- Clifford Stoll
Cuckoo's Egg Page 10
His is a world of ethernets, optical fibers, and satellite links. Other computer folks measure size in megabytes of memory, and speed in megaflops—millions of floating-point-operations per second. To Dennis, size is measured by counting computers on your network; speed is measured in megabytes per second—how fast the computers talk to each other. The system isn’t the computer, it’s the network.
Dennis saw the hacker problem in terms of social morality. “We’ll always find a few dodos poking around our data. I’m worried about how hackers poison the trust that’s built our networks. After years of trying to hook together a bunch of computers, a few morons can spoil everything.”
I didn’t see how trust had anything to do with it. “Networks are little more than cables and wires,” I said.
“And an interstate highway is just concrete, asphalt, and bridges?” Dennis replied. “You’re seeing the crude physical apparatus—the wires and communications. The real work isn’t laying wires, it’s agreeing to link isolated communities together. It’s figuring out who’s going to pay for the maintenance and improvements. It’s forging alliances between groups that don’t trust each other.”
“Like the military and universities, huh?” I said, thinking of the Internet.
“Yes, and more. The agreements are informal and the networks are overloaded,” Dennis said. “Our software is fragile as well—if people built houses the way we write programs, the first woodpecker would wipe out civilization.”
With the CIA due in ten minutes, Dennis and I talked about what to say. I had no idea what they wanted, other than a listing of last Friday’s activity. I could imagine them: some secret agent looking like James Bond, or a hit man specializing in rubouts. Of course there’d be Mr. Big behind them all, pulling the puppet strings. They’d all be in dark glasses and trench coats.
Dennis gave me instructions. “Cliff, tell them what we know, but don’t speculate. Confine yourself to facts.”
“ ’S’all reet. But suppose there’s a hit man with ’em, who wants to rub me out because I found that they’re spying on the military?”
“Be serious.” Everyone told me to be serious. “And for once, be polite. They’ve got enough problems without a raving Berkeley longhair. And skip the yo-yo tricks.”
“Yes, Daddy. I’ll be good. I promise.”
“Don’t worry about them. They’re like anyone else around here, except a bit more paranoid.”
“And a bit more Republican,” I added.
OK, so they didn’t wear trench coats. Not even sunglasses. Instead, boring suits and ties. I should have warned them to dress like the natives: beat-up dungarees and flannel shirts.
Wayne saw the four of them walk up the drive and flashed a message to my terminal: “All hands on deck. Sales reps approach through starboard portal. Charcoal-gray suits. Set warp speed to avoid IBM sales pitch.” If only he knew.
The four spooks introduced themselves. One guy in his fifties said he was there as a driver, and didn’t give his name—he just sat there quietly the whole time. The second spy, Greg Fennel, I guessed to be a computer jockey, because he seemed uncomfortable in a suit.
The third agent was built like a halfback. Teejay didn’t give his last name—or did he conceal his first name? If anyone was the hit man, Teejay was. The fourth guy must be the bigwig: everyone shut up when he talked. Together, they looked more like bureaucrats than spies.
The four of them sat quietly while Dennis gave them an overview of what we’d seen. No questions. I walked to the chalkboard and drew a diagram:
Greg Fennel wouldn’t let me get away with just a drawing. “Prove the connection from the phone company to Tymnet.”
I described the phone trace and the conference calls to Ron Vivier.
“Since he’s not erasing anything, how did you detect him?”
“A hiccup in our accounting system, you see, he imbalanced our accounts when he …”
Greg interrupted, “So he’s super-user on your Unix system? Bad news, huh?” Greg seemed to be a sharp systems guy. I figured I might as well go into detail.
“It’s a bug in the Gnu-Emacs editor. Its mail utility runs with root privilege.” Technical questions were easy.
We talked Unix for a bit, and Mr. Big started playing with his pencil. “Can you give us a profile of this guy? How old is he? What’s his level of expertise?”
