💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › stoll.doc captured on 2021-12-04 at 18:04:22.
-=-=-=-=-=-=-
I grabbed these philes of a CD-ROM disk, hope you enjoy, they are interresting.
BTW, Cliff's # is 1-617-495-7149. Hehehe! L8r dudes,
Chamelion
Journal: PC-Computing Oct 1989 v2 n10 p114(9)
Title: The Cuckoo's egg. (tracing a hacker) (part 2)
Author: Stoll, Clifford.
Summary: When Astronomer Clifford Stoll discovered a subtle breach into the
computer system at the Lawrence Berkeley Labs, Stoll knew he might be dealing
with something big. The hacker was apparently after information with national
security implications. Stoll set out to find and trap the hacker. Here, in
Part 2 of his story, Stoll follows the trail to West Germany, closing in on
the invader.
Full Text:
THE STORY SO FAR : Whoever had stolen into the computer system at
the Lawrence Berkeley Labs was after something big. This hacker scanned for
military secrets, and Clifford Stoll knew he might well be a spy working for
a foreign power. Astronomer Stoll set out to snare the invader. The trail
began with 75 cents' worth of computing time left unaccounted for. Stoll
quickly discovered that the hacker was entering via the international
communications company Tymnet-he could be coming from anywhere in the world.
The hacker's dabblings in the LBL computer left other bread crumbs-his
mission was to find information about nuclear arms and SDI. Stoll assembled
a posse to catch his hacker. They trailed him as he breached the Milnet, a
network that links military computers. The hacker tapped into CIA and
National Security Agency systems, and meandered through files at the Anniston
army base and the Navy Research Labs. Stoll and company tracked his progress
by tracing his connections and phone calls. The mystery man entered Tymnet
over an ITT line, they found, one that came through a communications
satellite over the Atlantic-he was in Europe. Probing deeper, they learned
that the hacker was using the German Datex network, and they solicited the
help of the Bundespost, the German national post office, to draw the net
tighter. PART II Curious whether other people might have a similar problem
with a hacker, I spent a few hours one early December day searching bulletin
boards on the Usenet network for news about hackers and found one note from
Toronto. I called the author on the phone-I didn't trust electronic mail.
Bob Orr, the manager of the University of Toronto's physics computers, told a
familiar story.
"Some hackers from Germany have invaded our system, changing programs and
damaging our operating system."
"How'd they get in?" "We collaborate with the Swiss physics lab, CERN. And a
group of German hackers called the Chaos Club has thoroughly walked through
their computers. They probably stole passwords to our system and linked
directly to us."
As an aside, Bob mentioned that the Chaos Club might have gotten into the US
Fermilab computer as well.
"One guy uses the pseudonym Hagbard," he told me. "Another, Pengo. I don't
know their real names."
Next I called Stanford and asked one of their system managers, Dan Kolkowitz,
if he'd heard anything from Germany.
"Come to think of it, someone broke in a few months ago. I monitored what he
did and have a listing of him."
Dan read the listing over the phone. Some hacker with the nom-de-guerre of
Hagbard was sending a file of passwords to some hackers named Zombie and
Pengo.
Hagbard and Pengo again. I wrote them in my logbook.
One good thing was happening. One by one, I was making contact with other
people who were losing sleep and slugging down Maalox over the same troubles
that obsessed me. It was comforting to learn that I wasn't completely alone.
A few days later, I received a call telling me that the German Bundespost had
determined that the hacker came from the University of Bremen. Soon they
found the account he was using to connect across the Atlantic. They set a
trap on that account: the next time someone used it, they'd trace the can.
The Germans weren't sining around. The university would monitor the
suspicious account, and the Bundespost would keep track of the network
activity. More and more mouseholes were being watched.
Friday, December 19, 1986, at 1:38 p.m., the hacker showed up again. Stayed
around for two hours, fishing on the Milnet. A pleasant Friday afternoon,
trying to guess passwords to the Strategic Air Command, the European Milnet
Gateway, the West Point Geography Department, and 70 other assorted military
computers.
I phoned Steve White at Tymnet. "The hacker's on our computer. Tymnet's
logical port number 14."
"OK," Steve said. The usual keyboard clatter in the background. Twenty
seconds elapsed, and he called"Got it!"
Steve had traced a connection from California to Germany in less than a
minute.
"He's not coming from Bremen," he told me. "Today, he's dialing into
Hannover."
"So where is he? In Bremen or Hannover?" "Wolfgang Hoffman, the Datex network
manager in Germany, doesn't know. For all we know he could be in Paris,
calling long distance."
Yesterday it was Bremen. Today Hannover. Where would he hide tomorrow?
The hacker, I discovered, didn't take holidays; he even logged in on New
Year's Day. His hacker's celebration was saved on my printers. I scribbled
notes on the printouts, next to his:
WELCOME TO THE ARMY OPTIMIS DATABASE
PLEASE ENTER A WORD OR 'EXIT'.
/ SDI Looking for SDI dope
THE WORD "SDI" WAS NOT FOUND. But there's none there
PLEASE ENTER A WORD OR 'EXIT'.
/ STEALTH Any word on the Stealth bomber?
THE WORD "STEALTH" WAS NOT FOUND. No such luck
PLEASE ENTER A WORD OR 'EXIT'.
/ SAC Strategic Air Command?
THE WORD "SAC" WAS NOT FOUND. Nope
PLEASE ENTER A WORD OR 'EXIT'.
/ NUCLEAR
THANK YOU.
I HAVE FOUND 29 DOCUMENT(S) CONTAINING THE PHRASE 'NUCLEAR'.
