Cuckoo's Egg

by Clifford Stoll


  “With a ninety-four-inch telescope in space, we’ll be able to see phenomenal detail on planets,” I remarked.

  “Just think what you could do if you pointed it at the earth,” Greg said.

  “Why bother? All the interesting things are in the sky. And anyway, the Space Telescope physically can’t point to the earth. Its sensors will burn out if you try.”

  “What if someone made such a telescope and pointed it to the earth. What could you see?”

  I fiddled a few numbers in my head. Say, three hundred miles up in orbit, a ninety-four-inch telescope. The wavelength of light is about four hundred nanometers.… “Oh, you could easily see detail of a couple feet across. The limit would be around a couple inches. Not quite good enough to recognize a face.”

  Greg smiled and said nothing. It took a while, but it eventually sunk in: the astronomical Space Telescope wasn’t the only big telescope in orbit. Greg was probably talking about some spy satellite. The secret KH-11, most likely.

  I returned home, wondering if I should tell Martha what happened. I didn’t feel any different—I’d still rather be doing astronomy than chasing some hacker—but I worried that Martha might not approve of who I’d been rubbing shoulders with.

  “Have fun?” she asked when I returned.

  “Yeah, in a weird way,” I answered. “You don’t want to know who I met.”

  “Makes no difference. You’ve been crunched up in an airplane all day. Let me rub your back.”

  Home sweet home.

  I still seethed with frustration when I thought of the eight months that we’d been stuck to this tar baby. My boss wouldn’t let me forget that I was doing nothing useful.

  Then on Wednesday, April 22, Mike Gibbons called to say that FBI Headquarters had decided we should keep monitoring the hacker. It seems the German police wanted to catch this guy; the only way this could happen was if we notified the Germans immediately when our alarms sounded.

  Meanwhile, the FBI had put in an official request for cooperation and speedy telephone traces. They were talking to the administrator of justice in Germany, via the U.S. State Department.

  Well, yippee. Why this sudden change in policy? Had the NTISSIC committee made a decision? Or was it due to my constant pestering? Or had the Germans finally contacted the FBI?

  Although the FBI was only now interested, I’d never disabled my monitoring station. Even when I was away for a couple days, the monitors remained on guard. Last week’s printouts showed him on the system from 9:03 to 9:04 A.M. on Saturday, April 19. Later that day, he appeared again for a couple minutes. Quiet for a few days, then he popped up, checked that the SDINET files were still around, and left.

  For the past month, I’d been leaving new bait for the hacker. He saw it—at least he glanced at the names of the files—but he didn’t read any of it. Was he worried that he was being watched? Did he know?

  But if he thought we were watching him, he’d be a fool to show up at all. Maybe he couldn’t afford longer connections? No, the Bundespost told us that he was charging these calls to a small company in Hannover.

  Throughout the spring, I kept making new bait. To an outsider, the bogus SDINET files were the product of a functioning office. My mythical Barbara Sherwin created memos and letters, requisitions and travel orders. Here and there she sprinkled a few technical articles, explaining how the SDI network interconnected all sorts of classified computers. One or two notes implied that you could use the LBL computers to link into the network.

  Every day, I wasted an hour juggling these SDINET files. My hopes were to keep the hacker occupied here, rather than going out into military systems. At the same time, it gave us an opportunity to trace the hacker.

  On Monday, April 27, I’d biked in late and began writing a program to let our Unix system talk to Macintosh computers on people’s desk tops. If I could connect those together, any of our scientists could use the Macintosh’s printer. A fun project.

  By 11:30, I’d fouled up two programs—what had worked an hour ago wasn’t working now—when Barbara Schaefer called from five floors upstairs.

  “Hey, Cliff,” the astronomer said, “a letter just arrived for Barbara Sherwin.”

  “Be serious.” For once, it was my turn to say that.

  “Really. Come on up and let’s open it.” I had told Barbara about the dummy SDINET project and mentioned that I was using her mailbox as a mail drop. But I never really expected the hacker to actually send something in the mail.

  Good grief! Had this hacker greeted us with a letter?