Tougher question. “Well, we’ve only watched him for three weeks, so it’s hard to say. He’s accustomed to AT&T Unix, so he’s not from around Berkeley. Perhaps he’s a high school student. He’s paranoid, always looking over his shoulder, yet patient, and not very creative.”
“Does he know English?”
“Well, we think that he once sent mail to our system manager, saying, ‘Hello.’ After sending that message, he never again used that account.”
Teejay, silent until now, asked “Is he recording his sessions?”
“I can’t tell for certain, but I think that he’s keeping a notebook. At the very least, he’s got a good memory.”
Mr. Big nodded and asked, “What keywords has he scanned for?”
“He looks for words like password, nuclear, SDI, and Norad. He’s picked some curious passwords—lblhack, hedges, jaeger, hunter, and benson. The accounts he stole, Goran, Sventek, Whitberg, and Mark don’t say much about him because the names are people here at the laboratory.”
Teejay suddenly lit up. He passed a note to Greg. Greg passed it on to Mr. Big, who nodded and asked, “Tell me what did he do at Anniston?”
“I don’t have much of a printout there,” I said. “He was into their system for several months, perhaps as long as a year. Now, since he knows they’ve detected him, he logs in only for a moment.”
Mr. Big fidgeted a bit, meaning that the meeting was about to break up. Greg asked one more question, “What machines has he attacked?”
“Ours, of course, and the Army base in Anniston. He’s tried to get into White Sands Missile Range, and some Navy shipyard in Maryland. I think it’s called Dockmaster.”
“Shit!” Greg and Teejay simultaneously exclaimed. Mr. Big looked at them quizzically. Greg said, “How do you know he hit Dockmaster?”
“About the same time he screwed up our accounting, this Dockmaster place sent us a message saying that someone had tried to break in there.” I didn’t know what the big deal was.
“Did he succeed?”
“I don’t think so. What is this Dockmaster place, anyway? Aren’t they some Navy shipyard?”
They whispered among themselves, and Mr. Big nodded. Greg explained, “Dockmaster isn’t a Navy shipyard. It’s run by the National Security Agency.”
A hacker breaking into NSA? Bizarre. This guy wanted to get into the CIA, the NSA, Army missile bases, and the North American Air Defense headquarters.
I knew a little about the NSA. They’re the secret electronics spooks that listen in on foreign radio broadcasts. They launch satellites to listen to Soviet telephone calls. I’d heard (and didn’t believe) rumors that they record every overseas phone call and telegram.
Greg explained from his standpoint. “Most of NSA works on collecting and analyzing signals from abroad. One section, however, works on protecting information belonging to the United States.”
“Yeah,” I said, “like making ciphers that you think the Commies can’t break.” Dennis shot me a glance and silently mouthed the word, “Polite.”
“Uh, yeah,” Greg said, “that group worries about computer security. They run the Dockmaster computer.”
“Sounds like Janus, the two-faced god,” I said. “One side tries to crack ciphers of foreign countries; the other side tries to make unbreakable codes. Always pulling in opposite directions.”
“Sorta like our own agency,” Greg looked around nervously. “We’re known for dirty tricks, but we’re fundamentally a news organization. Most of our work is just gathering and analyzing information, yet try saying that on campus.” Greg rolled his eyes. He’d paid his dues as a college recruiter. Hard to say why, but this spy seemed reasonable. Not arrogant, but sensitive and aware. If we must poke around in dark corners, I’d be more comfortable with him in charge.
“Well then, why can I reach NSA’s computers from my unclassified and obviously insecure computer?” If I could reach out and touch NSA, then they could touch me.
“Dockmaster is NSA’s only unclassified computer,” Greg said. “It belongs to their computer security group, which is actually public.”
Mr. Big started talking slowly. “There’s not much we can do about this affair. I think there’s no evidence of foreign espionage. Agents on assignment don’t send notes to adversaries.”
“Well, who should be working on this case?” I asked.