ITEM* MARKS* TITLE
1 20-lF IG INSPECTIONS (HEADQUARTERS, DEPART
MENT OF THE ARMY)
2 50A NUCLEAR, CHEMICAL, AND BIOLOGICAL NATION
AL SECURITY AFFAIRS
3 50B NUCLEAR, CHEMICAL, AND BIOLOGICAL WAR
FARE ARMS CONTROLS
4 50D NUCLEAR AND CHEMICAL STRATEGY
FORMULATIONS 5 50E NUCLEAR AND CHEMICAL POLITICO-MILITARY
AFFAIRS 6 5OF NUCLEAR AND CHEMICAL REQUIREMENTS
7 5OG NUCLEAR AND CHEMICAL CAPABILITIES
8 50H THEATER NUCLEAR FORCE STRUCTURE
DEVELOPMENTS 9 501 NUCLEAR AND CHEMICAL WARFARE BUDGET
FORMULATIONS 10 50J NUCLEAR AND CHEMICAL PROGRESS AND STA
TISTICAL REPORTS 11 50K ARMY NUCLEAR, CHEMICAL, AND BIOLOGICAL
DEFENSE PROGRAM 12 50M NUCLEAR AND CHEMICAL COST ANALYSES
13 5ON NUCLEAR, CHEMICAL WARFARE, AND BIOLOGI
CAL DEFENSE SCIENTIFIC AND TECHNICAL
INFORMATION 14 50P NUCLEAR COMMAND AND CONTROL
COMMUNICATIONS
15 50Q CHEMICAL AND NUCLEAR DEMILITARIZATIONS
16 5OR CHEMICAL AND NUCLEAR PLANS
17 50-5A NUCLEAR ACCIDENT/INCIDENT CONTROLS
18 50-5B NUCLEAR MANPOWER ALLOCATIONS
19 50-5C NUCLEAR SURETY FILES
20 50-5D NUCLEAR SITE RESTORATIONS
21 50,5-lA NUCLEAR SITE UPGRADING FILES
22 50-115A NUCLEAR SAFETY FILES
23 55-355FRTD DOMESTIC SHIPMENT CONTROLS
24 200-IC HAZARDOUS MATERIAL MANAGEMENT FILES
25 385-11K RADIATION INCIDENT CASES
26 385-11M RADIOACTIVE MATERIAL LICENSING
27 385-40C RADIATION INCIDENT CASES
28 700-65A INTERNATIONAL NUCLEAR LOGISTICS FILES
29 1125-2-300A PLANT DATA
And he wasn't satisfied with the titles to these documents-he dumped all 29
over the line printer. Page after page was filled with army doubletalk. At
one point, my printer jammed. The old DECwriter had paid its dues for the
past ten years and now needed an adjustment with a sledgehammer. Damn.
Right where the hacker had listed the army's plans for nuclear bombs in the
central European theater, there was only an ink blot.
Around noon on Sunday, January 4, my beeper sounded. I jumped for the
computer, checked that the hacker was around, then called Steve White.
Within a minute, he'd started the trace.
The hacker tried the Air Force Systems Command, Space Division, and managed
to log in as Field Service: not as an ordinary user but as one
with a completely privileged account.
His first command was to show what privileges he'd
garnered. The air force computer responded automatically: System Privilege,
and a slew of other rights, including the ability to read, write, or erase
any file on the system.
He was even authorized to run security audits on the air force computer. I
could imagine him sitting behind his terminal in Germany, staring in
disbelief at the screen. He didn't just have free run of the Space Command's
computer; he controlled it.
Confident that he was undetected, he probed nearby computers. In a moment,
he'd discovered four on the air force network and a pathway to connect to
others. From his high ground, none of these were hidden from him; if their
passwords weren't guessable, he could steal them by setting up Trojan horses.
This wasn't a little desktop computer he'd broken into. He found thousands
of files on the system, and hundreds of users.
He commanded the air force computer to list the names of all its files; it
went merrily along typing out names like "Laser-design-plans" and
"Shuttlelaunch-manifest." But he didn't know how to shut off the spigot. For
two hours, it poured a Niagara of information onto his terminal.
Finally, at 2:30, he hung up. While the hacker stepped through the air force
computer, Steve White traced Tymnet's lines. I asked Steve for the details.
"I checked with Wolfgang Hoffman at the Bundespost. Your visitor is coming
from Karlsruhe today. The University of Karlsruhe."
My hacker was moving around. Or maybe he was staying in one place, playing a
shell game with the telephone system. Perhaps he was a student, visiting
different campuses and showing off to his friends. Was I certain that there
was only one hacker-or was I watching several people?
Two days later, the hacker was back. He went straight over thc Milnet to the
Air Force Space Division. I watched him log in as Field Service.
He didn't waste a minute. He went straight to the authorization software,
searched for an old, unused account, and modified it, giving it system
privileges and a new password: AFHACK.
AFHACK-what arrogance. He's thumbing his nose at the United States Air
Force.
From now on, he didn't need the field service account. Disguised as an
officer in the air force, he had unlimited access to the Space Division's
computer.
A call to Steve White started a trace rolling. Within five minutes, he'd
traced the connection to Hannover and called the Bundespost.
A few minutes of silence then: "Cliff does the con
nection look like it will be
a long one?"
"I can't tell, but I think so," I said.
"OK." Steve was on another telephone; I could hear only an occasional shout.
In a minute, Steve returned to my fine. "Wolfgang is tracing the call in
Hannover. It's a local call. They're going to try to trace it all the way."
Here's news! A local call in Hannover meant that the hacker was somewhere in
Hannover.
Steve shouted instructions from Wolfgang: "Whatever you do, don't disconnect
the hacker. Keep him on the line if you can!"
But he's rifling files at the air force base. It was like letting a burglar
rob your home while you watched.
He went for operational plans. Documents describing air force payloads for
the space shuttle. Test results from satellite detection systems. SDI
research proposals. A description of an astronaut-operated camera system.
Tymnet came back on the I'm sorry, Cliff, but the trace in Germany is
stymied."
"Can't they trace the call?" "Well, the hacker's line comes from Hannover,
all right," Steve replied. "But Hannover's phone fines connect through
mechanical switches-noisy, complicated widgets-and these can be traced only
by people, not by computers."
Another opportunity lost. I cut off the hacker's connection so that he
couldn't do more harm.
Later, Steve White explained that American telephones are computer
controlled, so it's pretty easy to trace them. But in Germany they need
someone at the Hannover exchange to trace the call.
"So we can't trace him unless the hacker calls during the day or evening?" I
asked.
"Worse than that. It'll take an hour or two to make the trace once it's
started."
Lately, the hacker had been showing up for five minutes at a time. Long
enough to wake me up, but hardly enough for a two-hour trace. How could I
keep him on for a couple of hours?
The answer, I realized, was disarmingly simplegive him what he wants: all the
classified data, all the top-secret information he could gather. Not for
real, of course. Instead, I'd create a phony database. Its documents would
describe a new Star Wars project. An outsider reading them would believe
that Lawrence Berkeley Laboratories had just landed a fat government contract
to manage a new computer network. The SDI Network.
This bogus network, which would apparently link together scores of classified
computers,would extend to military bases around the world. By reading the
files, you'd find lieutenants and colonels, scientists and engineers. Here
and there, I would drop hints of meetings and classified reports.
And I invented Barbara Sherwin, the sweet, bumbling secretary trying to
figure out her new word processor and keep track of the endless stream of
documents produced by our newly invented "Strategic Defense Initiative
Network Office."
