Cuckoo's Egg

by Clifford Stoll


  Now, with my computers secured and holes patched, I biked home, picked a few strawberries, and mixed some milkshakes for Martha and Claudia.

  Cuckoos will lay their eggs in other nests. I’m returning to astronomy.

  While I was desperately trying to wrap up the hacker chase, we also had a wedding to plan. It was a hectic time, and I cursed my work (and Hess) for distracting me from my home life. We were going to be married at the end of May, so the April revelations were particularly awkward, Martha ending up with more than her share of the preparations.

  She was coping, however, firmly resolved to make the wedding true to who we were. We silk-screened our own invitations, saying that the two of us, along with our families, were doing the inviting. Naturally, the ink on the silk-screen leaked through, and half the invitations had our fingerprints, but that’s a part of the home brew.

  Martha decked out in a white dress and veil, and me in a tux? Absurd. And Laurie in a bridesmaid’s outfit? Nobody ever made Laurie wear a dress for any reason. Somehow we managed. Laurie wore white linen pants and a tailored jacket, Martha made a simple pale yellow dress, and I sewed my own cotton shirt. (Try sewing your own shirt sometime. You’ll learn a new respect for shirtmakers, especially after you sew the cuffs on backward.)

  So it rained on our wedding and there wasn’t a place to hide in the rose garden. Claudia’s string quartet unraveled a tarp, protecting their violins from the downpour. My sister Jeannie showed up, straight from her last class at Navy War College—and straight into a political argument with Laurie. Of course, after the ceremony, we got lost driving to a remote inn by the ocean.

  It was wonderful, all the same. Say what you will about marriage, this was the happiest day of my life.

  Sure, I could have just stayed living with Martha, never quite committing myself beyond next month’s rent. I’d lived with several other people in this casual way, saying we were in love, but always ready to split if things got tough. We dressed it up with talk about openness and freedom from oppressive conventions, but for me it was just an excuse. The truth was, I had never dared to give myself fully to anyone, committing myself to make it work no matter what. But now I’d found someone I loved and trusted enough to gather my courage and stand by, not just for now but forever.

  But domestic happiness doesn’t solve everything—I still had to figure out what to do next. With Hess unmasked, I could return to astronomy, or at least, computing. Not quite tracking an international spy ring, but then, there’s research to do everywhere. The best part is not knowing where your science will lead you.

  It wasn’t the same. The computer people felt I’d wasted the past couple years rubbing shoulders with spies. The spies didn’t have much use for me—who needs an astronomer? And the astronomers knew I’d been away from the field for two years. Where do I go from here?

  Martha had passed her bar exam and was clerking for a judge across the bay, in San Francisco. She loved it—taking notes on trials, researching case law, helping to write decisions. A sort of grad school for law.

  She found another clerkship in Boston, starting in August ’88. Over a strawberry milkshake, she described her possibilities:

  “I’d clerk for the circuit court in Boston. It’ll be more academic there—no trials, just appeals. Might be fun.”

  “And the alternatives?”

  “Well, I’m thinking about returning to school, to finish my degree in jurisprudence. That’ll take a few more years.” Always the academic.

  Would I leave Berkeley to follow her to Massachusetts?

  Simple decision: I’d follow her anywhere. If she’s going to Boston, I’d dredge up a job there. Fortunately, the Harvard Smithsonian Center for Astrophysics was looking for a half-breed astronomer-computer jockey, someone to play with their X-ray astronomy database.

  I can mess up a database as well as the next person, and they didn’t mind my hiatus from astronomy. And, being astronomers, they were already accustomed to people showing up late and sleeping under desks.

  It wasn’t easy to leave Berkeley—the strawberries, the street vendors, the sunshine—but we signed a nonaggression pact with our roommates: we could visit anytime and wouldn’t have to wash the dishes. In return, they could stay at our place in Massachusetts, so long as they brought some California kiwi fruit.