  I ran up the five flights of stairs—the elevator’s too slow. Barb and I looked at the letter. Addressed to Mrs. Barbara Sherwin, SDINET project, Mail Stop 50-351, LBL, Berkeley, CA. Postmarked from Pittsburgh, Pennsylvania.

  My heart was thumping from the run up the stairs, but I felt the adrenaline rush when I saw that envelope.

  We carefully slit the envelope and shook out this letter:

  Triam International, Inc.

  6512 Ventura Drive

  Pittsburgh, PA 15236

  April 21, 1987

  SDI Network Project

  LBL, Mail Stop 50-351

  1 Cyclotrov Road

  Berkley, California 94720

  ATTENTION: Mrs. Barbara Sherwin

  Document Secretary

  SUBJECT: SDI Network Project

  Dear Mrs. Sherwin:

  I am interested in the following documents. Please send me a price list and an update on the SDI Network Project. Thank you for your cooperation.

  Very truly yours,

  Laszlo J. Balogh

  #37.6 SDI Network Overview Description Document, 19 pages, December 1986

  #41.7 SDI Network Functional Requirement Document, 227 pages, Revised September 1985

  #45.2 Strategic Defense Initiations and Computer Network Plans and Implementations of Conference Notes, 300 pages, June 1986

  #47.3 SDI Network Connectivity Requirements, 65 pages, Revised April 1986

  #48.8 How to Link to SDI Network, 25 pages, July 1986

  #49.1 X.25 and X.75 Connection to SDI Network (includes Japanese, European, Hawaiian, 8 pages, December 1986)

  #55.2 SDI Network Management Plan for 1986 to 1988, 47 pages, November Membership list (includes major connection, 24 pages, November 1986)

  #65.3 List, 9 pages, November 1986

  Son of a bitch! Someone had swallowed our bait and was asking for more information! I could understand it if the letter came from Hannover. But Pittsburgh? What’s happening here?

  I asked Barb Schaeffer to tell this to nobody and called Mike Gibbons at the Alexandria FBI office.

  “Hey Mike, remember those carrots I left out for bait in January?”

  “You mean those SDI files you concocted?”

  “Yeah,” I said. “Well, my dear, sweet, nonexistent secretary just received a letter.”

  “Be serious.”

  “Someone in Pittsburgh wants to learn about SDI.”

  “And you’ve got that letter?”

  “Right in front of me.”

  “OK,” Mike said. “Listen up carefully. Don’t touch that letter. Especially, don’t touch around the edges. Go find a glassine envelope. Gently insert the paper in the envelope. Then fed-ex it to me. Whatever you do, don’t handle it. Wear gloves if you must.”

  “Well, the real Barb Schaeffer’s already touched it.”

  “We may have to fingerprint her, then. Oh, before you put it in the envelope, initial the middle of the back side.”

  This sounded like Dick Tracy’s “Crimestoppers,” but I followed orders. I handled it like an astronomical negative—except that I made a photocopy for myself. I suspected that Mike might forget to return the original.

  After I’d chased around for an hour (ever hunt for glassine envelopes?) and shipped the letter to the FBI, I dug out my logbook.

  The information in that letter showed up in exactly one of my bogus files. That file, named form-letter, had been read only once. On Friday, January 16, the hacker had read that file.

  I could prove that nobody else had seen it. I’d protected that file, form-letter, so nobody could read it except the system manager. Or someone who’d illegitimately become system manager.

  Well, maybe someone else had figured out a way to read that file. Nope. Whenever the computer touched that file, for any reason, my alarm sounded and I got a printout. Only one person set off that alarm. The hacker.

  I compared Laszlo Balogh’s letter from Pittsburgh with my fabricated letter of January 16. He’d pretty much asked for everything that the bait mentioned.

  Identical.

  Except he’d carefully deleted the word “classified” when asking for document #65.3.

  Several errors jumped out: it’s Cyclotron, not Cyclotrov. Berkeley, not Berkley. I wondered if the writer’s native tongue might not be English—who would say, “Plans and Implementations of Conference Notes”?

  Strange. Who’s behind this?

  Oh—I know what’s happening! This hacker lives in Pittsburgh, Pennsylvania. He calls Hannover, connects to the German telephone system, and then invades my computer. What a way to hide!