My snare was baited. If the hacker bit, he'd take two hours to swallow the
bait. Long enough for the Germans to track him down.
The next move was the hacker's.
My beeper sounded at 5:14 p.m., Friday, January 16. There's the hacker.
It didn't take him very long to swallow the hook; soon he broke into my phony
SDInet. Quickly, I got on the phone to Steve White.
"Steve, call Germany. The hacker's on, and it'll be a long session."
"Spot-on, Cliff. Call you back in ten minutes." For the next 45 minutes, the
hacker dumped out file after file, reading all the garbage that I had
created. Boring, tedious ore, with an occasional nugget of technical
information.
Then he dumped the file named FORM LETTER:
DEAR SIR:
THANK YOU FOR YOUR INQUIRY ABOUT SDINET. WE ARE HAPPY TO COMPLY WITH YOUR
REQUEST FOR MORE INFORMATION ABOUT THIS NETWORK. THE FOLLOWING DOCUMENTS ARE
AVAILABLE FROM THIS OFFICE. PLEASE STATE WHICH DOCUMENTS YOU WISH MAILED TO
YOU:
#37.6 SDINET OVERVIEW DESCRIPTION DOCUMENT
19 PAGES, REVISED SEPT. 1985
#41.7 STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS:
PLANS AND IMPLEMENTATIONS (CONFERENCE NOTES) 227 PAGES, REVISED SEPT. 1985
#45.2 STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS:
PLANS AND IMPLEMENTATIONS (CONFERENCE NOTES) 300 PAGES, JUNE 1986
#47.3 SDINET CONNECTIVITY REQUIREMENTS
65 PAGES, REVISED APRIL 1986
#48.8 How TO LINK INTO THE SDINET
25 PAGES, JULY 1986
#49.1 X.25 AND X.75 CONNECTIONS TO SDINET (INCLUDES JAPA
NESE, EUROPEAN, AND HAWAIIAN NODES) 8 PAGES, DECEMBER 1986 #55.2 SDINET
MANAGEMENT PLAN FOR 1986 TO 1988
47 PAGES, NOVEMBER 1985
#62.7 UNCLASSIFIED SDINET MEMBERSHIP LIST (INCLUDES MAJOR
MILNET CONNECTIONS) 24 PAGES, NOVEMBER 1986
#65.3 CLASSIFIED SDINET MEMBERSHIP LIST
9 PAGES, NOVEMBER 1986
#69.1 DEVELOPMENTS IN SDINET AND SDI DISNET
28 PAGES, OCTOBER 1986
SINCERELY YOURS,
MRS. BARBARA SHERWIN
DOCUMENTS SECRETARY
SDINET PROJECT
Steve White called back from Tymnet. "I've traced your connection over to
the University of Bremen. And the Bundespost has traced the Datex line from
Bremen into Hannover. In the past half hour, the technician traced the line
and has narrowed it down to one of 50 telephone numbers."
"Why can't they get the actual number?" "Wolfgang's unclear about that. It
sounds like they've determined the number to be from a group of local phones,
but the next time they make a trace, they'll zero in on the actual telephone.
From tile sound of Wolfgang's message, they're excited about solving this
case."
The next day, at 10:17 a.m., the hacker came back. This time, he wasn't
interested in SDI files. Instead, he went out over the Milnet, trying to
break into military computers.
He was concentrating on air force and army computers, though he occasionally
knocked on the navy's door as well. Places I'd never heard of, like the Air
Force Weapons Lab, Descom headquarters, Air Force CC OIS, and the CCA-amc.
Fifty places, all without success.
Then he slid across the Milnet into a computer named Buckner. He got right
in . . . didn't even need a password on the account named "guest."
He'd broken into the Army Communications Center in Building 23, Room 121, of
Fort Buckner. Fort Buckner was in Okinawa.
What a connection! From Hannover, Germany, the hacker linked to the
University of Bremen, across a transatlantic cable into Tymnet, then into my
Berkeley computer, and into the Milnet, finally reaching Okinawa.
A bit after 11 in the morning, he finally grew tired and logged off.
While he'd circled the globe with his spiderweb of connections, the German
Bundespost had homed in on him.
The phone rang-had to be Steve White. "Hi Cliff," Steve said, "The trace is
complete." "The Germans got the guy?" "They know his phone number." "Well,
who is he?" I asked.
"They can't say right now, but you're supposed to tell the FBI."
"Just tell me this much," I asked Steve. "Is it a computer or a person?"
"A person with a computer at his home. Or should I say, at his business."
Days later, Tymnet passed along a chilling message: "This is not a benign
hacker. It is quite serious. The scope of the investigation is being
extended. Thirty people are now working on this case. Instead of simply
breaking into the apartments of one or two people, locksmiths are making keys
to the houses of the hackers, and the arrests will be made when the hackers
cannot destroy the evidence. These hackers are linked to the shady dealings
of a private company."
Throughout the spring, I kept making new bait. My mythical Barbara Sherwin
created memos and letters, requisitions and travel orders. Here and there,
she sprinkled a few technical articles, explaining how the SDI network
interconnected all sorts of classified computers.
On Monday, April 27, came one of the biggest shocks. A letter arrived,
addressed to the imaginary Barbara Sherwin.
Triam International, Inc.
6512 Ventura Drive
Pittsburgh, PA 15236 April 21, 1987
Dear Mrs. Sherwin:
I am interested in the following documents. Please send me a price list and
an update on SDI Network Project. Thank you for your cooperation.
Very truly yours,
Laszlo J. Balogh
Balogh then asked for every phony document I had made up in the file called
FORM LETTER.
Someone had swallowed the bait and was asking for more information! I could
understand it if the letter came from Hannover. But Pittsburgh?
I called Mike Gibbons at the Alexandria FBI office and told him about it.
"OK," Mike said. "Listen up carefully. Don't touch that letter.
Especially, don't touch around the edges. Go find a glassine envelope.
Gently insert the paper in the envelope. Then express mail it to me.
Whatever you do, don't handle it. Wear gloves if you must."
This sounded like Dick Tracy's "Crimestoppers," but I followed orders.
A hacker in Hannover, Germany, learns a secret from Berkeley, California.
Three months later, a Hungarian named Laszlo Balogh living in Pittsburgh
writes us a letter. What's happening here? Tuesday moming, June 23, Mike
Gibbons called from the FBI.
"You can close up shop, Cliff." "What's happened?" "Arrest warrants were
issued this morning at IO." "Anyone arrested?" "I can't say." Something was
happening. But Mike wouldn't say what.
