named Hedges.
Probably the wrong name. Certainly the wrong continent.
Our stack of printouts was a foot thick. I’d carefully sorted and dated each listing, but I’d never combed through all the listings at one sitting. Most of it was dreary file listings and one-at-a-time guesses at passwords.
Is it easy to break into computers?
Elementary, my dear Watson. Elementary, and tediously dull.
I didn’t return home until 2 A.M. Martha waited up, piecing a quilt.
“Out with a hussy?”
“Yeah,” I replied. “Spent the day with a mysterious foreigner.”
“So the hacker’s from Europe after all.” She’d guessed what I’d been doing.
“He might live anywhere in the world,” I said, “but my bets are on Germany.”
I wanted to sleep late Sunday morning, curled up with Martha. But, dammit, my pager sounded at 10:44, a harsh, insistent squeal followed by a Morse code greeting. The hacker was at it again. In my Unix-5 computer.
I jumped into the dining room and dialed Steve White at his home. While his phone was ringing, I fired up my Macintosh computer. On the fifth ring, Steve answered.
“The hacker is live again, Steve,” I told him.
“OK, Cliff. I’ll start the trace and call you back.”
As soon as I hung up, I reached for my Macintosh. The beast acted like a remote terminal, thanks to a modem and a stellar software program called Red Ryder. Red automagically dialed my lab’s computer, logged onto the Vax, and showed me what was up. There was my hacker, traipsing through the Milnet.
Logged on like that, I appeared like an ordinary user, so the hacker could see me if he looked. So I disconnected quickly. Ten seconds was enough to see what my visitor was up to.
Steve called back in a couple minutes. The line didn’t come from the ITT international record carrier; today it was from RCA.
“RCA doesn’t use the Westar satellite,” Steve said. “They talk through the Comsat satellite.” Yesterday he used Westar, today Comsat. One elusive hacker—switching communications satellites from day to day.
But I had my facts wrong, and Steve set me straight.
“Your hacker doesn’t have any choice in the matter,” Steve explained. “To provide redundant service, we use a variety of international routes.”
With every call, Tymnet’s traffic takes a different route across the Atlantic. As a customer I would never notice, but traffic is spread across four or five satellites and cables.
“Oh, like interstate trucking, before deregulation.”
“Don’t get me started,” Steve said angrily. “You wouldn’t believe the international communications laws.”
“So where’s the hacker coming from today?”
“Germany. Same address. Same place.”
There wasn’t much more to do. I couldn’t monitor the hacker from home, and Steve had finished the trace. I sat shivering next to the Macintosh. Where do I go next?
To the lab. And quick. I scribbled a note for Martha (“The game is afoot”), threw on some jeans, and hopped on my bike.
I wasn’t fast enough. The hacker disappeared five minutes before I arrived. I should have stayed in bed.
Well, I paged through Sunday morning’s listing—Sunday evening for him—and saw him up to his old tricks. One by one, trying to break into military computers by guessing obvious passwords. Tedious. About as interesting as guessing locker combinations.
Since he’d shown up in the morning, I might as well wait around and see if he’d return. Based on my statistics, he’d be back within an hour or two.
Sure enough, he returned at 1:16 in the afternoon. My pager sounded off, and I ran to the switchyard. There he was, logging into the stolen Sventek account.
As usual, he looked around for others on the computer. Had I been connected from my home, he’d have noticed me. But from my high ground in the switchyard, I was undetectable. He couldn’t pierce my electronic veil.
Confident that nobody was watching him, he headed straight out through our Milnet port. With a few commands, he searched the Milnet directory for any locations with the acronym “COC.” Huh? I’d never seen such a word. Did he misspell something?
I needn’t have wondered. The network information computer cranked for a minute or two, and then returned a half dozen military Command Operations Centers. He kept searching for other keywords: “Cheyenne,” “icbm,” “combat,” “kh11,” “Pentagon,” and “Colorado.”
Sitting there watching him paw through the Milnet directory, I felt like I was watching someone thumbing through the yellow pages. Which numbers would he dial?
All of them. Every keyword brought up a few computer addresses, and after he’d found thirty of them, he closed his connection to the Milnet directory. Then, once again, he methodically tried to break into each of the sites; the Air Force Data Services Center in Arlington, Virginia, the Army Ballistics Research Lab, an Air Force training center in Colorado Springs, the Navy Pacific Monitoring Center in Hawaii, and thirty other places.
But again, he had no luck. By chance, he’d picked places which didn’t have obvious passwords. It must have been a frustrating evening for him.
Finally, he tried to break into his old haunt, the Anniston Army base. Five times. No luck.