  The hardest part was leaving our roommate Claudia. I’d grown accustomed to her late-night Mozart practicing (a long way from the Berkeley Grateful Dead concerts!). She hadn’t quite settled down with a mate, although several promising musicians were courting her just as we left. The latest gossip? Oh, there’s this handsome orchestra conductor that’s simply lusting after her …

  So, in August 1988, we packed a couple suitcases for a year in Massachusetts.

  Being uprooted and towed to the East Coast had a few advantages. My computer network address changed … a good thing, since several hackers had tried to break into it after I published my article. One or two had threatened me in various ways—better not to give ’em a standing target. And various three-letter agencies stopped calling me, asking for advice, opinions, and rumors. Now, in Cambridge, I could concentrate on astronomy, and forget about computer security and hackers.

  Over the past two years, I’d become an expert on computer security, but hadn’t learned a thing about astronomy. Worse, the physics of X-ray astronomy was totally foreign to me: I’m accustomed to planetary science, and planets don’t give off X-rays.

  So what do X-ray astronomers look at? The sun. Stars and quasars. And exploding galaxies.

  “Exploding galaxies?” I asked Steve Murray, my new boss at the Center for Astrophysics. “Galaxies don’t explode. They just sit there in spirals.”

  “Bah. You learned your astronomy in the ’70s,” Steve replied. “Why, we’re looking at stars exploding into supernovas, bursts of X-rays from neutron stars, even stuff falling into black holes. Hang around here for a while and we’ll teach you some real astronomy.”

  They didn’t fool around. Within a week, I was settled behind a computer, building databases of X-ray observations. Classical computing, but there’s good physics in there. Yow! There really are black holes in the middle of galaxies. I’ve seen the data.

  The Smithsonian Astrophysical Laboratory shares buildings with Harvard Observatory. Naturally, everyone’s heard of Harvard Observatory. But the Smithsonian? That’s in Washington, isn’t it? Only after I moved to Cambridge did I realize that the Smithsonian had a hot-damn astronomy section, the Center for Astrophysics. Makes no difference to me, so long as they’re doing good astronomy.

  Cambridge, Massachusetts, might be across the country, but culturally, it’s just around the corner from Berkeley. Lots of ’60s hippies, left-wing politics, bookstores, and coffeehouses. There’s street musicians most every night, and you’re serenaded at the downtown subway stations by guitars and mandolins. And the neighborhoods—some of these houses are a hundred years old. Bicycling in Cambridge is sheer excitement—the drivers aim right at you. History, weird people, good astronomy, cheap pizza … all the ingredients for a good place to live.

  Marriage? Except that Martha keeps me away from microwave ovens, it’s been a kicker.

  Wednesday, November 2, 1988, Martha and I stayed up late, reading a novel out loud. Around midnight we pulled up the quilt and fell asleep.

  I was dreaming about floating through the air on an oak leaf when the phone rang. Damn. The glow-in-the-dark clock said 2:25 A.M.

  “Hi, Cliff. It’s Gene. Gene Miya at NASA Ames Laboratory. No apologies for waking you up. Our computers are under attack.” The excitement in his voice woke me up.

  “Wake up and check your system,” Gene said. “Better yet, stay asleep and check it. But call me back if you see anything strange.”

  I’d hung up the phone for ten seconds when it rang again. This time, the line just beeped. A Morse code beep.

  My computer was calling. It wanted my attention.

  Oh hell. Can’t hide. I stumbled over to the trusty old Macintosh, dialed into Harvard Observatory’s computer, and typed in my account name, Cliff. Then my non-dictionary password, “Robotcat.”

  Slow logging in. After five minutes, I gave up. My computer just wasn’t responding. Something was wrong.

  Well, as long as I was awake, I might as well see what’s on the West Coast. Maybe there’s some electronic mail waiting for me. I connected over Tymnet into Lawrence Berkeley Labs—no long-distance phone calls for me.

  The Unix system at Berkeley was slow, too. Frustratingly slow. But only one other guy was using it. Darren Griffiths.