A few hours later, Wolfgang Hoffman sent a message: "An apartment and a
company were searched, and nobody was home at the time. Printouts, disks,
and tapes were seized and will be analyzed in the next few days. Expect no
further break-ins."
Finally, it was over. The FBI still wasn't talking, but I managed to fmd out
who the Germans had fingered; I could now attach a name to the shadowy hacker
I had chased across two continents: Markus Hess.
So what really happened? Was Hess working alone, or was he in league with
others? And why was he breaking into defense department computers? Here's my
estimate, based on interviews, police reports, newspaper accounts, and
messages from German computer programmers.
In the mid-1980s, a dozen hackers started the Chaos Computer Club, whose
members specialized in creating viruses, breaking into computers, and serving
as a computer counterculture. Through electronic bulletin boards and
telephone links, they anonymously exchanged phone numbers of hacked
computers, as well as stolen passwords and credit cards.
Markus Hess knew of the Chaos Club, although he was never a central figure
there. Rather, he kept his distance as a freelance hacker. During thc day,
he worked at a small software firm in downtown Hannover.
Over a crackling phone connection, an astronomer friend in Hannover explained
to me, "You see, Hess knew Hagbard, who kept in touch with other hackers in
Germany, Eke Pengo and Frimp. Hagbard is a pseudonym, of course, his real
name is . . . "
Hagbard. I'd heard that name before-he'd broken into Fermilab and Stanford.
Hagbard worked closely with Markus Hess. The two drank beers together at
Hannover bars and spent evenings behind Hess's computer.
Apparently, Hess apparently just played around the networks at first,
searching for ways to connect around the world. Like a ham-radio operator,
he started out a hobbyist, trying to reach as far away as possible. In the
beginning, he managed to connect to Karlsruhe; later he reached Bremen over
the Datex network.
Soon he discovered that many system managers hadn't locked their back doors.
Usually these were university computers, but Markus Hess began to wonder: how
many other systems were wide open? What other ways could you sneak into
computers?
By September 1985, Hagbard and Pengo were routinely breaking into computers
in North America: mostly high energy physics labs, but a few NASA sites as
well. Excitedly, Hagbard described his exploits to Hess.
Hess began to explore outside of Germany. But he no longer cared about
universities and physics laboratories-he wanted some real excitement. Hess
now targeted the military.
The leaders of the Chaos Computer Club had issued a warning to their members:
"Never penetrate a military computer. The security people on the other side
will be playing a game with you almost like chess. Remember that they've
practiced this game for a long time. . . . " Markus Hess wasn't
listening.
Hess apparently found his way into an unprotected computer belonging to a
German subsidiary of U.S. defense contractor Mitre. Once inside that
system, he discovered detailed instructions to link into Mitre's computers in
Bedford, Massachusetts, and McLean, Virginia.
By summer 1986, Hess and Hagbard were operating separately but frequently
comparing notes. Meanwhile, Hess worked in Hannover, programming VAX
computers and managing several systems.
Hess soon expanded his beachhead at Mitre. He explored the system
internally, then sent out tentacles into other American computers. He
collected telephone numbers and network addresses and methodically attacked
these systems. On August 20, he struck Lawrence Berkeley Labs.
Even then, Hess was only fooling around. He'd realized that he was privy to
secrets, both industrial and national, but kept his mouth shut. Then, around
the end of September, in a smoky Hannover beergarden, he described his latest
exploit to Hagbard.
Hagbard smelled money. And Hagbard knew who to contact: Pengo, in West
Berlin.
Pengo, with his contacts to hackers across Germany, knew how to use Hess's
information. Carrying Hess's printouts, one of the Berlin hackers crossed
into East Berlin and met with agents from the East German
Staatssicherheitsdienst-the Secret Service.
The deal was. made: around 30,000 deutschemarks-$18,000-for printouts and
passwords.
From there, who knows what happened to the information? The East German
Secret Service cooperates closely with the Soviet KGB; surely the
Staatssicherheitsdienst would tell the KGB about this new form of espionage.
The KGB wasn't just paying for printouts, though. Hess and company
apparently sold their techniques as well: how to break into VAX computers;
which networks to use when crossing the Atlantic; details on how the Milnet
operates.
Even more important to the KGB was obtaining research data about Western
technology, including integrated circuit design, computer-aided
manufacturing, and, especially, operating system software that was under U.S.
export control. They offered 250,000 deutschemarks for copies of Digital
Equipment's VMS operating system.
According to the German television station NDR, the Berlin hackers supplied
much of this order, including source code to the Unix operating system
designs for high-speed gallium-arsenide integrated circuits, and computer
programs used to engineer computer memory chips. Hagbard wanted more than
money. He demanded co
caine. The East German Secret Service was a willing supplier.
Hagbard passed some of the money (but none of the cocaine) to Hess in retum
for printouts, passwords, and network information. Hagbard's cut went toward
paying his telephone bill which sometimes ran over $1,000 a month as he
called computers around the world.
Hess saved everything. He kept a detailed notebook and saved every session
on a floppy disk. This way, after he disconnected from a military computer,
he could print out the interesting parts and pass these along to Hagbard and
on to the KGB.
Also on the KGB's wish list was SDI data. As Hess searched for it, I
naturally detected SDI showing up in his requests. And I had fed Hess plenty
of SDI fodder.
But could the East Germans (or KGB?) trust these printouts? How could they be
sure Hagbard wasn't inventing all of this to feed his own coke habit?
The KGB decided to verify the German hacker ring. The mythical Barbara
Sherwin served as a perfect way to test the validity of this new form of
espionage. She had, after all, invited people to write to her for more
information.
But secret services don't handle things directly. They use intermediaries.
The East Germans (KGB?) contacted another agency-either the Hungarian or
Bulgarian intelligence service. They, in tum, apparently had a professional
relationship with a contact in Pittsburgh: Laszlo Balogh.
Does the FBI have enough evidence to indict Laszlo Balogh? They won't tell
me. But the way I see it, Laszlo's in deep trouble: the FBI is watching him,
and whoever's pulling his puppet strings isn't pleased.
The West German police, though, have plenty of evidence against Markus Hess.
Printouts, phone traces, and my logbook. When they broke into his apartment
on June 29, 1987, they seized a hundred floppy disks, a computer, and
documentation describing the U.S. Milnet.
But when the police raided Hess's apartment, nobody was home. Though I was
waiting patiently for him to appear on my computer, the German police entered
his place when he wasn't connected.