“The FBI. I’m sorry, but this isn’t our bailiwick. Our entire involvement has been the exposure of four names—names that are already in the public domain, I might add.”
On the way out, I showed our Vax computers to Greg and Teejay. Between rows of disk drives, Greg said, “This is the most serious hacker problem I’ve heard of. Despite what the boss says, could you keep me informed?”
I decided to trust this guy. “Sure. Want a copy of my logbook?”
“Yes. Send me anything. Even if the agency can’t do anything, we need to become aware of this type of threat.”
“Why? Do spooks have computers?”
Greg looked at Teejay and laughed. “We’ve lost count. Our building floats on computers.”
“What would the CIA use computers for? Can you overthrow foreign governments with software?” Dennis wasn’t around to tell me to be polite.
“Stop thinking that we’re arch villains and think of us instead as information gatherers. The information’s worthless until it’s correlated, analyzed, and summarized. That alone is a lot of word processing.”
“Personal computer stuff, I’ll bet.”
“No, not if you want to do it right. We’re trying to avoid the next Pearl Harbor, and that means getting information to the right person fast. Right off, that says networks and computers. To analyze and predict the actions of foreign governments, we use computer-based models. Again, big computers. Nowadays, everything from economic forecasts to image processing requires powerful number crunchers.”
I’d never thought of the CIA as needing really major computers. “How do you keep your systems secure?”
“Strict isolation. There’s no wires connecting to the outside.”
“Can any CIA agent read anyone else’s files?”
Greg laughed, but Teejay didn’t. “No way. In our world, everyone’s compartmentalized. So if one person turns out to be, how should I say, less than trustworthy, the amount of damage is limited.”
“Then how do you keep people from reading each other’s files?”
“We use trusted operating systems. Computers with thick walls between each individual’s data. If you want to read someone else’s files, then you’ve got to get permission. Teejay can tell you some horror stories.”
Teejay looked sideways at Greg. Greg said, “Go ahead, Teejay. It’s already public.”
“Two years ago, one of our contractors built a centralized terminal switchbox,” Teejay said. “We needed to interconnect a few thousand terminals to some of our computers.”
“Oh, like my lab’s switchyard.”
“Multiply your switchyard by fifty, and you have some idea.”
Teejay continued, “Each employee of this contractor had to pass the same tests as our regular employees—compartmentalized top secret.
“Well, one of our secretaries went on vacation for a month. When she returned and logged onto her computer, she noticed that her account had been accessed a week earlier. You see, every time you sign onto our computers, it shows the date when you last logged on.”
“We started sniffing around. The SOB that had connected the terminals wiretapped them from our computer room. He’d capture passwords and text, and then pry into our password disks.”
I knew how easy it was to watch the traffic in the LBL switchyard. “Did you bump him off?” I asked, imagining some midnight action with a silenced gun.
Teejay looked at me strangely. “Be serious. Where we come from, it’s ‘In God we trust, all others we polygraph.’ ”
Greg finished the story. “We wired him to a lie detector for a week, and the FBI indicted him. It’ll be a long time before he sees sunlight.”
Walking out of the lab, I asked Teejay, “Looks like the CIA’s not going to do much for me, huh?”
“If my superior doesn’t think it’s serious, there’s not much we can do. Ed Manning has the power to make something happen.”
“Huh? I thought Ed Manning was a programmer?”
“Hardly. He’s director of information technology. When you called him, you hit a central nerve.”
A director who knew his way around the networks? Now that’s a rare organization. No wonder they flew four people out here. There’s a bigger Mr. Big back at the headquarters.
“So when you report that there’s nothing shaking here, you’ll drop it?”
“Well, there’s not much that we can do,” Greg said. “It’s the FBI’s territory.”
“Any chance you can rattle their cages and ask them to investigate?”
“I’ll try, but don’t expect much. The FBI likes to chase bank robbers and kidnappers. Computer crime, well, let’s say they’ve got other worries.”
