The Cuckoo's Egg
------------------------------------
from Clifford Stoll
Until a week before, I had been an astronomer, contentedly
designing telescope optics. But then I found myself transferred from
the Keck Observatory at the Lawrence Berkeley Lab (LBL) down to the
computer center in the basement of the same building.
On either side of my new cubicle were the offices of two systems
people, Wayne Graves and Dave Cleveland, the old hands of the system.
Together, Wayne, Dave, and I were to run the computers as a labwide
utility. We managed a dozen mainframe computers-giant workhorses for
solving physics problems, together worth around $6 million. The
scientists using the computers were supposed to see a simple,
powerful computing system, as reliable as the electric company. This
meant keeping the machines running full-time, around the clock. And
just like a utility company, we charged for every cycle of computing
that was used.
On my second day, Dave was mumbling about a hiccup in the Unix
accounting system. Someone must have used a few seconds of computing
time without paying for it. The computer's books didn't quite
balance; last month's bills of $2,387 showed a 75-cent shortfall.
Now, an error of a few thousand dollars is obvious, and isn't hard
to find. But errors in the pennies column arise from deeply buried
problems, so finding these bugs is a natural test for a budding
software wizard.
Around about 7 p.m., my eye caught the name of one user, Hunter.
This guy didn't have a valid billing address. Ha! Hunter had used 75
cents of time in the past month, but nobody had paid for him. Here
was the source of our imbalance. Someone had screwed up while adding
a user to our system. A trivial problem caused by a trivial error.
A day later, an obscure computer named Dockmaster sent us an
electronic-mail message. Its system manager claimed that someone from
our laboratory had tried to break into his computer over the weekend.
I guessed Dockmaster was some navy shipyard. It wasn't important, but
it seemed worth spending a few minutes looking into.
The message gave the date and time when someone on our Unix
computer tried to log in to Dockmaster's computer. Our stock Unix
accounting file showed a user, Sventek, logging in to our system at
8:25, doing nothing for half an hour, and then disconnecting. No
time-stamped activity in between. Our homebrew software also recorded
Sventek's activity, but it showed him using the networks from 8:31
until 9:01 a.m.
Jeez. Another accounting problem. The timestamps didn't agree. One
recorded activity when the other account said everything was dormant.
Why were the two accounting systems keeping different times? And
why was some activity logged in one file without showing up in the
other? Was this related to the earlier accounting problem? Had I
screwed things up when I poked around before? Or was there some other
explanation-was there a hacker on the loose?
So how do you find a hacker? I figured it was simple: just watch
for anyone using Sventek's accounts, and try to trace the connection.
I spent Thursday watching people log in to the computer. I wrote a
program to beep my terminal whenever someone connected. At 12:33 on
Thursday afternoon, Sventek logged in. I felt a rush of adrenaline,
then a complete letdown when he disappeared within a minute. Where
was he? The only pointer left for me was the identifier of his
terminal: he had used terminal port tt23. I suspected a dial-in
modem, connected from some telephone line, but it might conceivably
be someone at the laboratory.
By lucky accident, the connection had left some footprints behind.
Paul Murray, a reclusive hardware technician who hides in thickets of
telephone wire, had been collecting statistics on how many people
used our communications switchyard. By chance he had recorded the
port numbers of each connection for the past month. Since I knew when
Sventek was active on port tt23, we could figure out where he came
from. The printout of the statistics showed a one-minute, 1,200-bit-
per-second connection had taken place at 12:33.
Any lab employee here on the hill would run at high speed-9,600 or
19,200 bps. Only someone calling through a modem would let his data
dribble out a 1,200-bps soda straw. But how to catch him? About the
only place to watch our incoming traffic was in between the modems
and the computers. Our modem lines were flat, 25-conductor wires,
snaking underneath the switchyard's false floor. A printer or
personal computer could be wired in parallel with each of these
lines, recording every keystroke that came through.
A kludge? Yes. Workable? Maybe.
All we'd need were 50 teletypes, printers, and portable computers.
I rounded them up; strewn with four dozen obsolete teletypes and
portable terminals, the floor looked like a computer engineer's
nightmare. I slept in the middle, nursing the printers and computers.
Each was grabbing data from a different line, and whenever someone
dialed our system, I'd wake up to the chatter of their typing. Every
half-hour, a printer would run out of paper or a computer out of disk
space, so I'd have to roll over and reload. Saturday morning, a
coworker shook me awake. "Well, where's your hacker?"
The first 49 printers and monitors showed nothing interesting. But
from the 50th trailed 80 feet of printout. During the night, someone
had sneaked in through a hole in the operating system.
For three hours a hacker had strolled through my system, reading
whatever he wished. Unknown to him, my DECwriter had saved his
session on singlespaced computer paper. Here was every command he
issued, every typing mistake, and every response from the computer.
This printer monitored the line from Tymnet, a communications
company that interconnected computers around the world. Our hacker
might be anywhere.
How the Cuckoo Laid Its Egg.
The hacker had become a super-user. He was like a cuckoo bird. The
cuckoo is a nesting parasite that lays her eggs in other birds'
nests: some other bird will raise her young. The survival of cuckoo
chicks depends on the ignorance of other species.
Our mysterious visitor had laid an egg-program into our computer,
letting the system hatch it and feed it privileges.
That morning, the hacker wrote a short program to grab privileges.
Normally, Unix won't allow such a program to run, since it never
gives privileges beyond what a user is assigned. But if our hacker
ran this program from a privileged account, he'd become privileged.
His problem was to masquerade this special program-the cuckoo's egg-
so that it would be hatched by the system.
Every five minutes, the Unix system executes its own program
called atrun. In turn, atrun schedules other jobs and does routine
housecleaning tasks. It runs in a privileged mode, with the full
power and trust of the operating system behind it. If a bogus atrun
program were substituted, it would be executed within five minutes,
with full system privileges. For this reason, atrun sits in a
protected area of the system, available only to the system manager.
Nobody else has license to tamper with atrun.
Here was the cuckoo's nest: for five minutes he would swap his egg
for the system's atrun program. For this attack, he needed to find a
way to move his egg-program into the protected systems nest. The
operating system's barriers are built specifically to prevent this.
But there was a wildcard that we'd never noticed.
We used a powerful editing program called GnuEmacs. But Gnu's much
more than just a text editor-it's a foundation upon which other
programs can be built. It even has its own mail facility built in.
Just one problem: there's a bug in that software.
Because of the way it was installed on our Unix computer, the Gnu-
Emacs editor lets you forward a mail file from your own directory to
anyone else's. It doesn't check to see who's receiving it, or even
whether they want the file. No problem to send a file from your area
to mine. But you'd better not be able to move a file into the
protected systems area: only the systems manager is allowed there.
Gnu didn't check. It let anyone move a file into protected systems
space. The hacker knew this; we didn't. He used Gnu to swap his
special atrun file for the system's legitimate version. Five minutes
later, the system hatched his egg, and he held the keys to my
computer.
In front of me, the first few feet of the printout showed the
cuckoo preparing the nest, laying the egg, and waiting for it to
hatch. The next 70 feet showed the fledgling cuckoo testing its
wings.
As a super-user, he had the run of our system and could read
anybody's work. By studying several scientists' command files and
scripts, he discovered pathways into other lab computers. Every
night, our computer automatically calls 20 others, to exchange mail
and network news. When the hacker read these phone numbers, he
learned 20 new targets.
I had to weave a net fine enough to catch the hacker but coarse
enough to let our scientists through. I'd have to detect the hacker
as soon as he came online and call Tymnet's technicians to trace the
call.
If I knew the stolen account names, it would be easy to write a
program that watched for the bad guy to show up. No need to check out
every person using the computer; just ring a bell when a stolen
account was in use. But I also had to stay invisible to the hacker,
so I wrote the program for a new Unix-8 system we had just installed.
I could connect it to our local area network, secure it against all
possible attacks, and let it watch the other computers, all the while
recording the traffic on printers.
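The two checks described above, the mismatch between the stock accounting file and the homebrew network log, and the watchdog that rings only when a stolen account is in use, as an added example that is not from the book. Both log formats, the account names, ttys and timestamps in the samples are constructed for illustration.

```python
"""Two defender checks from the passages above, reconstructed as code.

Added example, not from the book. Both log formats, the account names,
ttys and timestamps in the samples are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for the stock Unix accounting file:
# "user tty login-date login-time logout-date logout-time", one session per line.
ACCOUNTING_LOG = """\
sventek tt23 1986-08-26 08:25 1986-08-26 08:55
dave    tt04 1986-08-26 08:40 1986-08-26 11:10
wayne   tt07 1986-08-26 09:15 1986-08-26 12:30
"""

# Constructed stand-in for the homebrew network-usage log:
# "user start-date start-time end-date end-time", one network session per line.
NETWORK_LOG = """\
sventek 1986-08-26 08:31 1986-08-26 09:01
dave    1986-08-26 08:45 1986-08-26 09:00
"""

# Accounts the text names as stolen; the watchdog rings on any login by these.
WATCHED_ACCOUNTS = frozenset({"sventek", "goran"})


@dataclass(frozen=True)
class Session:
    user: str
    tty: str          # empty for network-log sessions, which carry no port
    start: datetime
    end: datetime


def _ts(date: str, time: str) -> datetime:
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")


def parse_accounting(text: str) -> list[Session]:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, tty, d1, t1, d2, t2 = line.split()
        sessions.append(Session(user, tty, _ts(d1, t1), _ts(d2, t2)))
    return sessions


def parse_network(text: str) -> list[Session]:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, d1, t1, d2, t2 = line.split()
        sessions.append(Session(user, "", _ts(d1, t1), _ts(d2, t2)))
    return sessions


def uncovered_minutes(net: Session, accounting: list[Session]) -> int:
    """Minutes of a network session that no accounting session of the
    same user covers. This is the 'mouse dropping': the network log saw
    the user while the accounting file says nobody was logged in.
    Assumes one user's accounting sessions do not overlap each other."""
    covered = timedelta(0)
    for acct in accounting:
        if acct.user != net.user:
            continue
        lo, hi = max(acct.start, net.start), min(acct.end, net.end)
        if hi > lo:
            covered += hi - lo
    gap = (net.end - net.start) - covered
    return int(gap.total_seconds() // 60)


def reconcile(accounting_text: str, network_text: str) -> list[dict]:
    """Cross-check the two records and report every network session with
    activity the accounting file cannot account for."""
    accounting = parse_accounting(accounting_text)
    findings = []
    for net in parse_network(network_text):
        gap = uncovered_minutes(net, accounting)
        if gap > 0:
            findings.append({"user": net.user, "uncovered_minutes": gap,
                             "network_window": f"{net.start:%H:%M}-{net.end:%H:%M}"})
    return findings


def watchdog(accounting_text: str, watched=WATCHED_ACCOUNTS) -> list[tuple[str, str, str]]:
    """Ring the bell: one (user, tty, login time) alert per login by a
    watched account, without inspecting any other user's sessions."""
    return [(s.user, s.tty, f"{s.start:%Y-%m-%d %H:%M}")
            for s in parse_accounting(accounting_text) if s.user in watched]


if __name__ == "__main__":
    for finding in reconcile(ACCOUNTING_LOG, NETWORK_LOG):
        print("accounting gap:", finding)
    for alert in watchdog(ACCOUNTING_LOG):
        print("BEEP BEEP stolen account in use:", alert)
```

On the sample data the reconciliation flags six minutes of sventek's network activity (08:55 to 09:01) that the accounting file never recorded, the same shape of discrepancy the text describes.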
Wednesday afternoon, September 3, 1986, marked a week since we'd
first detected the hacker. Suddenly, the terminal beeped twice:
Sventek's account was active. I ran to the switchyard; the top of the
ream of paper showed that the hacker had logged in at 2:26 and was
still active.
Logged in as Sventek, he first listed the names of everyone
connected. Lucky-there was nobody but the usual gang of physicists
and astronomers; my watchdog program was well concealed within the
Unix-8 computer.
He didn't become a super-user; rather, he checked that the Gnu-
Emacs file hadn't been modified. At 2:37, 11 minutes after logging
in, he abruptly logged off. But not before we'd started the trace.
Ron Vivier traces Tymnet's network within North America. In a
couple of minutes he had traced the connection from LBL's Tymnet port
into an Oakland Tymnet office, where someone had dialed in.
It's easier to call straight into our Berkeley lab than to go
through Oakland's Tymnet office. Calling the local Tymnet access
number instead of our lab was like taking the interstate to drive
three blocks. But calling via Tymnet added one more layer to trace.
Whoever was at the other end of the line knew how to hide.
The morning after we had watched the hacker break in to our
system, my boss met with Aletha Owens, the lab's attorney. She wasted
no time in calling the FBI.
Our local FBI office didn't raise an eyebrow. Fred Wyniken,
special agent with the Oakland resident agency, asked incredulously,
"You're calling us because you've lost 75 cents in computer time?"
Owens tried explaining information security and the value of our
data. Wyniken interrupted, "Look, if you can demonstrate a loss of
more than a million dollars, or that someone's prying through
classified data, then we'll open an investigation. Until then, leave
us alone."
Wednesday, September 10, at 7:51 a.m., the hacker appeared in our
system for six minutes. I wasn't at the lab to watch, but the printer
saved three pages of his trail. He logged in to our computer from
Tymnet as Sventek, then jumped into another network. Using Milnet, a
network that links military computers, he connected to address
26.0.0.113. He logged in there as Hunter, checked that they had a
copy of Gnu-Emacs, and disappeared.
The hacker left an indelible trail downstream to the Redstone Army
Depot in Anniston, Alabama, the home of the army's Redstone missile
complex, 2,000 miles from Berkeley. He listed files at the Anniston
system. Judging from the dates of these files, he'd been in
Anniston's computers since early June. For four months, an
illegitimate system manager had been using an army computer. Yet he'd
been discovered by accident, not through some logic bomb or lost
information.
Looking closely at the morning's printout, I saw that, on the
Anniston computer, the hacker had changed Hunter's password to
Hedges. A clue at last: of zillions of possible passwords, he'd
chosen Hedges. Hedges Hunter? Hunter Hedges? A hedge hunter?
Time was running out; if I didn't catch the hacker soon, the lab
would shut down my tracking operation and put me on other work. At
2:30 in the afternoon, the printer advanced a page and the hacker
logged in with a new stolen account, Goran. A minute after the hacker
connected, I called the phone company and Ron Vivier at Tymnet. I
took notes as Ron mumbled. "He's coming into your port 14 and
entering Tymnet from Oakland. It's our port 322, which is, uh, let me
see here." I could hear him tapping his keyboard. "Yeah, it's 2902.
430-2902. That's the number to trace."
The phone company, by law, couldn't reveal information about the
trace to me, but my printers showed his every move. While I talked to
Tymnet and the telephone techs, the hacker had prowled through my
computer. He wasn't satisfied reading the system manager's mail; he
also snooped through mail for several nuclear physicists.
After 15 minutes of reading our mail, he jumped back into Goran's
stolen account, using a new password, Benson. He started a program
that searched our users' files for passwords; while that executed, he
called up the Milnet Network Information Center and asked for a
pathway into the CIA.
Instead of their computer, though, he found four people who worked
at the CIA. Later, I phoned one of them.
I didn't know where to begin. How do you introduce yourself to a
spy?
"Uh, you don't know me, but I'm a computer manager, and we've been
following a computer hacker."
"Uh-huh." "Well, he searched for a pathway to try to get into the
CIA's computers. He found your name and phone number."
"Who are you?" Nervously, I told him, expecting him to send over
a gang of hit men in trench coats. I described our laboratory, making
sure he understood that the People's Republic of Berkeley didn't have
official diplomatic relations with his organization. He sent over a
delegation several days later. OK, so they didn't wear trench coats.
Not even sunglasses. Just boring suits and ties. Wayne saw the four
of them walk up the drive and flashed a message to my terminal: "All
hands on deck. Sales reps approach through starboard portal. Charcoal
gray suits. Set warp speed to avoid IBM sales pitch." If only he
knew.
The four spooks introduced themselves. One guy in his fifties said
he was there as a "navigator" and didn't give his name-he just sat
there quietly the whole time. The second spy, Greg Fennel, I guessed
to be a computer jockey, because he seemed uncomfortable in a suit.
The third agent, Teejay, was built like a halfback. The fourth guy
must have been the bigwig: everyone shut up when he talked. Together,
they looked more like bureaucrats than spies.
The four of them sat quietly while we gave them an overview of
what we'd seen. Mr. Big nodded and asked, "What keywords has he
scanned for?"
"He looks for words like password, nuclear, SDI, and Norad. He's
picked some curious passwords: lblhack, hedges, jaeger, hunter, and
benson. The accounts he stole, Goran, Sventek, Whitberg, and Mark,
don't say much about him, because the names are people here at the
laboratory."
Mr. Big nodded and asked, "Tell me, what did he do at Anniston?"
"I don't have much of a printout there," I said. "He was into
their system for several months, perhaps as long as a year. Now,
since he knows they've detected him, he logs in only for a moment."
Mr. Big fidgeted a bit, meaning that the meeting was about to
break up. Greg asked one more question. "What machines has he
attacked?"
"Ours, of course, and the army base in Anniston. He's tried to get
into White Sands Missile Range, and some navy shipyard in Maryland. I
think it's called Dockmaster." "Shit!" Greg and Teejay
simultaneously exclaimed. Greg said, "How do you know he hit
Dockmaster?"
"About the same time he screwed up our accounting, this Dockmaster
place sent us a message saying that someone had tried to break in
there."
"Did he succeed?" "I don't think so. What is this Dockmaster
place, anyway? Aren't they some navy shipyard?"
They whispered among themselves, and Mr. Big nodded. Greg
explained: "Dockmaster isn't a navy shipyard. It's run by the
National Security Agency."
A hacker breaking into the NSA? Bizarre. This hacker wanted to get
into the CIA, the NSA, army missile bases, and the North American Air
Defense headquarters. "Dockmaster is NSA's only unclassified
computer," Greg said. "It belongs to its computer security group,
which is actually public." Mr. Big started talking slowly. "There's
not much we can do about this affair. I think there's no evidence of
foreign espionage."
"Well, who should be working on this case?" I asked.
"The FBI. I'm sorry, but this isn't our bailiwick. Our entire
involvement has been the exposure of four names-names that are
already in the public domain, I might add."
Then they were gone.
The spooks were no help, so I was on my own again. I searched the
Berkeley phone book for Jaegers and Bensons; I figured I ought to try
Stanford as well. So I stopped by the library. Maggie Morley, our 45-
year-old documentmeister, plays rough-and-tumble Scrabble: posted on
her door is a list of all legal three-letter Scrabble words.
"I need a Stanford telephone book," I said. "I'm looking for everyone
in Silicon Valley named Jaeger or Benson."
"Jaeger. A word that's been kind to me," Maggie smiled. "Worth 16
points, but I once won a game with it, when the J landed on a
triple-letter score. Turned into 75 points."
"Yeah, but I need it because it's the hacker's password. Hey, I
didn't know names were legal in Scrabble."
"Jaeger's not a name. Well, maybe it's a name-Ellsworth Jaeger, the
famous ornithologist, for instance-but it's a type of bird. Gets its
name from the German word meaning hunter."
"Huh? Did you say hunter?"
"Yes. Jaegers are hunting birds that badger other birds with full
beaks. They harass weaker birds until they drop their prey."
"Hot ziggity! You answered my question. I don't need the phone
book." "Well, what else can I do for you?"
"How about explaining the relationship between the words hedges,
jaeger, hunter, and benson?"
"Well, jaeger and hunter is obvious to anyone who knows German.
And smokers know Benson & Hedges."
Omigod-my hacker smokes Benson & Hedges. Maggie had won on a
triple-word score.
During one of the phone traces, I had copied down all the numbers
and digits I heard from the technician. I called all combinations of
them and ended up at a computer modem at Mitre, a defense contractor
just down the road from CIA headquarters in McLean, Virginia. How
deeply was Mitre's system infested? By listing its directory, I saw
that the hacker had created a Trojan horse there on June 17. For six
months, someone had silently booby-trapped Mitre's computers.
In all likelihood, Mitre served as a way station, a stepping-stone
on the way to breaking into other computers. Someone dialed into
Mitre, turned around, and dialed out from it. This way, Mitre paid
the bills both ways: the incoming Tymnet connection and the outgoing
long-distance phone call. Even nicer, Mitre served as a hiding place,
a hole in the wall that couldn't be traced.
Monday morning, I called a man named Bill Chandler at Mitre and
told him the news. Bill wanted me to be quiet about the problems I
had found. Well, yes, but I had a price.
"Say, Bill, could you send me copies of your computer's phone
bills?" "What for?" "It might be fun to see where else this hacker
got into." Two weeks later, a thick envelope arrived, stuffed with
long-distance bills from Chesapeake and Potomac. Six months of phone
bills. Dates, times, phone numbers, and cities. Probably 5,000 in
all. So many that I couldn't analyze them by hand. Perfect for
analyzing on a computer-there's plenty of software designed to search
out correlations. All I had to do was enter them into my Macintosh
computer and run a few programs.
Ever type 5,000 phone numbers? It's as boring as it sounds. And I
had to do it twice, to make sure I didn't make any mistakes. Took me
two days.
After running an analysis, I found that this hacker hadn't just
broken into my computer. He was into more than six, and possibly a
dozen.
From Mitre, the hacker had made long connections to Norfolk, Oak
Ridge, Omaha, San Diego, Pasadena, Livermore, and Atlanta.
At least as interesting: he had made hundreds of one-minute phone
calls, all across the country.
To air force bases, navy shipyards, aircraft builders, and defense
contractors. What can you learn from a one-minute phone call to an
army proving ground?
For six months, this hacker had been breaking into bases and
computers all across the country. Nobody knew it. He was out there,
alone, silent, anonymous, persistent, and apparently successful-but
why? What was he after? What had he already learned? And what was he
doing with this information?
Friday, December 5, the hacker showed up again at 1:21 in the
afternoon. Nine minutes later, he disappeared.
Enough time for me to trace the connection to Tymnet. But the
network's sorcerer, Ron Vivier, was taking a long lunch that day, so
Tymnet couldn't make the trace. Another chance lost.
Ron returned my call an hour later.
"Hey, Cliff, how come you never call me at night?"
"Guess the hacker doesn't show up at night. I wonder why." He
started me thinking. My logbook recorded every time the hacker had
shown up. On the average, when was he active?
I'd remembered him on at 6 a.m. and at 7 p.m. But never at
midnight. Isn't midnight operation the very image of a hacker?
On the average, the hacker showed up at noon, Pacific time. So
what did this mean? Suppose he lives in California. Then he's hacking
during the day. If he's on the East Coast, he's three hours ahead of
us, so he works around 3 or 4 in the afternoon.
This didn't make sense. He'd work at night to save on long-
distance telephone fees. To avoid network congestion. And to avoid
detection. Yet he brazenly breaks in during the day. Why?
When it's noon in California, I wondered, where is it evening?
Lunchtime in Berkeley is bedtime in Europe. Was the hacker coming
from Europe?
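The reasoning above, an average time of day taken from the logbook and then read on the clocks of candidate time zones, as an added example that is not from the book. The logbook entries are constructed, and the zone offsets assume Pacific standard time as the reference (Eastern is three hours ahead, Central Europe nine).

```python
"""Time-of-day analysis of a sighting log, as in the reasoning above.

Added example, not from the book. The logbook entries are constructed;
the zone offsets assume Pacific standard time (UTC-8) as the reference,
so Eastern is +3 hours and Central Europe is +9 hours.
"""
import math
from datetime import datetime

# Constructed logbook: local (Pacific) times at which the hacker was seen.
LOGBOOK = [
    "1986-09-03 14:26", "1986-09-10 07:51", "1986-09-10 14:30",
    "1986-10-02 06:00", "1986-10-15 12:15", "1986-11-01 19:00",
    "1986-11-20 12:00", "1986-12-05 13:21",
]

# Hours to add to Pacific standard time to get local time elsewhere.
ZONE_OFFSETS = {"Pacific": 0, "Eastern": 3, "Central European": 9}


def hours_of_day(entries: list[str]) -> list[float]:
    """Fractional hour of day (0 <= h < 24) for each timestamp."""
    hours = []
    for entry in entries:
        t = datetime.strptime(entry, "%Y-%m-%d %H:%M")
        hours.append(t.hour + t.minute / 60)
    return hours


def circular_mean_hour(hours: list[float]) -> float:
    """Mean time of day on the 24-hour circle. A plain arithmetic mean
    would put sightings at 23:00 and 01:00 at noon; treating hours as
    angles puts them at midnight, where they belong."""
    angles = [h / 24 * 2 * math.pi for h in hours]
    x = sum(math.cos(a) for a in angles) / len(angles)
    y = sum(math.sin(a) for a in angles) / len(angles)
    return (math.atan2(y, x) % (2 * math.pi)) / (2 * math.pi) * 24


def concentration(hours: list[float]) -> float:
    """Mean resultant length, 0 (spread evenly round the clock) to 1
    (every sighting at the same time). A low value means the mean hour
    says little, so check it before reading anything into the mean."""
    angles = [h / 24 * 2 * math.pi for h in hours]
    x = sum(math.cos(a) for a in angles) / len(angles)
    y = sum(math.sin(a) for a in angles) / len(angles)
    return math.hypot(x, y)


def hourly_histogram(hours: list[float]) -> list[int]:
    """Sightings per clock hour; the 'never at midnight' observation in
    the text is this histogram being empty through the small hours."""
    counts = [0] * 24
    for h in hours:
        counts[int(h) % 24] += 1
    return counts


def quiet_hours(hours: list[float]) -> list[int]:
    """Clock hours with no sightings at all."""
    return [h for h, n in enumerate(hourly_histogram(hours)) if n == 0]


def local_hour_in_zones(pacific_hour: float, offsets=ZONE_OFFSETS) -> dict[str, float]:
    """What the Pacific mean hour reads on a clock in each candidate zone."""
    return {zone: (pacific_hour + off) % 24 for zone, off in offsets.items()}


if __name__ == "__main__":
    hrs = hours_of_day(LOGBOOK)
    mean = circular_mean_hour(hrs)
    print(f"mean sighting time (Pacific): {mean:05.2f}h, "
          f"concentration {concentration(hrs):.2f}, quiet hours {quiet_hours(hrs)}")
    for zone, local in local_hour_in_zones(mean).items():
        print(f"  {zone:17s} {int(local):02d}:{int(local % 1 * 60):02d}")
```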
On a Saturday afternoon, the hacker hit again. I called Tymnet's
Ron Vivier at home.
"I've got a live one for you," I gasped. "Just trace my port 14."
"Right. It'll take a minute." A couple of eons passed, and Ron came
back on the line. "Hey, Cliff, are you certain that it's the same
guy?"
I watched the hacker searching for the word SDI on our computer.
"Yes, it's him."
"He's coming in from a gateway that I've never heard of. I'm
locked onto his network address, so it doesn't matter if he hangs up.
But the guy's coming from somewhere strange."
"Where's that?"
"I don't know. It's Tymnet node 3513, which is a strange one. I'll
have to look it up in our directory." In the background, Ron's
keyboard clicked. "Here it is. Your hacker is coming from outside the
Tymnet system. He's entering Tymnet from a communications line
operated by the International Telephone and Telegraph company."
"So what?"
"ITT takes a Westar downlink, the communications satellite over
the Atlantic. It handles ten or twenty thousand phone calls at once."
"So my hacker is coming from Europe?"
"For sure."
"Where?"
"That's the part I don't know, and I probably can't find out. But
hold on, and I'll see what's there." More keyboard clicks.
Ron came back to the phone. "Well, ITT identifies the line as DSEA
744031. That's their line number. It can connect to either Spain,
France, Germany, or Britain."
"Well, which is it?" "Sorry, I don't know. In three days they'll
send us billing information, and then I can find out. Meantime, I
can't tell you much more than that." Ron rang off, but the hacker was
still on my computer, trying to chisel into the Navy Research Labs,
when one of Tymnet's international specialists, Steve White, called.
"Ron can't trace any farther," Steve said. "I'll do the trace myself."
I kept watching the hacker on my screen, hoping that he wouldn't
hang up while Steve made the trace.
Steve came back on the line. In his modulated, almost theatrical
British accent, he said, "Your hacker has the calling address DNIC
dash 2624 dash 542104214."
"So where's the hacker coming from?"
"West Germany. The German Datex network."
"What's that?"
"It's their national network to connect computers together. We'll
have to call the Bundespost to find out more."
"Who's the Bundespost?"
"They're the German national postal office. The government
communications monopoly."
Steve seemed pessimistic about completing a successful trace. "We
know where he connects into the system. But there's a couple of
possibilities there. The hacker might be at a computer in Germany,
simply connected over the German Datex network. If that's the case,
then we've got him cold. We know his address, the address points to
his computer, and the computer points to him."
"It is unlikely. More likely, the hacker is coming into the German
Datex network through a dial-in modem."
Just like Tymnet, Datex let anyone dial into its system and
connect to computers on the network.
Perfect for businesspeople and scientists. And hackers.
"The real problem is in German law," Steve said. "I don't think
they recognize hacking as a crime."
"You're kidding, of course." "No," he said. "A lot of countries
have outdated laws. In Canada, a hacker who broke into a computer was
convicted of stealing electricity, rather than trespassing. He was
prosecuted only because the connection had used a microwatt of power
from the computer."
Steve's pessimism was contagious. But his trace jogged my spirits.
So what if we couldn't nail the hacker-our circle was closing around
him.
Germany. I remembered my librarian recognizing the hacker's
password. "Jaeger-it's a German word meaning hunter." The answer had
been right in front of me, but I'd been blind.
Some details were still fuzzy, but I understood how he operated.
Somewhere in Europe, the hacker called into the German Datex network.
He asked for Tymnet, and the Bundespost made the connection. Once he
reached the States, he connected to my laboratory and hacked his way
around Milnet.
Mitre must have been his stopover point. Now I realized why Mitre
paid for a thousand one-minute-long phone calls. The hacker would
connect to Mitre and instruct the system to phone another computer.
When it answered, he would try to log in with a default name and
password. Usually he failed and went on to another phone number. He'd
been scanning computers, with Mitre picking up the tab.
But he'd left a trail. On Mitre's phone bills.
The path led back to Germany, but it might not end there.
Conceivably, someone in Berkeley could have called Berlin, connected
to the Datex network, connected through Tymnet, and come back to
Berkeley. Maybe the start of the path was in Mongolia. Or Moscow. I
couldn't tell. For the present, my working hypothesis would be
Germany.
And he scanned for military secrets. Could I be following a spy? A
real spy, working for them-but who's "them"?
Three months ago, I'd seen some mouse droppings in my accounting
files. Quietly we'd watched this mouse sneak through our computer,
out through a hole, and into the military networks and computers.
At last I knew what this rodent was after. And where he was from.
I'd been mistaken.
This wasn't a mouse. It was a rat.
Curious whether other people might have a similar problem with a
hacker, I spent a few hours one early December day searching bulletin
boards on the Usenet network for news about hackers and found one
note from Toronto. I called the author on the phone - I didn't trust
electronic mail. Bob Orr, the manager of the University of Toronto's
physics computers, told a familiar story.
"Some hackers from Germany have invaded our system, changing
programs and damaging our operating system."
"How'd they get in?" "We collaborate with the Swiss physics lab,
CERN. And a group of German hackers called the Chaos Club has
thoroughly walked through their computers. They probably stole
passwords to our system and linked directly to us."
As an aside, Bob mentioned that the Chaos Club might have gotten
into the US Fermilab computer as well.
"One guy uses the pseudonym Hagbard," he told me. "Another,
Pengo. I don't know their real names."
Next I called Stanford and asked one of their system managers, Dan
Kolkowitz, if he'd heard anything from Germany.
"Come to think of it, someone broke in a few months ago. I
monitored what he did and have a listing of him."
Dan read the listing over the phone. Some hacker with the nom-de-
guerre of Hagbard was sending a file of passwords to some hackers
named Zombie and Pengo.
Hagbard and Pengo again. I wrote them in my logbook.
One good thing was happening. One by one, I was making contact
with other people who were losing sleep and slugging down Maalox over
the same troubles that obsessed me. It was comforting to learn that I
wasn't completely alone.
A few days later, I received a call telling me that the German
Bundespost had determined that the hacker came from the University of
Bremen. Soon they found the account he was using to connect across
the Atlantic. They set a trap on that account: the next time someone
used it, they'd trace the call.
The Germans weren't sitting around. The university would monitor
the suspicious account, and the Bundespost would keep track of the
network activity. More and more mouseholes were being watched.
Friday, December 19, 1986, at 1:38 p.m., the hacker showed up
again. Stayed around for two hours, fishing on the Milnet. A pleasant
Friday afternoon, trying to guess passwords to the Strategic Air
Command, the European Milnet Gateway, the West Point Geography
Department, and 70 other assorted military computers.
I phoned Steve White at Tymnet. "The hacker's on our computer.
Tymnet's logical port number 14."
"OK," Steve said. The usual keyboard clatter in the background.
Twenty seconds elapsed, and he called, "Got it!"
Steve had traced a connection from California to Germany in less
than a minute.
"He's not coming from Bremen," he told me. "Today, he's dialing
into Hannover."
"So where is he? In Bremen or Hannover?" "Wolfgang Hoffman, the
Datex network manager in Germany, doesn't know. For all we know he
could be in Paris, calling long distance."
Yesterday it was Bremen. Today Hannover. Where would he hide
tomorrow? The hacker, I discovered, didn't take holidays; he even
logged in on New Year's Day. His hacker's celebration was saved on my
printers. I scribbled notes on the printouts, next to his:
WELCOME TO THE ARMY OPTIMIS DATABASE
PLEASE ENTER A WORD OR 'EXIT'.
/ SDI                                   Looking for SDI dope
THE WORD "SDI" WAS NOT FOUND.           But there's none there
PLEASE ENTER A WORD OR 'EXIT'.
/ STEALTH                               Any word on the Stealth bomber?
THE WORD "STEALTH" WAS NOT FOUND.       No such luck
PLEASE ENTER A WORD OR 'EXIT'.
/ SAC                                   Strategic Air Command?
THE WORD "SAC" WAS NOT FOUND.           Nope
PLEASE ENTER A WORD OR 'EXIT'.
/ NUCLEAR
THANK YOU.
I HAVE FOUND 29 DOCUMENT(S) CONTAINING THE PHRASE 'NUCLEAR'.
ITEM* MARKS*      TITLE
1     20-1F       IG INSPECTIONS (HEADQUARTERS, DEPARTMENT OF THE ARMY).
2     50A         NUCLEAR, CHEMICAL, AND BIOLOGICAL NATIONAL SECURITY AFFAIRS
3     50B         NUCLEAR, CHEMICAL, AND BIOLOGICAL WARFARE ARMS CONTROLS
4     50D         NUCLEAR AND CHEMICAL STRATEGY FORMULATIONS
5     50E         NUCLEAR AND CHEMICAL POLITICO-MILITARY AFFAIRS
6     50F         NUCLEAR AND CHEMICAL REQUIREMENTS
7     50G         NUCLEAR AND CHEMICAL CAPABILITIES
8     50H         THEATER NUCLEAR FORCE STRUCTURE DEVELOPMENTS
9     50I         NUCLEAR AND CHEMICAL WARFARE BUDGET FORMULATIONS
10    50J         NUCLEAR AND CHEMICAL PROGRESS AND STATISTICAL REPORTS
11    50K         ARMY NUCLEAR, CHEMICAL, AND BIOLOGICAL DEFENSE PROGRAM
12    50M         NUCLEAR AND CHEMICAL COST ANALYSES
13    50N         NUCLEAR, CHEMICAL WARFARE, AND BIOLOGICAL DEFENSE SCIENTIFIC AND TECHNICAL INFORMATION
14    50P         NUCLEAR COMMAND AND CONTROL COMMUNICATIONS
15    50Q         CHEMICAL AND NUCLEAR DEMILITARIZATIONS
16    50R         CHEMICAL AND NUCLEAR PLANS
17    50-5A       NUCLEAR ACCIDENT/INCIDENT CONTROLS
18    50-5B       NUCLEAR MANPOWER ALLOCATIONS
19    50-5C       NUCLEAR SURETY FILES
20    50-5D       NUCLEAR SITE RESTORATIONS
21    50,5-1A     NUCLEAR SITE UPGRADING FILES
22    50-115A     NUCLEAR SAFETY FILES
23    55-355FRTD  DOMESTIC SHIPMENT CONTROLS
24    200-1C      HAZARDOUS MATERIAL MANAGEMENT FILES.
25    385-11K     RADIATION INCIDENT CASES
26    385-11M     RADIOACTIVE MATERIAL LICENSING
27    385-40C     RADIATION INCIDENT CASES
28    700-65A     INTERNATIONAL NUCLEAR LOGISTICS FILES
29    1125-2-300A PLANT DATA
And he wasn't satisfied with the titles to these documents-he
dumped all 29 over the line printer. Page after page was filled with
army doubletalk. At one point, my printer jammed. The old DECwriter
had paid its dues for the past ten years and now needed an adjustment
with a sledgehammer. Damn. Right where the hacker had listed the
army's plans for nuclear bombs in the central European theater, there
was only an ink blot.
Around noon on Sunday, January 4, my beeper sounded. I jumped for
the computer, checked that the hacker was around, then called Steve
White. Within a minute, he'd started the trace.
The hacker tried the Air Force Systems Command, Space Division,
and managed to log in as Field Service: not as an ordinary user but
as one with a completely privileged account.
His first command was to show what privileges he'd garnered. The
air force computer responded automatically: System Privilege, and a
slew of other rights, including the ability to read, write, or erase
any file on the system.
He was even authorized to run security audits on the air force
computer. I could imagine him sitting behind his terminal in Germany,
staring in disbelief at the screen. He didn't just have free run of
the Space Command's computer; he controlled it.
Confident that he was undetected, he probed nearby computers. In a
moment, he'd discovered four on the air force network and a pathway
to connect to others. From his high ground, none of these were hidden
from him; if their passwords weren't guessable, he could steal them
by setting up Trojan horses.
This wasn't a little desktop computer he'd broken into. He found
thousands of files on the system, and hundreds of users.
He commanded the air force computer to list the names of all its
files; it went merrily along typing out names like "Laser-design-
plans" and "Shuttlelaunch-manifest." But he didn't know how to shut
off the spigot. For two hours, it poured a Niagara of information
onto his terminal.
Finally, at 2:30, he hung up. While the hacker stepped through the
air force computer, Steve White traced Tymnet's lines. I asked Steve
for the details.
"I checked with Wolfgang Hoffman at the Bundespost. Your visitor
is coming from Karlsruhe today. The University of Karlsruhe."
My hacker was moving around. Or maybe he was staying in one place,
playing a shell game with the telephone system. Perhaps he was a
student, visiting different campuses and showing off to his friends.
Was I certain that there was only one hacker-or was I watching
several people?
Two days later, the hacker was back. He went straight over the
Milnet to the Air Force Space Division. I watched him log in as Field
Service.
He didn't waste a minute. He went straight to the authorization
software, searched for an old, unused account, and modified it,
giving it system privileges and a new password: AFHACK.
AFHACK-what arrogance. He's thumbing his nose at the United States
Air Force.
From now on, he didn't need the field service account. Disguised
as an officer in the air force, he had unlimited access to the Space
Division's computer.
A call to Steve White started a trace rolling. Within five
minutes, he'd traced the connection to Hannover and called the
Bundespost.
A few minutes of silence, then: "Cliff, does the connection look
like it will be a long one?"
"I can't tell, but I think so," I said.
"OK." Steve was on another telephone; I could hear only an
occasional shout.
In a minute, Steve returned to my line. "Wolfgang is tracing the
call in Hannover. It's a local call. They're going to try to trace it
all the way."
Here's news! A local call in Hannover meant that the hacker was
somewhere in Hannover.
Steve shouted instructions from Wolfgang: "Whatever you do, don't
disconnect the hacker. Keep him on the line if you can!"
But he's rifling files at the air force base. It was like letting
a burglar rob your home while you watched.
He went for operational plans. Documents describing air force
payloads for the space shuttle. Test results from satellite detection
systems. SDI research proposals. A description of an astronaut-
operated camera system.
Tymnet came back on the line. "I'm sorry, Cliff, but the trace in
Germany is stymied."
"Can't they trace the call?"
"Well, the hacker's line comes from Hannover, all right," Steve
replied. "But Hannover's phone lines connect through mechanical
switches-noisy, complicated widgets-and these can be traced only by
people, not by computers."
Another opportunity lost. I cut off the hacker's connection so
that he couldn't do more harm.
Later, Steve White explained that American telephones are computer
controlled, so it's pretty easy to trace them. But in Germany they
need someone at the Hannover exchange to trace the call.
"So we can't trace him unless the hacker calls during the day or
evening? " I asked.
"Worse than that. It'll take an hour or two to make the trace once
it's started."
Lately, the hacker had been showing up for five minutes at a time.
Long enough to wake me up, but hardly enough for a two-hour trace.
How could I keep him on for a couple of hours?
The answer, I realized, was disarmingly simple: give him what he
wants: all the classified data, all the top-secret information he
could gather. Not for real, of course. Instead, I'd create a phony
database. Its documents would describe a new Star Wars project. An
outsider reading them would believe that Lawrence Berkeley
Laboratories had just landed a fat government contract to manage a
new computer network. The SDI Network.
This bogus network, which would apparently link together scores of
classified computers, would extend to military bases around the
world. By reading the files, you'd find lieutenants and colonels,
scientists and engineers. Here and there, I would drop hints of
meetings and classified reports.
And I invented Barbara Sherwin, the sweet, bumbling secretary
trying to figure out her new word processor and keep track of the
endless stream of documents produced by our newly invented "Strategic
Defense Initiative Network Office."
My snare was baited. If the hacker bit, he'd take two hours to
swallow the bait. Long enough for the Germans to track him down.
The next move was the hacker's.
My beeper sounded at 5:14 p.m., Friday, January 16. There's the
hacker. It didn't take him very long to swallow the hook; soon he
broke into my phony SDInet. Quickly, I got on the phone to Steve
White.
"Steve, call Germany. The hacker's on, and it'll be a long
session."
"Spot-on, Cliff. Call you back in ten minutes."
For the next 45 minutes, the hacker dumped out file after file,
reading all the garbage that I had created. Boring, tedious ore, with
an occasional nugget of technical information.
Then he dumped the file named FORM LETTER:
DEAR SIR:
THANK YOU FOR YOUR INQUIRY ABOUT SDINET. WE ARE HAPPY TO COMPLY
WITH YOUR REQUEST FOR MORE INFORMATION ABOUT THIS NETWORK. THE
FOLLOWING DOCUMENTS ARE AVAILABLE FROM THIS OFFICE. PLEASE STATE
WHICH DOCUMENTS YOU WISH MAILED TO YOU:
#37.6 SDINET OVERVIEW DESCRIPTION DOCUMENT
19 PAGES, REVISED SEPT. 1985
#41.7 STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS:
PLANS AND IMPLEMENTATIONS (CONFERENCE NOTES)
227 PAGES, REVISED SEPT. 1985
#45.2 STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS:
PLANS AND IMPLEMENTATIONS (CONFERENCE NOTES)
300 PAGES, JUNE 1986
#47.3 SDINET CONNECTIVITY REQUIREMENTS
65 PAGES, REVISED APRIL 1986
#48.8 HOW TO LINK INTO THE SDINET
25 PAGES, JULY 1986
#49.1 X.25 AND X.75 CONNECTIONS TO SDINET (INCLUDES JAPANESE,
EUROPEAN, AND HAWAIIAN NODES)
8 PAGES, DECEMBER 1986
#55.2 SDINET MANAGEMENT PLAN FOR 1986 TO 1988
47 PAGES, NOVEMBER 1985
#62.7 UNCLASSIFIED SDINET MEMBERSHIP LIST (INCLUDES MAJOR
MILNET CONNECTIONS)
24 PAGES, NOVEMBER 1986
#65.3 CLASSIFIED SDINET MEMBERSHIP LIST
9 PAGES, NOVEMBER 1986
#69.1 DEVELOPMENTS IN SDINET AND SDI DISNET
28 PAGES, OCTOBER 1986
SINCERELY YOURS,
MRS. BARBARA SHERWIN
DOCUMENTS SECRETARY
SDINET PROJECT
Steve White called back from Tymnet. "I've traced your connection
over to the University of Bremen. And the Bundespost has traced the
Datex line from Bremen into Hannover. In the past half hour, the
technician traced the line and has narrowed it down to one of 50
telephone numbers."
"Why can't they get the actual number?"
"Wolfgang's unclear about that. It sounds like they've determined
the number to be from a group of local phones, but the next time they
make a trace, they'll zero in on the actual telephone. From the sound
of Wolfgang's message, they're excited about solving this case."
The next day, at 10:17 a.m., the hacker came back. This time, he
wasn't interested in SDI files. Instead, he went out over the Milnet,
trying to break into military computers.
He was concentrating on air force and army computers, though he
occasionally knocked on the navy's door as well. Places I'd never
heard of, like the Air Force Weapons Lab, Descom headquarters, Air
Force CC OIS, and the CCA-amc. Fifty places, all without success.
Then he slid across the Milnet into a computer named Buckner. He
got right in . . . didn't even need a password on the account named
"guest."
He'd broken into the Army Communications Center in Building 23,
Room 121, of Fort Buckner. Fort Buckner was in Okinawa.
What a connection! From Hannover, Germany, the hacker linked to
the University of Bremen, across a transatlantic cable into Tymnet,
then into my Berkeley computer, and into the Milnet, finally reaching
Okinawa.
A bit after 11 in the morning, he finally grew tired and logged
off. While he'd circled the globe with his spiderweb of connections,
the German Bundespost had homed in on him.
The phone rang-had to be Steve White. "Hi Cliff," Steve said,
"The trace is complete."
"The Germans got the guy?"
"They know his phone number."
"Well, who is he?" I asked.
"They can't say right now, but you're supposed to tell the FBI."
"Just tell me this much," I asked Steve. "Is it a computer or a
person?"
"A person with a computer at his home. Or should I say, at his
business."
Days later, Tymnet passed along a chilling message:
"This is not a benign hacker. It is quite serious. The scope of the
investigation is being extended. Thirty people are now working on
this case. Instead of simply breaking into the apartments of one or
two people, locksmiths are making keys to the houses of the hackers,
and the arrests will be made when the hackers cannot destroy the
evidence. These hackers are linked to the shady dealings of a private
company."
Throughout the spring, I kept making new bait. My mythical Barbara
Sherwin created memos and letters, requisitions and travel orders.
Here and there, she sprinkled a few technical articles, explaining
how the SDI network interconnected all sorts of classified computers.
On Monday, April 27, came one of the biggest shocks. A letter
arrived, addressed to the imaginary Barbara Sherwin.
Triam International, Inc.
6512 Ventura Drive
Pittsburgh, PA 15236 April 21, 1987
Dear Mrs. Sherwin:
I am interested in the following documents. Please send me a price
list and an update on SDI Network Project. Thank you for your
cooperation.
Very truly yours,
Laszlo J. Balogh
Balogh then asked for every phony document I had made up in the
file called FORM LETTER.
Someone had swallowed the bait and was asking for more
information] I could understand it if the letter came from Hannover.
But Pittsburgh?
I called Mike Gibbons at the Alexandria FBI office and told him
about it.
"OK," Mike said. "Listen up carefully. Don't touch that letter.
Especially, don't touch around the edges. Go find a glassine
envelope. Gently insert the paper in the envelope. Then express mail
it to me. Whatever you do, don't handle it. Wear gloves if you must."
This sounded like Dick Tracy's "Crimestoppers, " but I followed
orders.
A hacker in Hannover, Germany, learns a secret from Berkeley,
California. Three months later, a Hungarian named Laszlo Balogh
living in Pittsburgh writes us a letter. What's happening here?
Tuesday morning, June 23, Mike Gibbons called from the FBI.
"You can close up shop, Cliff."
"What's happened?"
"Arrest warrants were issued this morning at 10."
"Anyone arrested?"
"I can't say."
Something was happening. But Mike wouldn't say what.
A few hours later, Wolfgang Hoffman sent a message: "An apartment
and a company were searched, and nobody was home at the time.
Printouts, disks, and tapes were seized and will be analyzed in the
next few days. Expect no further break-ins."
Finally, it was over. The FBI still wasn't talking, but I managed
to find out who the Germans had fingered; I could now attach a name to
the shadowy hacker I had chased across two continents: Markus Hess.
So what really happened? Was Hess working alone, or was he in
league with others? And why was he breaking into defense department
computers? Here's my estimate, based on interviews, police reports,
newspaper accounts, and messages from German computer programmers. In
the mid-1980s, a dozen hackers started the Chaos Computer Club, whose
members specialized in creating viruses, breaking into computers, and
serving as a computer counterculture. Through electronic bulletin
boards and telephone links, they anonymously exchanged phone numbers
of hacked computers, as well as stolen passwords and credit cards.
Markus Hess knew of the Chaos Club, although he was never a
central figure there. Rather, he kept his distance as a freelance
hacker. During the day, he worked at a small software firm in
downtown Hannover.
Over a crackling phone connection, an astronomer friend in
Hannover explained to me, "You see, Hess knew Hagbard, who kept in
touch with other hackers in Germany, like Pengo and Frimp. Hagbard is
a pseudonym, of course, his real name is . . . "
Hagbard. I'd heard that name before-he'd broken into Fermilab and
Stanford.
Hagbard worked closely with Markus Hess. The two drank beers
together at Hannover bars and spent evenings behind Hess's computer.
Apparently, Hess just played around the networks at first,
searching for ways to connect around the world. Like a ham-radio
operator, he started out a hobbyist, trying to reach as far away as
possible. In the beginning, he managed to connect to Karlsruhe; later
he reached Bremen over the Datex network.
Soon he discovered that many system managers hadn't locked their
back doors. Usually these were university computers, but Markus Hess
began to wonder: how many other systems were wide open? What other
ways could you sneak into computers?
By September 1985, Hagbard and Pengo were routinely breaking into
computers in North America: mostly high energy physics labs, but a
few NASA sites as well. Excitedly, Hagbard described his exploits to
Hess.
Hess began to explore outside of Germany. But he no longer cared
about universities and physics laboratories-he wanted some real
excitement. Hess now targeted the military. The leaders of the Chaos
Computer Club had issued a warning to their members: "Never penetrate
a military computer. The security people on the other side will be
playing a game with you, almost like chess. Remember that they've
practiced this game for a long time. . . . " Markus Hess wasn't
listening.
Hess apparently found his way into an unprotected computer
belonging to a German subsidiary of U.S. defense contractor Mitre.
Once inside that system, he discovered detailed instructions to link
into Mitre's computers in Bedford, Massachusetts, and McLean,
Virginia. By summer 1986, Hess and Hagbard were operating separately
but frequently comparing notes. Meanwhile, Hess worked in Hannover,
programming VAX computers and managing several systems.
Hess soon expanded his beachhead at Mitre. He explored the system
internally, then sent out tentacles into other American computers. He
collected telephone numbers and network addresses and methodically
attacked these systems. On August 20, he struck Lawrence Berkeley
Labs.
Even then, Hess was only fooling around. He'd realized that he was
privy to secrets, both industrial and national, but kept his mouth
shut. Then, around the end of September, in a smoky Hannover
beergarden, he described his latest exploit to Hagbard.
Hagbard smelled money. And Hagbard knew who to contact: Pengo, in
West Berlin.
Pengo, with his contacts to hackers across Germany, knew how to
use Hess's information. Carrying Hess's printouts, one of the Berlin
hackers crossed into East Berlin and met with agents from the East
German Staatssicherheitsdienst-the Secret Service.
The deal was made: around 30,000 deutschemarks-$18,000-for
printouts and passwords.
From there, who knows what happened to the information? The East
German Secret Service cooperates closely with the Soviet KGB; surely
the Staatssicherheitsdienst would tell the KGB about this new form of
espionage.
The KGB wasn't just paying for printouts, though. Hess and company
apparently sold their techniques as well: how to break into VAX
computers; which networks to use when crossing the Atlantic; details
on how the Milnet operates.
Even more important to the KGB was obtaining research data about
Western technology, including integrated circuit design, computer-
aided manufacturing, and, especially, operating system software that
was under U.S. export control. They offered 250,000 deutschemarks for
copies of Digital Equipment's VMS operating system.
According to the German television station NDR, the Berlin hackers
supplied much of this order, including source code to the Unix
operating system, designs for high-speed gallium-arsenide integrated
circuits, and computer programs used to engineer computer memory
chips. Hagbard wanted more than money. He demanded cocaine. The East
German Secret Service was a willing supplier.
Hagbard passed some of the money (but none of the cocaine) to Hess
in return for printouts, passwords, and network information. Hagbard's
cut went toward paying his telephone bill which sometimes ran over
$1,000 a month as he called computers around the world. Hess saved
everything. He kept a detailed notebook and saved every session on a
floppy disk. This way, after he disconnected from a military
computer, he could print out the interesting parts and pass these
along to Hagbard and on to the KGB.
Also on the KGB's wish list was SDI data. As Hess searched for it,
I naturally detected SDI showing up in his requests. And I had fed
Hess plenty of SDI fodder. But could the East Germans (or KGB?) trust
these printouts? How could they be sure Hagbard wasn't inventing all
of this to feed his own coke habit?
The KGB decided to verify the German hacker ring. The mythical
Barbara Sherwin served as a perfect way to test the validity of this
new form of espionage. She had, after all, invited people to write to
her for more information.
But secret services don't handle things directly. They use
intermediaries. The East Germans (KGB?) contacted another agency-
either the Hungarian or Bulgarian intelligence service. They, in turn,
apparently had a professional relationship with a contact in
Pittsburgh: Laszlo Balogh.
Does the FBI have enough evidence to indict Laszlo Balogh? They
won't tell me. But the way I see it, Laszlo's in deep trouble: the
FBI is watching him, and whoever's pulling his puppet strings isn't
pleased.
The West German police, though, have plenty of evidence against
Markus Hess. Printouts, phone traces, and my logbook. When they broke
into his apartment on June 29, 1987, they seized a hundred floppy
disks, a computer, and documentation describing the U.S. Milnet. But
when the police raided Hess's apartment, nobody was home. Though I
was waiting patiently for him to appear on my computer, the German
police entered his place when he wasn't connected.
At his first trial, Hess got off on appeal. His lawyer argued that
since Hess wasn't connected at the moment his apartment was raided,
he might not have done the hacking. This, along with a problem in the
search warrants, was enough to overturn the case against Hess on
computer theft. But the German federal police continued to
investigate.
On March 2, 1989, German authorities charged five people with
espionage: Pengo, Hagbard, Peter Carl, Dirk Bresinsky, and Markus
Hess.
Peter Carl met regularly with KGB agents in East Berlin, selling
any data the others could find.
When the German officials caught up with him, he was about to run
off to Spain. He's now in jail, waiting for trial, along with Dirk
Bresinsky, who was jailed for desertion from the German army.
Pengo is having second thoughts about his years working for the
KGB. He says that he hopes he "did the right thing by giving the
German police detailed information about my involvement." But as long
as there's an active criminal case, he'll say no more.
All the same, the publicity hasn't helped Pengo's professional
life as a computer consultant. His business partners have shied away
from backing him, and several of his computing projects have been
canceled. Outside of his business losses, I'm not sure that he feels
there's anything wrong with what he did.
Today, Markus Hess is walking the streets of Hannover, free on
bail while awaiting a trial for espionage.
Hagbard, who hacked with Hess for a year, tried to kick his
cocaine habit in late 1988. But not before spending his profits from
the KGB: he was deep in debt and without a job. In spring 1989 he
found a job at the office of a political party in Hannover. By
cooperating with the police, he and Pengo avoided prosecution for
espionage.
Hagbard was last seen alive on May 23, 1989. In an isolated forest
outside of Hannover, police found his charred bones next to a melted
can of gasoline. A borrowed car was parked nearby, keys still in the
ignition.
No suicide note was found.