At his first trial, Hess got off on appeal. His lawyer argued that since
Hess wasn't connected at the moment his apartment was raided, he might not
have done the hacking. This, along with a problem in the search warrants,
was enough to overtum the case against Hess on computer theft. But the
German federal police continued to investigate.
On March 2, 1989, German authorities charged five people with espionage:
Pengo, Hagbard, Peter Carl, Dirk Bresinsky, and Markus Hess.
Peter Carl met regularly with KGB agents in East Berlin, selling any data the
others could find.
When the German officials caught up with him, he was about to run off to
Spain. He's now in jail, waiting for trial, along with Dirk Bresinsky, who
was jailed for desertion from the German army.
Pengo is having second thoughts about his years working for the KGB. He says
that he hopes he "did the right thing by giving the German police detailed
information about my involvement." But as long as there's an active criminal
case, he'll say no more.
All the same, the publicity hasn't helped Pengo's professional life as a
computer consultant. His business partners have shied away from backing him,
and several of his computing projects have been canceled. Outside of his
business losses, I'm not sure that he feels there's anything wrong with what
he did.
Today, Markus Hess is walking the streets of Hannover, free on bail while
awaiting a trial for espionage.
Hagbard, who hacked with Hess for a year, tried to kick his cocaine habit in
late 1988. But not before spending his profits from the KGB: he was deep in
debt and without a job. In spring 1989 he found a job at the office of a
political party in Hannover. By cooperating with the police, he and Pengo
avoided prosecution for espionage.
Hagbard was last seen alive on May 23, 1989. In an isolated forest outside
of Hannover, police found his chaffed bones next to a melted can of gasoline.
A borrowed car was parked nearby, keys still in the ignition.
No suicide note was found.
Journal: PC-Computing Sept 1989 v2 n9 p112(8)
Title: The cuckoo's egg. (excerpts from book on hacker espionage)
Author: Stoll, Clifford.
Full Text:
Me, a wizard?
Until a week before, I had been an astronomer, contentedly designing
telescope optics. But then I found myself transferred from the Keck
Observatory at the Lawrence Berkeley Lab (LBL) down to the computer center in
the basement of the same building.
On either side of my new cubicle were the offices of two systems people,
Wayne Graves and Dave Cleveland, the old hands of the system. Together,
Wayne, Dave, and I were to run the computers as a labwide utility. We
managed a dozen mainframe computers-giant workhorses for solving physics
problems, together worth around $6 million. The scientists using the
computers were supposed to see a simple, powerful computing system, as
reliable as the electric company. This meant keeping the machines running
full-time, around the clock. And just like a utility company, we charged for
every cycle of computing that was used.
On my second day, Dave was mumbling about a hiccup in the Unix accounting
system. Someone must have used a few seconds of computing time without
paying for it. The computer's books didn't quite balance; last month's bills
of $2,387 showed a 75-cent shortfall.
Now, an error of a few thousand dollars is obvious, and isn't hard to find.
But errors in the pennies column arise from deeply buried problems, so
finding these bugs is a natural test for a budding software wizard.
Around about 7 p.m., my eye caught the name of one user, Hunter. This guy
didn't have a valid billing address. Ha! Hunter had used 75 cents of time in
the past month, but nobody had paid for him. Here was the source of our
imbalance. Someone had screwed up while adding a user to our system. A
trivial problem caused by a trivial error.
A day later, an obscure computer named Dockmaster sent us an electronic-mail
message. Its system manager claimed that someone from our laboratory had
tried to break into his computer over the weekend. I guessed Dockmaster was
some navy shipyard. It wasn't important, but it seemed worth spending a few
minutes looking into.
The message gave the date and time when someone on our Unix computer tried to
log in to Dockmaster's computer. Our stock Unix accounting file showed a
user, Sventek, logging in to our system at 8:25, doing nothing for half an
hour, and then disconnecting. No time-stamped activity in between. Our
homebrew software also recorded Sventek's activity, but it showed him using
the networks from 8:31 until 9:01 a.m.
Jeez. Another accounting problem. The timestamps didn't agree. One recorded
activity when the other account said everything was dormant.
Why were the two accounting systems keeping different times? And why was some
activity logged in one file without showing up in the other? Was this related
to the earlier accounting problem? Had I screwed things up when I poked
around before? Or was there some other explanation-was there a hacker on the
loose?
So how do you find a hacker? I figured it was simple: just watch for anyone
using Sventek's accounts, and try to trace the connection. I spent Thursday
watching people log in to the computer. I wrote a program to beep my
terminal whenever someone connected.
At 12:33 on Thursday afternoon, Sventek logged in. I felt a rush of
adrenaline, then a complete letdown when he disappeared within a minute.
Where was he? The only pointer left for me was the identifier of his
terminal: he had used terminal port tt23. I suspected a dial-in modem,
connected fRom some telephone line, but it might conceivably be someone at
the laboratory.
By lucky accident, the connection had left some footprints behind. Paul
Murray, a reclusive hardware technician who hides in thickets of telephone
wire, had been collecting statistics on how many people used our
communications switchyard. By chance he had recorded the port numbers of
each connection for the past month. Since I knew when Sventek was active on
port tt23, we could figure out where he came from. The printout of the
statistics showed a one-minute, 1,200-bit-per-second connection had taken
place at 12:33.
Any lab employee here on the hill would run at high speed-9,600 or 19,200
bps. Only someone calling through a modem would let his data dribble out a
1,200-bps soda straw. But how to catch him? About the only place to watch
our incoming traffic was in between the modems and the computers. Our modem
lines were flat, 25-conductor wires, snaking underneath the switchyard's
false floor. A printer or personal computer could be wired in parallel with
each of these lines, recording every keystroke that came through.
A kludge? Yes. Workable? Maybe.
All we'd need were 50 teletypes, printers, and portable computers. I rounded
them up; strewn with four dozen obsolete teletypes and portable terminals,
the floor looked like a computer engineer's nightmare. I slept in the
middle, nursing the printers and computers. Each was grabbing data from a
different line, and whenever someone dialed our system, I'd wake up to the
chatter of their typing. Every half-hour, a printer would run out of paper
or a computer out of disk space, so I'd have to roll over and reload.
Saturday morning, a coworker shook me awake. "Well, where's your hacker?"
The first 49 printers and monitors showed nothing interesting. But from the
50th trailed 80 feet of printout. During the night, someone had sneaked in
through a hole in the operating system.
For three hours a hacker had strolled through my system, reading whatever he
wished. Unknown to him, my DECwriter had saved his session on singlespaced
computer paper. Here was every command he issued, every typing mistake, and
every response from the computer.
