Clifford Stoll
Cuckoo's Egg Page 4
Just one problem: there’s a bug in that software.
In the way it was installed on our Unix computer, the Gnu-Emacs editor lets you forward a mail file from your own directory to anyone else in an unusual way. It doesn’t check to see who’s receiving it, or even whether they want the file. It just renames the file and changes its ownership label. You’ve just transferred ownership of the file from you to me.
No problem to send a file from your area to mine. But you’d better not be able to move a file into the protected systems area: only the system manager is allowed there. Stallman’s software had better make sure this can’t happen.
Gnu didn’t check. It let anyone move a file into protected systems space. The hacker knew this; we didn’t.
The hacker used Gnu to swap his special atrun file for the system’s legitimate version. Five minutes later, the system hatched his egg, and he held the keys to my computer.
He had used this technique to fool the computer into giving him power. He planted his phony program where the system expected to find a valid one. The instant that Unix executed his bogus atrun program, he became super-user. The whole operation depended on his being able to move a file anywhere he wished.
Gnu was the hole in our system’s security. A subtle bug in an obscure section of some popular software. Installed blindly by our systems programmers, we’d never thought that it might destroy our whole system’s security.
Now I understood. Our friend must have entered a guest account, leveraged his privileges using Gnu’s hole, and then added a new account to the computer’s files.
In front of me, the first few feet of the printout showed the cuckoo preparing the nest, laying the egg, and waiting for it to hatch. The next seventy feet showed the fledgling cuckoo testing its wings.
As super-user, he had the run of our system. First thing he did was erase his tracks: he switched the good copy of atrun back where it belonged. Then he listed the electronic mail of all our users, reading news, gossip, and love letters. He learned of the past month’s computer changes, grant proposals, and new hires. He searched for changes in the system managers’ files, and discovered that I’d just started work. He checked my salary and résumé. More worrisome, he realized that I was a system manager, and my account name.
Why me? What did I do? At any rate, from now on, I’d better use a different name.
Every ten minutes, the hacker issued the command, “who,” to list everyone logged onto the computer. Apparently, he worried that someone might see him connected, or might be watching. Later, he searched for any changes in the operating system—had I modified the daemons to record his session, as I’d first planned to do, he would surely have discovered it. I felt like a kid playing hide-and-seek, when the seeker passes within inches of his hiding place.
Within the first hour, he wrote a program to scan everyone’s mail messages for any mention of his activity. He searched for the word, “hacker,” and “security.”
One scientist had started a program that assembled data from an experiment over the weekend. Running under the name “gather,” this program innocuously collected information every few minutes and wrote it to a file. The hacker saw this program, spent ten minutes trying to understand what it did, and killed it.
Yow! Here’s someone looking over his shoulder every few minutes, checking to see if anyone’s around. He kills any jobs that he thinks might monitor him. He opens my mail, checking to see if anyone’s written about hackers. Wayne was right: if you stay in the open, he’ll know you’re watching. From now on, we’d have to be subtle and invisible.
When he wasn’t looking back over his shoulder, the hacker was reading files. By studying several scientists’ command files and scripts, he discovered pathways into other lab computers. Every night, our computer automatically calls twenty others, to exchange mail and network news. When the hacker read these phone numbers, he learned twenty new targets.
From the mail file of an engineer:
“Hi, Ed!
I’ll be on vacation for the next couple weeks. If you need to get any of my data, just log into my account on the Vax computer. Account name is Wilson, password is Maryanne (that’s my wife’s name). Have fun!”
The hacker had fun, even if Ed didn’t. He connected through our local area network into that Vax, and had no problem logging into Wilson’s account. Wilson wouldn’t notice the hacker reading his files, and probably wouldn’t care. They contained numerical data, meaningless to anyone but another nuclear physicist.
Our visitor knew about our lab’s internal networks. Our dozen big computers were tied to a hundred laboratory computers using ethernets, serial lines, and chewing gum. When physicists wanted to get data from a computer at the cyclotron into our big computer, elegance meant nothing. They’d use any port, any line, any network. Over the years technicians had woven a web of cables around the lab, interconnecting most of the computers with whatever seemed to work. This local area network reached into every office, connecting PC’s, Macintoshes, and terminals to our mainframe computers.
Often, these networked computers had been arranged to trust each other. If you’re OK on that computer, then you’re OK on this one. This saved a bit of time: people wouldn’t need to present more than one password when using several computers.
The hacker exploited that trust to enter a half dozen computers. As super-user on our main Unix computer, he disguised himself under someone else’s account name. Then he just knocked on the door of another networked machine, and he was admitted without even whispering the password. Our visitor couldn’t know what these systems were used for; still, he felt his way around the net, searching for connections into unexplored computers.
By the end of the session, the printer’s ribbon had run out of ink. By rubbing a pencil lightly over the paper, I could just make out the impressions left from the printhead: the hacker had copied our password file, then disconnected.
A bass guitar note took my attention from the hacker’s trail. The Grateful Dead were playing outdoors at the Berkeley Greek Theater, only a hundred yards downhill from the lab. The police couldn’t keep people from sitting in the field overlooking the concert, so I skipped over there, mingling with a thousand others in tie-dyed shirts. Burnt-out panhandlers, left over from the sixties, walked the crowd, begging tickets and selling posters, buttons, and grass. The drum solo in the second set echoed from Strawberry Canyon, adding a weird backbeat appreciated only by us cheapskates in the fields. Life was full: no hacker is worth missing a Dead concert for.
Monday morning marked my second week on the job. I was an uneasy computer jockey: surrounded by overworked experts, yet not knowing what tasks I ought to be doing. Something fun would turn up; in the meantime, I might as well finish this hacker project.
Like a freshman in physics lab, I wrote about the weekend’s activity in a logbook. Not that I planned to use this logbook: it was a chance to learn a word processor on my Macintosh. The astronomer’s rule of thumb: if you don’t write it down, it didn’t happen.
I passed the results to the gang, hoping nobody would notice that I’d slept overnight in the machine room.
The boss wanted to see me as soon as he arrived.
I suspected he was mad about my grabbing all those terminals. Management might be loose, but computer jocks still weren’t supposed to borrow piles of lab equipment without telling anyone.
But Roy didn’t even grinch about the terminals. He wanted to know about the hacker.
“When did he show up?”
“Sunday morning at five for three hours.”
“Delete any files?”
“Killed one program that he thought was monitoring him.”
“Are we in danger?”
“He’s super-user. He can wipe out all our files.”
“Can we shut him down?”
“Probably. We know the one hole, it’s a quick patch.”
“Think that’ll stop him?”
I could sense where his thoughts were leading. Roy wasn’t concerned about slamming the door. He knew we could easily deactivate the stolen Sventek account. And now that we understood it, fixing the Gnu-Emacs hole wasn’t difficult: just add a couple lines of code to check the target directory.
Should we close our doors or remain open? Closing up shop was the obvious reaction. We knew how this hacker entered our system and knew how to kick him out.
But what else was wrong? What other gifts had our mysterious visitor left for us? How many other accounts did he access? What other computers did he break into?
There was the worry. The printout showed the hacker to be a competent systems programmer, able to exploit obscure bugs that we’d never seen before. What else had he done?
When you’re super-user, you can modify any file in the system. Did the hacker modify a system program to open a backdoor entrance? Had he patched our system to recognize a magic password?
Did he plant a computer virus? On home computers, viruses spread by copying themselves into other pieces of software. When you give an infected piece of software to someone else, the virus copies itself into other software, spreading from disk to disk.
If the virus is benign, it’ll be hard to detect and probably won’t do much damage. But it’s easy to build malicious viruses which duplicate themselves and then erase data files. Just as easy to create a virus that lies dormant for months and then erupts some day in the future.
Viruses are the creatures that haunt programmers’ nightmares.
As super-user, the hacker could infect our system in a way that would be almost impossible to eradicate. His virus could copy itself into systems software and hide in obscure areas of the computer. By copying itself from program to program, it would defy our efforts to erase it.
Unlike a home computer, where you can rebuild the operating system from scratch, we had extensively modified our operating system. We couldn’t go to a manufacturer and say, “Give us an original copy.” Once infected, we could only rebuild our system from backup tapes. If he’d planted a virus six months ago, our tapes would be infected as well.
Maybe he’d planted a logic bomb—a program timed to blow up sometime in the future. Or perhaps this intruder had only rifled our files, killed a couple jobs, and screwed up our accounting. But how could we tell that he hadn’t done much worse? For a week, our computer was wide open to this hacker. Could we prove that he hadn’t tampered with our databases?
How could we again trust our programs and data?
We couldn’t. Trying to shut him out wouldn’t work, as he’d only find another way in. We needed to find out what he had done and what he was doing.
Most of all, we needed to know who was at the other end of the line.
“It’s gotta be some student on the Berkeley campus,” I said to Roy. “They’re the Unix wizards, and they think of us as bozos.”
“I wouldn’t be too sure.” Roy leaned back in his chair. “Why would someone from Berkeley come in through Tymnet, when they could more easily have dialed our system over the telephone lines?”
“Maybe Tymnet is just a cover,” I said. “A place to hide. If he dialed the lab directly, we’d trace him. But now, we’ve got to trace both Tymnet and a telephone call.”
My hand waving didn’t convince the boss. Perhaps from his scientific experience or maybe as a cynical ploy, Roy kept an open mind: it’s not a student until he’s dragged in. Sure, the weekend’s printouts showed a good programmer, but we might be watching any competent computer jockey, anywhere. Tracking the guy meant tracing telephone lines. The price of hard evidence was hard work.
Confronted with traces of a mysterious visitor, Roy only saw footprints. I saw an intruder.
Roy decided not to decide. “Let’s close down all network connections for the day. Tomorrow morning, I’ll talk to the lab director, and get a sense of what to do.” We could delay, but sooner or later we’d have to either start tracing, or lock the guy out.
Did I want to track someone through the city? It would keep me from scientific computing. It had nothing to do with astronomy or physics. And it sounded like cops and robbers—or a game of hide-and-seek.
On the plus side, though, I might learn about phone traces and networks. Best of all was imagining the look on some kid’s face when we barged into his dorm room, shouting, “Freeze! Drop that keyboard!”
Tuesday afternoon, Roy called. “The director says, ‘This is electronic terrorism. Use all the resources you need to catch the bastard. Take all the time you want. Spend three weeks, if you have to. Nail the bastard.’ ”
If I wanted to hunt the hacker, management backed me.
I biked home, thinking of devious hacker-trapping schemes. As I came closer to home, though, my thoughts turned to dinner. So great to have someone to come home to.
Martha Matthews and I had lived together for a few years now, and been friends for almost ten. We’d known each other so well that it was hard to remember a time before I knew her.
Old friends shook their heads. They’d never seen me stay with one woman this long. I’d fall in love, hang around for a couple years, and then we’d grow tired of each other and move on. I was still good friends with several former lovers, but the romance never seemed to last. I’d always been cynical and sarcastic, protecting myself from getting too close to anyone.
But life with Martha felt different. Barrier after barrier came down, slowly, over time. She insisted on talking out our differences, demanded to know the reasons for my moods and tempers, demanded that we think of ways to get along better. It was unbearable sometimes—I hated to talk when I was mad—but it usually seemed to work.
I found myself feeling nesting instincts. The perfect afternoon was to tinker around the house, rewiring a switch, planting some bulbs, or soldering a stained glass window. We spent many a quiet evening, sewing or reading or playing scrabble. I began to feel …
Married? Who, me? No. Definitely not. Marriage was stultifying, a trap for the conventional. You married someone and they expected you to stay the same forever, never changing, never doing anything new. There’d be fights and you couldn’t leave, you’d get tired of the same person every evening, every morning. Limiting, dreary, artificial, and conventional.
Living together was different. We were both free. We freely chose to share each day, and either of us could leave if the relationship was no longer good for us. It was better this way, and Martha seemed content.
Uh, right.
I wondered if she’d remain cheerful if I spent the next few weeks sleeping at work.
Three weeks to catch a hacker. How long should this take? Perhaps a couple days to set up traces, another few days to track him through the networks, and then bust him. Probably we’d need the cooperation of the police, so add a day or two. We could wrap it up in two weeks, then I’d be back to managing a computer, and maybe a bit of astronomy on the side.
We needed to weave a net fine enough to catch the hacker, but coarse enough to let our scientists through. I’d have to detect the hacker as soon as he came on line and call Tymnet’s technicians to trace the call.
Detecting the hacker was easy: I’d just camp out in my office alongside two terminals. One terminal for working, another to watch the system. Each time someone logged onto the computer, two beeps would tell me to check out the new user. As soon as a stranger showed up, I’d run down to the switchyard and see what they were doing.
Theoretically foolproof. Impossible in practice. From a thousand users, I knew about twenty. The other 980? Well, I had to check each one. So every two minutes I’d jog down the hall, thinking that I’d caught someone. And since I’d miss the signal if I went home, I ignored Martha and slept under the desk.
The rug smelled like a seat on a crosstown bus and whenever the terminal beeped, I’d sit up and gouge my head on the bottom of a drawer. A couple nights of slicing my forehead convinced me that there had to be an easier way.
If I knew the stolen account names, it would be easy to write a program that watched for the bad guy to show up. No need to check out every person using the computer; just ring a bell when a stolen account was in use. But I also remembered Wayne Graves’ warning—stay invisible.
That meant no jobs running on the main computer. But I could watch from another computer. We’d just installed a new Unix computer, our Unix-8 system. Nobody had used it yet, so it might not be secure, but it surely wasn’t contaminated. I could connect it to our local area network, secure it against all possible attacks, and let it watch the Unix-4 and Unix-5 computers.
I’d protect my Unix-8 castle with a one-way moat. Information could come into the computer, but nothing could go out. Dave Cleveland, hardly excited about chasing a hacker, smiled slightly and told me how to set Unix-8 to reject all log-in attempts, yet covertly scan the other Unix machines for signs of bad guys.
The program wasn’t hard—just a few dozen lines of code to get a status block from each of the local computers. From long tradition, astronomers have programmed in Fortran, so I wasn’t surprised when Dave gave me the hairy eyeball for using such an antiquated language. He challenged me to use the C language; in a few minutes he’d reduced it to twenty lines of tightly written code.
We fired up Dave’s watchdog program on the Unix-8 computer. From the outside, it looked like just one more laboratory system. Anyone inquiring about its status received an invitation to log in. But you couldn’t log on, since that computer rejected everyone except Dave and me. The hacker shouldn’t be suspicious, since that computer didn’t appear to be hooked up.
From this high ground, a network messenger asked each of the other Unix computers, “Hey, who’s logged on?” Each minute, the Unix-8 program analyzed these reports, and searched for Sventek’s name. When Sventek showed up, my terminal beeped, and it was forehead-gouging time.
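As an added illustration of the watchdog's core check (this is not Stoll's or Dave Cleveland's program, which the book does not reproduce), the C sketch below takes one host's "who" report, pulls the account name from each line, and rings the terminal bell whenever a watched account is logged on. The report lines, the host name and the watch list are constructed sample values; the real program fetched each Unix machine's report over the network once a minute.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of one host's "who" report (account, terminal, time);
 * "sventek" stands in for the stolen account the page describes. */
static const char *sample_report[] = {
    "stoll     tty03   Sep 22 05:12",
    "wilson    ttyp1   Sep 22 05:40",
    "sventek   ttyp4   Sep 22 05:51",
    "gather    ttyp7   Sep 21 23:02",
};

/* Accounts known to be stolen: any of them logged on rings the bell. */
static const char *watched[] = { "sventek" };

/* Return 1 if the account name is on the watch list, else 0. */
int is_watched(const char *account)
{
    for (size_t i = 0; i < sizeof(watched) / sizeof(*watched); i++)
        if (strcmp(account, watched[i]) == 0) return 1;
    return 0;
}

/* Copy the first field of a "who" line into name; 0 if blank/malformed. */
int account_from_line(const char *line, char *name, size_t len)
{
    size_t i = 0;
    while (*line == ' ' || *line == '\t') line++;          /* skip indent */
    while (*line && *line != ' ' && *line != '\t' && i + 1 < len)
        name[i++] = *line++;
    name[i] = '\0';
    return i > 0;
}

/* Scan one host's report: print an alert per watched account seen and
 * return how many alerts fired (0 means nothing to check this minute). */
int scan_report(const char *host, const char **lines, size_t count)
{
    char name[32];
    int alerts = 0;
    for (size_t i = 0; i < count; i++) {
        if (!account_from_line(lines[i], name, sizeof name)) continue;
        if (is_watched(name)) {
            printf("\a%s: watched account %s logged on: %s\n",
                   host, name, lines[i]);   /* \a sounds the terminal bell */
            alerts++;
        }
    }
    return alerts;
}

int main(void)
{
    /* One pass over the constructed sample; the watchdog repeated this per host. */
    size_t n = sizeof(sample_report) / sizeof(*sample_report);
    return scan_report("unix-4", sample_report, n) ? 0 : 1;
}
```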
But alarms alone wouldn’t catch the hacker. We needed to track him through our system, and back to his lair. And to protect ourselves, we had to know what he was doing.