  Over the screen, we exchanged a couple notes:

  Hi Darren–It’s Cliff. How’s things :-)

  Cliff, call me on the phone right away. We’re under attack.

  OK O-O

  O-O means Over and Out. And the :-) is a crude smiley face. You look at it sideways, and it smiles at you.

  2:15 A.M. in Massachusetts isn’t yet midnight in Berkeley. Darren was nowhere near asleep.

  “Hi, Darren. What’s this attack?”

  “Something’s eating our system, starting a lot of processes running. Slowing the system down.”

  “A hacker?”

  “No. I’d guess a virus, but I can’t tell right now.” Darren spoke slowly as he typed. “I’ve been working on it for ten minutes, so I’m not sure.”

  Then I remembered Gene Miya’s call. “NASA Ames Labs says the same thing.”

  “Yeah. I bet we’re under attack from the Arpanet,” Darren said. “Yeah, look at all these network connections!”

  I couldn’t see any—as long as I talked on the phone, my computer was disconnected and I was blind. With a single phone line, either I could speak on the phone, or my Macintosh could talk to another computer, but not both. I hung up and dialed into my Harvard computer, a desktop computer made by Sun. Slow. Something was chewing on it.

  I looked at the processes running (with a ps command, like the hacker had taught me). There was the virus. But not just running one or two jobs. Hundreds of connections to other computers.

  Each process was trying to talk to some other computer. The connections came from all over: nearby systems at Harvard, distant computers from the Arpanet.

  As fast as I’d kill one program, another would take its place. I stomped them all out at once; not a minute later, one reappeared. Within three minutes, there were a dozen. Holy smoke!

  What’s crawling around my computer?

  A biological virus is a molecule which sneaks into a cell and convinces the cell to copy the virus molecule, instead of the cell’s DNA molecules. Once duplicated, the virus then breaks out of the cell to infect other cells.

  Similarly, a computer virus is a program that replicates itself. Like its biological namesake, it enters a system, duplicates itself, and sends copies of itself to other systems.

  To the host computer, a virus looks like a series of commands which appear perfectly legitimate, yet have dire consequences. Often these commands are buried within ordinary programs, hibernating until the program is executed. When the infected program is run, all seems fine until the virus is executed. Then the computer is tricked into copying the virus instructions elsewhere.

  Where? Probably the virus will copy itself into another program on the same computer, making it tough to eradicate. Or maybe onto another disk, so that someone will transport it to another computer.

  Perhaps the virus will do nothing more than duplicate itself into other programs. A malicious virus maker, however, might throw in a side effect: “Copy yourself four times, then erase all the word processing files.”

  Computer viruses spread most easily on personal computers: these machines have no protections built into their operating systems. At a PC, you can run any program you wish and change any part of memory. On small computers, it’s hard to tell if a program has been changed on a disk.

  Bigger computers, like Unix systems, are more resistant: their operating systems isolate one user from another, and set limits on how much you can modify. In addition, you can’t change system programs without permission—the operating system’s walls seal you out of those sensitive areas.

  The virus writer must carefully tailor the program to a target computer. A program that runs on your IBM PC won’t work on my Macintosh, or my lab’s Unix system. Then too, the virus program can’t occupy much space, or it’ll easily be discovered and removed.

  A virus is a good place to hide time bombs. It’s easy to design a virus whose instructions work like this:

  “Copy me into four other programs.”

  “Wait until February 13.”

  “Erase all the files on the system.”

  The virus must find a way to propagate. Simply infecting programs on one computer will only hurt one person. The creator of a malicious virus wants the virus to infect hundreds of systems. How do you pass a program to hundreds of others?

  People exchange software on disks. Infect one program on a disk, and it’ll infect every system that runs that program. As the disk is passed from office to office, dozens of computers can be infected and possibly wiped out.

  Public bulletin boards also exchange software. These dial-in computers are run by hobbyists, schools, and a few companies. You dial their number and copy programs from the bulletin board into your home computer. You can just as easily copy a program from your home system into the bulletin board. There it’ll wait until someone requests it. And if your program has a virus buried inside, well, you won’t discover it until it’s too late.