This printer monitored the line from Tymnet, a communications company that
interconnected computers around the world. Our hacker might be anywhere.
How the Cuckoo Laid Its Egg
The hacker had become a super-user. He was like a cuckoo bird. The cuckoo
is a nesting parasite that lays her eggs in other birds' nests: some other
bird will raise her young. The survival of cuckoo chicks depends on the
ignorance of other species. Our mysterious visitor had laid an egg-program
into our computer, letting the system hatch it and feed it privileges.
That morning, the hacker wrote a short program to grab privileges. Normally,
Unix won't allow such a program to run, since it never gives privileges
beyond what a user is assigned. But if our hacker ran this program from a
privileged account, he'd become privileged. His problem was to masquerade
this special program-the cuckoo's egg-so that it would be hatched by the
system.
Every five minutes, the Unix system executes its own program called atrun.
In turn, atnin schedules other jobs and does routine housecleaning tasks. It
runs in a privileged mode, with the full power and trust of the operating
system behind it. If a bogus atrun program were substituted, it would be
executed within five minutes, with full system privileges. For this reason,
atrun sits in a protected area of the system, available only to the system
manager. Nobody else has license to tamper with atrun.
Here was the cuckoo's nest: for five minutes he would swap his egg for the
system's atrun program. For this attack, he needed to find a way to move his
egg-program into the protected systems nest. The operating system's barriers
are built specifically to prevent this. But there was a wildcard that we'd
never noticed.
We used a powerful editing program called GnuEmacs. But Gnu's much more than
just a text editor-it's a foundation upon which other programs can be built.
It even has its own mail facility built in. just one problem: there's a bug
in that software.
Because of the way it was installed on our Unix computer, the Gnu-Emacs
editor lets you forward a mail file from your own directory to anyone else's.
It doesn't check to see who's receiving it, or even whether they want the
file. No problem to send a file from your area to mine. But you'd better
not be able to move a file into the protected systems area: only the systems
manager is allowed there.
Gnu didn't check. It let anyone move a file into protected systems space.
The hacker knew this; we didn't. He used Gnu to swap his special atrun file
for the system's legitimate version. Five minutes later, the system hatched
his egg, and he held the keys to my computer.
In front of me, the first few feet of the printout showed the cuckoo
preparing the nest, laying the egg, and waiting for it to hatch. The next 70
feet showed the fledgling cuckoo testing its wings.
As a super-user, he had the run of our system and could read anybody's work.
By studying several scientists' command files and scripts, he discovered
pathways into other lab computers. Every night, our computer automatically
calls 20 others, to exchange mail and network news. When the hacker read
these phone numbers, he learned 20 new targets.
I had to weave a net fine enough to catch the hacker but coarse enough to let
our scientists through. I'd have to detect the hacker as soon as he came
online and call Tymnet's technicians to trace the call.
If I knew the stolen account names, it would be easy to write a program that
watched for the bad guy to show up. No need to check out every person using
the computer; just ring a bell when a stolen account was in use. But I also
had to stay invisible to the hacker, so I wrote the program for a new Unix-8
system we had just installed. I could connect it to our local area network,
secure it against all possible attacks, and let it watch the other computers,
all the while recording the traffic on printers.
Wednesday afternoon, September 3, 1986, marked a week since we'd first
detected the hacker. Suddenly, the terminal beeped twice: Sventek's account
was active. I ran to the switchyard; the top of the ream of paper showed
that the hacker had logged in at 2:26 and was still active.
Logged in as Sventek, he first listed the names of everyone connected.
Lucky-there was nobody but the usual gang of physicists and astronomers; my
watchdog program was well concealed within the Unix-8 computer.
He didn't become a super-user; rather, he checked that the Gnu-Emacs file
hadn't been modified. At 2:37, 11 minutes after logging in, he abruptly
logged off. But not before we'd started the trace.
Ron Vivier traces Tymnet's network within North America 'In a couple of
minutes he had traced the connection from LBL's Tymnet port into an Oakland
Tymnet office, where someone had dialed in.
It's easier to call straight into our Berkeley lab than to go through
Oakland's Tymnet office. Calling the local Tymnet access number instead of
our lab was like taking the interstate to drive three blocks. But calling
via Tymnet added one more layer to trace. Whoever was at the other end of
the line knew how to hide.
The morning after we had watched the hacker break in to our system, my boss
met with Aletha Owens, the lab's attorney. She wasted no time in calling the
FBI.
Our local FBI office didn't raise an eyebrow. Fred Wyniken, special agent
with the Oakland resident agency, asked incredulously"You're calling us
because you've lost 75 cents in computer time?" Owens tried explaining
information security and the value of our data. Wyniken interrupted, "Look,
if you can demonstrate a loss of more than a million dollars, or that
someone's prying through classified data, then we'll open an investigation.
Until then, leave us alone."
Wednesday, September 10, at 7:51 a.m., the hacker appeared in our system for
six minutes. I wasn't at the lab to watch, but the printer saved three pages
of his trail. He logged in to our computer from Tymnet as Sventek, then
jumped into another network. Using Milnet, a network that links military
computers, he connected to address 26.0.0.113. He logged in there as Hunter,
checked that they had a copy of Gnu-Emacs, and disappeared.
The hacker left an indelible trail downstream to the Redstone Army Depot in
Anniston, Alabama, the home of the army's Redstone missile complex2,000 miles
from Berkeley. He listed files at the Anniston system. judging from the
dates of these files, he'd been in Anniston's computers since early June.
For four months, an illegitimate system manager had been using an army
computer. Yet he'd been discovered by accident, not through some logic bomb
or lost information.
Looking closely at the morning's printout, I saw that, on the Anniston
computer, the hacker had changed Hunter's password to Hedges. A clue at
last: of zillions of possible passwords, he'd chosen Hedges. Hedges Hunter?
Hunter Hedges? A hedge hunter?
Time was running out; if I didn't catch the hacker soon, the lab would shut
down my tracking operation and put me on other work. At 2:30 in the
afternoon, the printer advanced a page and the hacker logged in with a new
stolen account, Goran. A minute after the hacker connected, I called the
phone company and Ron Vivier at Tymnet. I took notes as Ron mumbled. "He's
coming into your port 14 and entering Tymnet from Oakland. It's our port
322, which is, uh, let me see here." I could hear him tapping his keyboard.
"Yeah, it's 2902. 430-2902. That's the number to trace.'