“What I hear you saying is, ‘Stop watching and zipper things up.’ ”
“Not quite. You’re watching an extensive attack on our networks. Someone’s going after the very heart of our information systems. We’ve expected minor attacks for several years, but I’ve never heard of anything this far reaching. The convoluted connections, the singleminded search for sensitive targets … it points to an adversary who’s determined to get into our computers. If you close your doors, he’ll just find another way in.”
“So you’re saying, ‘Stay open and keep monitoring’ even though the FBI ignores us.”
Greg looked at Teejay. “I can’t buck my management. But you’re doing an important piece of, well, research. The FBI will eventually wake up. Until then, keep at it.”
I was astonished—these guys saw the severity of the situation but couldn’t do anything. Or were they just saying that?
Encouraging words from the CIA.
It would have been a fun show for the spooks if the hacker appeared while they were visiting. Instead he showed up the next morning at 9:10. Once again we started the traces through Tymnet and the phone company; once again we struck a brick wall somewhere in Virginia. If only our California search warrant were good in Virginia …
That day the hacker seemed confident, even arrogant. He performed his usual tricks: checking who’s on the system, sneaking through the hole in our operating system, listing electronic mail. In the past he made occasional mistakes as he tried new commands. Today he used no new commands. He was smooth, determined. No mistakes.
As if he were showing off.
He went straight for the Anniston Army Depot and printed out a short file about the combat readiness of Army missiles. He then tried the Army’s Ballistic Research Lab’s computers in Aberdeen, Maryland. The Milnet took only a second to connect, but BRL’s passwords defeated him: he couldn’t get through.
He wasted the rest of my morning by raking through my scientists’ files, searching for passwords. In a physicist’s area, he found one: an old file that described the way to get into a Cray supercomputer at Lawrence Livermore Labs.
To keep people from guessing passwords into their supercomputer, Livermore also used random computer-generated passwords, like agnitfom or ngagk. Naturally, nobody can remember these passwords. Result? Some people save their passwords in computer files. What good is a combination lock when the combination’s scribbled on the wall?
Dave Cleveland, our Unix Guru, watched the hacker. “At least he can’t get into the classified computers at Livermore,” Dave said.
“Why not?”
“Their classified system is completely off net. It’s isolated.”
“Then what’s the password lead to?”
“Livermore has a few unclassified computers, where they research fusion energy.”
“Sounds like bomb making to me,” I said. Any kind of fusion seemed like bomb making.
“They’re trying to build fusion energy reactors to generate cheap electricity. You know, fusion reactions inside donut-shaped magnetic fields.”
“Sure. I played with one when I was a kid.”
“I thought so. Since it’s not weapons research, that computer’s accessible from networks.”
“We’d better warn Livermore to disable that account.”
“Just wait. You can’t reach the Magnetic Fusion Energy computer from here. Your hacker friend’s going to wear himself out trying.”
“Uh, the ranger’s not gonna like this, Yogi …”
“Trust me.”
The hacker stayed around for a few more minutes, then disconnected. Never even tried to get into Livermore.
“So much for that theory,” Dave shrugged.
In hopes that they might be used as evidence, Dave and I signed the printouts. We left the printers in the switchyard and I wandered back to my office. Within an hour my terminal beeped: the hacker was back.
But none of the printers showed him. Checking the Unix systems, I saw him, logged in as Sventek. But he wasn’t entering through our Tymnet ports!
Quickly, I scanned the dial-in modems. Two scientists editing programs, a bureaucrat listing boilerplate from a contract, and a student writing a love letter. No obvious hacking.
I ran back to my office and glanced at the Unix computer’s status. Sventek, all right. But coming from where?
There: the hacker’s port wasn’t an ordinary 1200-baud line. That’s why he didn’t show up in the switchyard. No, he was coming from our local network. Our ethernet. The green cable that interconnected a hundred terminals and workstations around our laboratory.