So he gave up on the Milnet and returned to messing with my Unix computer. I watched the cuckoo lay its egg: once again, he manipulated the files in my computer to make himself super-user. His same old trick: use the Gnu-Emacs move-mail to substitute his tainted program for the system’s atrun file. Five minutes later, shazam! He was system manager.
Now I had to watch him carefully. With his illicit privileges, he could destroy my system, either by accident or on purpose. And it would only take one command, like rm *—erase all files.
For now, though, he restrained himself. He just printed out phone numbers of different computers, and logged off.
Uh oh. He took a list of telephone numbers that our computer often connects to.
But Mitre had cut off their outbound telephone service. He must have discovered this by now. Yet he still collected phone numbers. So he must have some other way to make phone calls. Mitre wasn’t his only stepping stone to the telephone system.
He came back to my system after fifteen minutes. Wherever he’d gone, none of his calls had panned out. Bad passwords, I’ll bet.
As soon as he returned, he started Kermit running. He was going to copy a file back to his computer. My password file again? No, he wanted my network software. He tried to export the source code to two programs: telnet and rlogin.
Whenever one of my scientists connects through the Milnet, they use telnet or rlogin. Both of them let someone remotely log into a foreign computer. Each of them transfers commands from a user over to a foreign computer. Either is a perfect place to plant a Trojan horse.
By changing a couple lines of code in our telnet program, he could make a password grabber. Whenever my scientists connected to a distant system, his insidious program would stash their passwords into a secret file. Oh, they’d log in successfully. But the next time the hacker came into my Berkeley computer, there’d be a list of passwords waiting to be picked up.
Line by line, I watched Kermit shovel the program over to the hacker. No need to time the transfer—I now knew those long delays were caused by satellites and the long hop into Germany.
Watching him, I got annoyed. No, pissed off. He was stealing my software. Sensitive software at that. If he wanted it, he’d have to swipe it from someone else.
But I couldn’t just kill Kermit. He’d notice that right away. Now that I was closing in on him, I especially didn’t want to tip my hand.
I had to act fast. How do I stop a burglar without letting on that I’m watching?
I found my key chain and reached over to the wires connected to the hacker’s line. Jangling the keys across the connector, I shorted out his circuit for an instant. This added just enough noise to confuse the computer, but not enough to kill the connection. To him, it would look like some characters had become garbled. Misspelled words and unintelligible text—the computer equivalent of radio static.
He’d blame it on network interference. He might try again, but eventually, he’d give up. When the connections are lousy, there’s no use in talking long distance.
It worked like a charm. I’d jangle my keys, he’d see noise, and his computer would ask for a replay of the last line. I was careful to let a little data get through. But so slowly that the whole file would take all night.
The hacker disconnected and tried again. No way. He couldn’t make it through my fog, and he couldn’t figure out where the noise was coming from.
He gave up trying to steal our software, and contented himself with just looking around. He found a pathway into Berkeley’s Opal computer, but didn’t explore it.
Now there’s a strange one. The Berkeley Opal computer is the home of some real computer research. You don’t have to look far to find some of the finest communications programs, academic software, and games. Apparently this hacker didn’t care for the things students might be interested in. But show him something military, and he goes wild.
It was 5:51 in the afternoon when the hacker finally called it quits. I can’t say that his every frustration gave me satisfaction. Rather, he responded the way I expected. My work was slowly yielding a solution.
Steve White traced the connections throughout the day. Just as in the morning, they all came from Germany.
“Any chance that it’s someone from another European country?” I asked, knowing the answer in advance.
“The hacker could be from anywhere,” Steve answered. “My trace only proves a connection from Berkeley into Germany.”
“Any idea where in Germany?”
Steve was as curious as I. “There’s no way to tell without a directory. Every network has its own way of using the address. The Bundespost will tell us tomorrow.”
“So you’ll call them in the morning?” I asked, wondering whether he spoke German.
“No, it’s easier to send electronic mail,” Steve said. “I’ve already sent a message about yesterday’s incident; today’s will confirm it, and add a few more details. Don’t worry, they’ll hop to it.”
Steve couldn’t hang around this Sunday afternoon—he was cooking a dinner with his lady friend Lynn—which reminded me of Martha. I hadn’t called home.
Martha wasn’t pleased. She’d left word with Claudia that she’d be out late. Were it not for this hacker, we’d be hiking in the redwoods. Oops.
Last night was a tense time at home. Martha didn’t talk much. By spending the day watching the hacker, I’d wrecked a fine Sunday afternoon. Progress with the hacker had cost dearly on the home front.
Who should I tell about the latest discovery? My boss, for sure. We’d had a bet on where the hacker came from, and I’d lost. I owed him a box of cookies.
The FBI? Well, they hadn’t shown much interest, but this was now out of the league of my local police. Might as well give them another chance to ignore us.