The phone company, by law, couldn't reveal information about the trace to me,
but my printers showed his every move. While I talked to Tymnet and the
telephone techs, the hacker had prowled through my computer. He wasn't
satisfied reading the system manager's mail; he also snooped through mail for
several nuclear physicists.
After 15 minutes of reading our mail, he jumped back into Goran's stolen
account, using a new password, Benson. He started a program that searched
our users' files for passwords; while that executed, he called up the Milnet
Network Information Center and asked for a pathway into the CIA.
Instead of their computer, though, he found four people who worked at the
CIA. Later, I phoned one of them.
I didn't know where to begin. How do you introduce yourself to a spy?
"Uh, you don't know me, but I'm a computer manager, and we've been following
a computer hacker."
"Uh-huh." "Well, he searched for a pathway to try to get into the CIA's
computers. He found your name and phone number."
"Who are you?" Nervously, I told him, expecting him to send over a gang of
hit men in trench coats. I described our laboratory, making sure he
understood that the People's Republic of Berkeley didn't have official
diplomatic relations with his organization.
He sent over a delegation several days later. OK, so they didn't wear trench
coats. Not even sunglasses. just boring suits and ties. Wayne saw the four
of them walk up the drive and flashed a message to my terminal: "All hands on
deck. Sales reps approach through starboard portal. Charcoal gray suits.
Set warp speed to avoid IBM sales pitch." If only he knew.
The four spooks introduced themselves. One guy in his fifties said he was
there as a "navigator" and didn't give his name-he just sat there quietly the
whole time. The second spy, Greg Fennel, I guessed to be a computer jockey,
because he seemed uncomfortable in a suit. The third agent, Teejay, was
built like a halfback. The fourth guy must have been the bigwig: everyone
shut up when he talked. Together, they looked more like bureaucrats than
spies.
The four of them sat quietly while we gave them an overview of what we'd
seen. Mr. Big nodded and asked, "What keywords has he scanned for?"
"He looks for words like password, nuclear, SDI, and Norad He's picked some
curious passwords: lblhack hedges, jaeger, hunter, and benson. The accounts
he stole, Goran, Sventek, Whitberg, and Mark don't say much about him,
because the names are people here at the laboratory."
Mr. Big nodded and asked, "Tell me, what did he do at Anniston?"
"I don't have much of a printout there," I said. "He was into their system
for several months, perhaps as long as a year. Now, since he knows they've
detected him, he logs in only for a moment."
Mr. Big fidgeted a bit, meaning that the meeting was about to break up.
Greg asked one more question. "What machines has he attacked?"
"Ours, of course, and the army base in Anniston. He's tried to get into
White Sands Missile Range, and some navy shipyard in Maryland. I think it's
called Dockmaster."
"Shit!" Greg and Teejay simultaneously exclaimed. Greg said, "How do you
know he hit Dockmaster?"
"About the same time he screwed up our accounting, this Dockmaster place sent
us a message saying that someone had tried to break in there."
"Did he succeed?" "I don't think so. What is this Dockmaster place, anyway?
Aren't they some navy shipyard?"
They whispered among themselves, and Mr. Big nodded. Greg explained:
"Dockmaster isn't a navy shipyard. It's run by the National Security
Agency."
A hacker breaking into the NSA? Bizarre. This wanted to get into the CIA,
the NSA, army missile bases, and the North
American Air Defense headquarters. "Dockmaster is NSA's only unclassified
computer," Greg said.
"It belongs to its computer security group, which is actually public."
Mr. Big started talking slowly. "There's not much we can do about this
affair. I think there's no evidence of foreign espionage."
"Well, who should be working on this case?" I asked.
"The FBI. I'm sorry, but this isn't our bailiwick. Our entire involvement
has been the exposure of four names-names that are already in the public
domain, I might add."
Then they were gone.
The spooks were no help, so I was on my own again. I searched the Berkeley
phone book for Jaegers and Bensons; I figured I ought to try Stanford as
well. So I stopped by the library. Maggie Morley, our 45-year-old
documentmeister, plays rough-and-tumble Scrabble: posted on her door is a
list of all legal three-letter Scrabble words.
"I need a Stanford telephone book," I I'm looking for everyone in Silicon
Valley named Jaeger or Benson."
'Jaeger. A word that's been kind to me," Maggie smiled. "Worth 16 points,
but I once won a game with it, when the [J] landed on a triple-letter score.
Turned into 75 points."
"Yeah, but I need it because it's the hacker's password. Hey, I didn't know
names were legal in Scrabble."
"Jaeger's not a name. Well, maybe it's a nameEllsworth jaeger, the famous
omithologist, for instance-but it's a type of bird. Gets its name from the
German word meaning hunter."
"Huh? Did you say hunter?"
"Yes. Jaegers are hunting birds that badger other birds with full beaks.
They harass weaker birds until they drop their prey."
"Hot ziggity! You answered my question. I don't need the phone book."
"Well, what else I can do for you?"
"How about explaining the relationship between the words hedges, jaeger,
hunter, and benson?"
"Well, jaeger and hunter is obvious to anyone who knows German. And smokers
know Benson & Hedges."
Omigod-my hacker smokes Benson & Hedges. Maggie had won on a triple-word
score.
During one of the phone traces, I had copied down all the numbers and digits
I heard from the technician. I called all combinations of them and ended up
at a computer modem at Mitre, a defense contractor just down the road from
CIA headquarters in McLean, Virginia. How deeply was Mitre's system
infested? By listing its directory, I saw that the hacker had created a
Trojan horse there on June 17. For six months, someone had silently
booby-trapped Mitre's computers.
In alllikelihood, Mitre served as a way station, a stepping-stone on the way
to breaking into other computers. Someone dialed into Mitre, turned around,
and dialed out from it. This way, Mitre paid the bills both ways: the
incoming Tymnet connection and the outgoing long-distance phone call. Even
nicer, Mitre served as a hiding place, a hole in the wall that couldn't be
traced.
Monday morning, I called a man named Bill Chandler at Mitre and told him the
news. Bill wanted me to be quiet about the problems I had found. Well, yes,
but I had a price.
"Say, Bill, could you send me copies of your computer's phone bills?"
"What for?" "It might be fun to see where else this hacker got into."
Two weeks later, a thick envelope arrived, stuffed with long-distance bills
from Chesapeake and Potomac. Six months of phone bills. Dates, times, phone
numbers, and cities. Probably 5,000 in all. So many that I couldn't analyze
them by hand. Perfect for analyzing on a computer-there's plenty of software
designed to search out correlations. All I had to do was enter them into my
Macintosh computer and run a few programs.