  Naw. That one doesn’t hold water. Why wouldn’t he call directly—straight from Pittsburgh to Berkeley?

  I reread my logbook of January 18. On that day, we’d traced the connection all the way back to the hacker’s phone in Hannover. That confirms it. The electronic connection went to someone’s home in Hannover, not Pittsburgh.

  Information had moved from my computer in Berkeley, across Tymnet, into Hannover, Germany. Three months later, a letter arrives from Pittsburgh.

  I scratched my head and looked for a phone number on the letter. None. Maybe Laszlo’s listed in the Pittsburgh directory service? Nope. Triam isn’t listed either.

  That name, though … I called my sister Jeannie.

  “Hey, sister, what kind of name is Balogh?” Jeannie knows this kind of thing.

  “Sounds like Central or Southern Europe. Hungary or Bulgaria. Have a first name?”

  “Laszlo.”

  “Hungary for sure. Why, I had a boyfriend, once, whose father …”

  “Any chance it’s German?” I interrupted.

  “Doesn’t sound like it to me.”

  I told her about the letter and the misspellings. “Substituting ‘trov’ for ‘tron’ sounds like a Hungarian error,” she said. “I’ll bet on Hungary.”

  “Ever hear of the name ‘Langman?’ ”

  “No, can’t say I have. It means long man in German, if that’s any consolation.”

  “The hacker once created an account for T. G. Langman.”

  “Sounds like an alias to me,” Jeannie said. “And how do you know this Laszlo character is real? Might well be another pseudonym.”

  Computer hackers hide behind pseudonyms. In the past seven months, I’d come across Pengo, Hagbard, Frimp, Zombie … but T. G. Langman and Laszlo Balogh? Maybe.

  A hacker in Hannover, Germany, learns a secret from Berkeley, California. Three months later, a Hungarian, living in Pittsburgh, writes us a letter. Fascinating.

  Three months, huh? I thought on this for a while. Suppose two friends were communicating with each other. News would take a couple of days to move between them. A week or two, perhaps. But not three months.

  So Laszlo in Pittsburgh probably wasn’t a close friend of the Hannover hacker.

  Now suppose that the information was filtered through some third party. How many people were involved? If two or three people meet, make a decision, and act, it’ll only take a week or two. But if five or ten people meet, decide, and act, it’ll take a month or two.

  Yet I’m pretty sure that only one person is operating the computer. Nobody else would have such a tedious, methodical, and persistent manner. The German Bundespost says they’re following two guys and a “company with shady dealings.” What’s happening here?

  Whatever’s going on, I’m in over my head. They don’t teach you this kind of stuff in graduate school. Seemed like the CIA’s bailiwick. I called Teejay and got two sentences into my description.

  “Wait a second. Let me call you back on a different line.” A secured phone line.

  No doubt, this latest wrinkle hit him where he lived. I had to explain it to him twice—he also wanted an express copy of Laszlo’s letter. News travels fast in certain circles: half an hour later, Greg Fennel of the CIA called, asking if Laszlo might have logged into my computer. I explained about my alarms and tripwires. “No, the only guy that’s seen that file is a hacker in Hannover.”

  Greg was quiet on the phone for a second, then said, “A real smoking gun.”

  That reminded me of the NSA guy’s comment. Time to call Bob Morris. I told him about the letter and he seemed mildly interested. “Want me to send you a copy by Federal Express?”

  “That won’t be necessary. First class is good enough.”

  He seemed more interested in my techniques of setting alarms than the content of the letter. In a way, that’s not surprising—he’d already concluded that something serious was happening.

  Air Force OSI sent an investigator over to examine the letter. Their man, Steve Shumaker, had the common sense to show up in dungarees and a T-shirt, so as not to alarm the natives. He asked for a copy of the letter and the printouts from the Air Force System Command Space Division. They were going to do a postmortem analysis of the hacker’s break-in.

  “I’ll give you a copy of the letter—that’s no problem,” I told Shumaker, “but I can’t let you have the original printouts. The FBI’s warned me to keep all of this locked up since it might be used as evidence.”

  “Can you Xerox it?”