Air Force Office of Special Investigations? They’d asked to be kept aware. With the hacker’s attacks on military computers, I ought to tell someone from the defense establishment, no matter how politically awkward I felt.
If it was hard to talk to the military, then calling the CIA was a real hurdle. A month ago, I’d accepted that they needed to know about someone trying to break into their computers. I’d done my duty. Now, should I tell them that it’s a foreigner?
But once again, they seemed like the right people to call. I could understand the nodes, and networks, but espionage … well, they don’t teach you that stuff in grad school.
Surely my friends among Berkeley’s flourishing left wing would tell me I’d be co-opted by the State. But I didn’t exactly feel like a tool of the ruling class, unless imperialist running-dog puppets breakfasted on stale granola. I argued with myself as I biked through traffic, but my guts told me what to do: the CIA should know, and I ought to tell them.
It had been a constant struggle to get the bureaucracy to move. Maybe I could get someone to notice by waving this flag in front of all the three-letter agencies.
First I’d call the FBI. Their Oakland office hadn’t been interested, but maybe I could get a rise out of Mike Gibbons in Alexandria, Virginia. But Mike was on vacation, so I left a message, figuring he’d hear it in a couple of weeks. “Just tell him that Cliff called. And that my friend has a return address in Germany.” You can’t fit much on a yellow while-you-were-out note.
My second pitch was to the Air Force OSI—the air force narcs. Two people got on the line, a woman’s voice and a gravelly man’s voice.
The woman, Ann Funk, was a special agent specializing in family crimes. In a serious tone, she explained, “Wife beating, child abuse. The Air Force has the same ugly problems as the rest of the world.” Not hi-tech stuff, but even over the phone, her presence inspired respect and sympathy. Now, she worked with the OSI’s computer crime group.
A month ago, I’d spoken with Jim Christy. Today, his first question to me was the same as I’d asked Steve: “East or West Germany?”
“West,” I answered. “We’ll know more in the next couple days.”
“Where’d he get into?” Ann asked.
“Nowhere, at least that I saw. Not that he didn’t try.” I rattled off some of the places he tried to sneak into.
“We’ll have to call you back,” Jim said. “We have an office in Europe that might be able to work on this.”
I’d given the Air Force a heads-up warning. Let’s see what they’d do.
Time to call the CIA. Teejay’s office answered—he wasn’t in. Whew. Off the hook. I felt like a kid who had to give a report to the class, only to find that the teacher was sick.
But having made up my mind to tell the spooks, I called Teejay’s fellow spy, Greg Fennel. Greg was in, all right.
“Look, I’ve got a meeting in three minutes. Keep it short.” A busy day at the CIA.
“In short, we traced the hacker to Germany. Goodbye!”
“Huh? Wait! How’d you do it? Are you sure it’s the same guy?”
“You’ve got a meeting now. We can talk tomorrow.”
“Forget the meeting. Just tell me what happened. Don’t embellish, don’t interpret.”
Easy to do when you keep a logbook. I read off my weekend’s summary. An hour later, Greg was still asking questions, and had forgotten his meeting. It hit him where he lived.
“Fascinating,” the spy thought out loud. “Someone in West Germany is breaking into our networks. Or at least they’re coming through a West German gateway.” He understood that we’d identified one link in the chain. The hacker still could be anywhere.
“Any chance that you’ll take action?” I asked.
“That’s for someone else to decide. I’ll pass it up the chain of command, but I really don’t know what will happen.”
What did I expect? The CIA couldn’t do much to solve the problem—they were information gatherers. I hoped they’d take over the whole mess, but that seemed unlikely. The hacker wasn’t in their machines, he was in ours.
Lawrence Berkeley Laboratory was tired of wasting time on the chase. I hid my hacker work, but everyone could see that I wasn’t tending to our system. Scientific software slowly decayed while I built programs to analyze what the hacker was doing.
Fearing my vitriolic boss, I polished up on quantum mechanics before talking to Roy Kerth. Maybe if we talked physics for a while, he might overlook my work on the hacker front. After all, he seemed pleased by my graphics software, even though I thought it was comparatively trivial.
But no amount of shop talk could deflect Roy’s anger. He was irritated about the time I’d spent tracking this hacker. I wasn’t contributing to the department—nothing that he could show off, nothing he could quantify.
At least he didn’t shut me down. If anything, he seemed more eager than ever to nail this eggsucker.
I spent a few hours searching bulletin boards on the Usenet network for news about hackers, and found one note from Canada. I called the author on the phone—I didn’t trust electronic mail. Bob Orr, a scientist at the University of Toronto, told a sad story.
“We connect to lots of networks, and it’s tough to convince funding agencies to pay for it. Some hackers from Germany have invaded our system, changing programs and damaging our operating system.”
“How’d they get in?” I asked, already suspecting the answer.