Ever type 5,000 phone numbers? It's as boring as it sounds. And I had to do
it twice, to make sure I didn't make any mistakes. Took me two days.
After running an analysis, I found that this hacker hadn't just broken into
my computer. He was into more than six, and possibly a dozen.
From Mitre, the hacker had made long connections to Norfolk, Oak Ridge,
Omaha, San Diego, Pasadena, Livermore, and Atlanta.
At least as interesting: he had made hundreds of one-minute phone calls, all
across the country.
To air force bases, navy shipyards, aircraft builders, and defense
contractors. What can you learn from a oneminute phone call to an army
proving ground?
For six months, this hacker had been breaking into bases and computers all
across the country. Nobody knew it. He was out there, alone, silent,
anonymous, persistent, and apparently successful-but why? What was he after?
What had he already learned? And what was he doing with this information?
Friday, December 5, the hacker showed up again at 1:21 in the afternoon.
Nine minutes later, he disappeared.
Enough time for me to trace the connection to Tymnet. But the network's
sorcerer, Ron Vivier, was taking a long lunch that day, so
Tymnet couldn't make the trace. Another chance lost.
Ron returned my call an hour later.
"Hey, Cliff, how come you never call me at night?"
"Guess the hacker doesn't show up at night. I wonder why." He started me
thinking. My logbook recorded every time the hacker had shown up. On the
average, when was he active?
I'd remembered him on at 6 a.m. and at 7 p.m. But never at midnight. Isn't
midnight operation the very image of a hacker?
On the average, the hacker showed up at noon, Pacific time. So what did this
mean? Suppose he lives in California. Then he's hacking during the day. If
he's on the East Coast, he's three hours ahead of us, so he works around 3 or
4 in the afternoon.
This didn't make sense. He'd work at night to save on long-distance
telephone fees. To avoid network congestion. And to avoid detection. Yet
he brazenly breaks in during the day. Why?
When it's noon in California, I wondered, where is it evening? Lunchtime in
Berkeley is bedtime in Europe. Was the hacker coming from Europe?
On a Saturday afternoon, the hacker hit again. I called Tymnet's Ron Vivier
at home.
"I've got a live one for you," I gasped. "Just trace my port 14."
"Right. It'll take a minute." A couple of eons passed, and Ron came back on
the line. "Hey, Cliff, are you certain that it's the same guy?,"
I watched the hacker searching for the word ]DI on our computer"Yes, it's
him."
"He's coming in from a gateway that I've never heard of. I'm locked onto his
network address, so it doesn't matter if he hangs up. But the guy's coming
from somewhere strange."
"Where's that?"
"I don't know. It's Tymnet node 3513, which is a strange one. I'll have to
look it up in our directory." In the background, Ron's keyboard clicked.
"Here it is. Your hacker is coming from outside the Tymnet system. He's
entering Tymnet from a communications line operated by the International
Telephone and Telegraph company."
"So what?"
"ITT takes a Westar downlink, the communications satellite over the Atlantic.
It handles ten or twenty thousand phone calls at once."
"So my hacker is coming from Europe?"
"For sure."
"Where?"
"That's the part I don't know, and I probably can't find out. But hold on,
and I'll see what's there." More keyboard clicks.
Ron came back to the phone. "Well, ITT identifies the line as DSEA 744031.
That's their line number. It can connect to either Spain, France, Germany,
or Britain."
"Well, which is it?" "Sorry, I don't know. In three days they'll send us
billing information, and then I can find out. Meantime, I can't tell you
much more than that."
Ron rang off, but the hacker was still on my computer, trying to chisel into
the Navy Research Labs, when one of Tymnet's international specialists, Steve
White, called.
"Ron can't trace any farther," Steve said. "I'll do the trace myself"
I kept watching the hacker on my screen, hoping that he wouldn't hang up
while Steve made the trace.
Steve came back on the line. In his modulated, almost theatrical British
accent, he said, "Your hacker has the calling address DNIC dash 2624 dash
542104214."
"So where's the hacker coming from?"
"West Germany. The German Datex network."
"What's that?"
"It's their national network to connect computers together. We'll have to
call the Bundespost to find out more."
"Who's the Bundespost?"
"They're the German national postal office. The government communications
monopoly."
Steve seemed pessimistic about completing a successful "We know where he
connects into the system. But there's a couple of possibilities there. The
hacker might be at a computer in Germany, simply connected over the German
Datex network. If that's the case, then we've got him cold, We know his
address, the address points to his computer, and the computer points to him."
"It is unlikely. More likely, the hacker is coming into the German Datex
network through a dial-in modem."
Just like Tymnet, Datex let anyone dial into its system and connect to
computers on the network.
Perfect for businesspeople and scientists. And hackers.
"The real problem is in German law," Steve said. "I don't think they
recognize hacking as a crime."
"You're kidding, of course." "No," he said. "A lot of countries have
outdated laws. In Canada, a hacker who broke into a computer was convicted
of stealing electricity, rather
than trespassing. He was prosecuted only because the connection had used a
microwatt of power from the computer."
Steve's pessimism was contagious. But his trace jogged my spirits. So what
if we couldn't nail the hacker-our circle was closing around him.
Germany. I remembered my librarian recognizing the hacker's password.
"Jaeger-it's a German word meaning hunter." The answer had been right in
front of me, but I'd been blind.
Some details were still fuzzy, but I understood how he operated. Somewhere in
Europe, the hacker called into the German Datex network. He asked for
Tymnet, and the Bundespost made the connection. Once he reached the States,
he connected to my laboratory and hacked his way around Milnet.
Mitre must have been his stopover point. Now I realized why Mitre paid for a
thousand one-minutelong phone calls. The hacker would connect to Mitre and
instruct the system to phone another computer. When it answered, he would
try to log in with a default name and password. Usually he failed and went on
to another phone number. He'd been scanning computers, with Mitre picking up
the tab.
But he'd left a trail. On Mitre's phone bills.
The path led back to Germany, but it might not end there. Conceivably,
someone in Berkeley could have called Berlin, connected to the Datex network,
connected through Tymnet, and come back to Berkeley. Maybe the start of the
path was in Mongolia. Or Moscow. I couldn't tell. For the present, my
working hypothesis would be Germany.
And he scanned for militaly secrets. Could I be following a spy? A real spy,
working for them-but who's "them"?
Three months ago, I'd seen some mouse droppings in my accounting files.
Quietly we'd watched this mouse sneak through our computer, out through a
hole, and into the military networks and computers.
At last I knew what this rodent was after. And where he was from. I'd been
mistaken.
This wasn't a mouse. It was a rat.