  Aargh. Xerox five hundred pages of computer printout?

  Well, we spent an hour in front of the copier, feeding the damned paper through the machine. I asked the OSI detective what he thought of the letter from Pittsburgh.

  “We’ve been warning everyone that this was bound to happen. Maybe they’ll wake up now.”

  “What have you been doing so far?”

  “We visit sites and try to raise their security awareness,” he said. “We’ve formed a team to test their computer security by trying to break into Air Force systems. What we found isn’t encouraging.”

  “You mean you’re the only ones who test Air Force computers for security?” I asked. “You must have thousands of computers.”

  “Well, there’s also a group in San Antonio, the Air Force Electronic Security Command, that searches for electronic security breaches,” Shumaker said. “They mostly worry about communications security—you know, keeping radio transmissions secret. They’re sharpies over there, all right.”

  Gibbons of the FBI was a sharpie, too. Finally, now that he was actively committed, he wanted to know everything. Every time the hacker appeared, Mike wanted to know about it immediately. Throughout the day, he called repeatedly, asking for my logs and notes, floppy disks and printouts. Descriptions of the monitors. Everything. That’s the way to make progress.

  I couldn’t get this letter out of my mind. I kept searching for some innocent explanation, some way that it might be written off as a fluke.

  Finally I gave up and admitted victory. I couldn’t explain it any other way: the letter must mean my plan had worked. No, not my plan, it was Claudia’s. My sweet, guileless roommate, who didn’t know a computer from a toaster, had trapped this cunning hacker!

  Cycling home, I swerved suddenly from my usual route, scooted into the Double-Rainbow ice cream store and the video rental place. Then I hurried home, waving a copy of Laszlo’s letter. Elated at the news, Martha and Claudia cackled evilly and dropped into Boris and Natasha accents. Zecret plan 35B vas a success!

  We crowded into Claudia’s room, munched out on popcorn and ice cream, and cheered the monsters in Godzilla Versus Monster Zero.

  “Don’t say anything to anyone!”

  It was Mike Gibbons on the phone, telling me not to spread the word to the CIA.

  “Uh, I’m sorry, Mike, but I’ve already told this guy Teejay.” I wondered if Mike had heard of Teejay.

  “I’ll take care of it, then. This letter you sent us is intriguing. We ran it through some lab tests.”

  “What’d you learn?” Mike was being more communicative than usual, so I might as well push my luck.

  “Can’t tell you, but we’re not treating this case lightly. Aspects of it are quite, well, intriguing.” That’s the second time Mike used that word. Something’s up. “Oh, by the way, could you send me a half-dozen sheets of your letterhead?”

  The FBI wants my lab’s letterhead? Sounds like they’re going to reply to Laszlo’s letter.

  What would “I” tell this guy? How about,

  Dear Mr. Balogh:

  You have been selected as a grand prize winner in the SDINET sweepstakes.…

  The hacker played hide-and-seek for the next few days. He’d show up for three minutes, look at our password file, then log out. My bait grew tastier every day. Yet he wasn’t nibbling.

  Monday morning, May 18, he came into our system at 6:54 A.M. Awakened by an insistent beep, I reached over and whapped the alarm clock. Wrong noisemaker—the beep continued. Three beeps. S for Sventek. It’s the hacker, over on the Unix-4 computer.

  Mechanically I ran to my Macintosh, switched it on, and called Steve White at Tymnet.

  “Steve, someone’s tripped my alarm,” I said, still a bit hazy. “I haven’t checked it out yet, but could you start the trace?”

  “Right-o. It’ll be up in ten seconds,” he said. “Here it is. Coming through the Westar satellite. Calling address 2624 DNIC 5421-0421. That’s Bremen. I’ll ring the Bundespost.”

  I copied down the number; by now my home computer was warmed up. Steve had just completed an international trace in less than a minute. I dialed my lab’s system from my pipsqueak home computer and examined the Unix-4 computer. There was Sventek, just leaving.

  He’d been on for four minutes. Long enough to detect him and complete a trace. Long enough to ruin my morning. I wouldn’t be able to get back to sleep, so I biked up to the lab. Over in the east, the morning star kept me company. Venus.

 