  So computer viruses spread by interchanging programs. Someone brings an infected program—a fun game—into work and runs it on her office machine. The virus copies itself into her word processing program. Later she gives her word processing disk to a friend. Her friend’s system gets infected. Oh, each program appears to work properly. But when February 13 rolls around …

  The obvious way to prevent viruses is to avoid exchanging programs. Don’t take candy from strangers—don’t accept untrusted programs. By keeping your computer isolated from others, no virus program can infect it.

  This canonical wisdom overlooks our daily needs. Unless we exchange programs and data, our computers won’t be much use to us. There’s a wealth of public-domain software—much of it ideal for solving our problems.

  Viruses and logic bombs poison this communal well. People stop trusting public software, and eventually the sources of public software dry up.

  But there’s another way for a virus to propagate: directly over a network.

  Our Arpanet interconnects eighty thousand computers across the country. You can send mail to anyone on these computers, send or receive files over the Arpanet, or (as Markus Hess showed) interactively log into computers connected to the Arpanet.

  Could a virus propagate over the Arpanet? A program that copies itself from one computer, out over the network, into another …

  I’d thought of this before, but had always dismissed the possibility. Arpanet computers have defenses against viruses: you need passwords to log into them. Hess got around this by guessing passwords. Could a virus guess passwords?

  At 3:30 in the morning, shivering behind my Macintosh at home, I dialed into my observatory’s computer. It’s a Sun workstation, running the popular Berkeley flavor of Unix. All those hundreds of jobs were still running … my system was grossly overloaded. No hacker was logged in. Just me.

  Same symptom at Lawrence Berkeley Labs. And NASA Ames. Smells like a virus.

  I called Darren Griffiths at LBL. “It’s a virus,” he affirmed. “I can watch it replicate. Try killing the jobs. They’ll come right back.”

  “From where?”

  “I’m getting connections from five places. Stanford, University of Rochester, Aerospace Company, the Berkeley campus, and somewhere called BRL.”

  “That’s the Army’s Ballistics Research Lab,” I said, remembering a conversation with BRL’s Mike Muuss. “How’s the virus getting into your system?”

  “I can’t tell, Cliff. The connections are all from the Arpanet, but it’s not the usual way of logging into the system. Looks like the virus is breaking in through a hole in the mail system.”

  Someone’s built a virus that exploits a security hole in Unix systems. The hole is in the mail system, and the virus spreads over the network. What’s the virus doing? Just copying itself, or does it have a time bomb built in?

  It’s 4 A.M. What to do? I’d better call the Arpanet controllers and warn them. There’s a twenty-four-hour duty officer at the Network Operations Center that watches over the network. This morning, they’ve heard nothing of this virus. “Better call around, because it’ll be all over the place by nine this morning.”

  The Networks Operations Center hasn’t heard. The virus is only a few hours old. I’m seeing viruses coming from a dozen other sites. Virulent. By morning it will have spread to scores or even hundreds of systems. We’ve got a problem. A major problem.

  An epidemic.

  We’ve got to understand this virus and spread the word. For the next thirty-six hours I knocked myself out, trying to understand and defeat this thing. I knew I wasn’t alone. At the same time, groups at Berkeley, MIT, and Purdue University were already hot on the trail.

  Here I’m only describing what I saw, but my struggle was minor compared to the work of Unix wizards across the country. One by one, programmers reacted—gurus like Keith Bostic, Peter Yee, Gene Spafford, Jon Rochlis, Mark Eichin, Donn Seeley, Ed Wang, and Mike Muuss. I was but a small part of an unorganized but dedicated response to this disaster.

  I dig into the code in my system in Cambridge. Right off I can see two versions of the virus. One’s customized for Vax computers running Unix. The other’s for Sun workstations. Each file is forty-five thousand bytes long. If it were English, it would fit in about thirty pages. But it’s not text—I dump the file and it looks like gibberish. It doesn’t even look like machine code.

 
