ЭЛЕКТРОННАЯ БИБЛИОТЕКА КОАПП
Сборники Художественной, Технической, Справочной, Английской, Нормативной, Исторической, и др. литературы.


Databet88.

The Cockoo's egg from Clifford Stoll

                            The Cockoo's egg                                
                  ------------------------------------                      
                           from Clifford Stoll                              
                                                                           
                                                                           
          Until  a  week  before,  I  had  been  an  astronomer, contentedly
       designing  telescope optics. But then I found myself transferred from
       the  Keck  Observatory at the Lawrence Berkeley Lab (LBL) down to the
       computer center in the basement of the same building.                
          On  either  side of my new cubicle were the offices of two systems
       people, Wayne Graves and Dave Cleveland, the old hands of the system.
       Together,  Wayne,  Dave, and I were to run the computers as a labwide
       utility.  We managed a dozen mainframe computers-giant workhorses for
       solving  physics  problems,  together  worth  around  $6 million. The
       scientists  using  the  computers  were  supposed  to  see  a simple,
       powerful  computing system, as reliable as the electric company. This
       meant  keeping  the machines running full-time, around the clock. And
       just  like a utility company, we charged for every cycle of computing
       that was used.                                                      
          On  my  second  day,  Dave was mumbling about a hiccup in the Unix
       accounting  system. Someone must have used a few seconds of computing
       time  without  paying  for  it.  The  computer's  books  didn't quite
       balance; last month's bills of $2,387 showed a 75-cent shortfall.    
          Now, an error of a few thousand dollars is obvious, and isn't hard
       to  find.  But  errors in the pennies column arise from deeply buried
       problems,  so  finding  these  bugs  is  a natural test for a budding
       software wizard.                                                    
          Around  about  7 p.m., my eye caught the name of one user, Hunter.
       This  guy didn't have a valid billing address. Ha] Hunter had used 75
       cents  of  time  in the past month, but nobody had paid for him. Here
       was  the source of our imbalance. Someone had screwed up while adding
       a user to our system. A trivial problem caused by a trivial error.  
          A  day  later,  an  obscure  computer  named Dockmaster sent us an
       electronic-mail message. Its system manager claimed that someone from
       our laboratory had tried to break into his computer over the weekend.
       I guessed Dockmaster was some navy shipyard. It wasn't important, but
       it seemed worth spending a few minutes looking into.                
          The  message  gave  the  date  and  time  when someone on our Unix
       computer  tried  to  log  in to Dockmaster's computer. Our stock Unix
       accounting  file  showed a user, Sventek, logging in to our system at
       8:25,  doing  nothing  for  half  an hour, and then disconnecting. No
       time-stamped activity in between. Our homebrew software also recorded
       Sventek's  activity,  but  it showed him using the networks from 8:31
       until 9:01 a.m.                                                      
          Jeez. Another accounting problem. The timestamps didn't agree. One
       recorded activity when the other account said everything was dormant.
          Why  were  the two accounting systems keeping different times? And
       why  was  some  activity logged in one file without showing up in the
       other?  Was  this  related  to  the earlier accounting problem? Had I
       screwed things up when I poked around before? Or was there some other
       explanation-was there a hacker on the loose?                        
          So  how  do you find a hacker? I figured it was simple: just watch
       for anyone using Sventek's accounts, and try to trace the connection.
       I  spent  Thursday  watching people log in to the computer. I wrote a
       program  to  beep my terminal whenever someone connected. At 12:33 on
       Thursday  afternoon,  Sventek logged in. I felt a rush of adrenaline,
       then  a  complete  letdown when he disappeared within a minute. Where
       was  he?  The  only  pointer  left  for  me was the identifier of his
       terminal:  he  had  used  terminal  port  tt23. I suspected a dial-in
       modem,  connected  ftom some telephone line, but it might conceivably
       be someone at the laboratory.                                        
          By lucky accident, the connection had left some footprints behind.
       Paul Murray, a reclusive hardware technician who hides in thickets of
       telephone  wire,  had  been  collecting statistics on how many people
       used  our  communications  switchyard.  By chance he had recorded the
       port numbers of each connection for the past month. Since I knew when
       Sventek  was  active  on port tt23, we could figure out where he came
       from.  The printout of the statistics showed a one-minute, 1,200-bit-
       per-second connection had taken place at 12:33.                      
          Any lab employee here on the hill would run at high speed-9,600 or
       19,200  bps.  Only someone calling through a modem would let his data
       dribble  out  a 1,200-bps soda straw. But how to catch him? About the
       only  place  to  watch our incoming traffic was in between the modems
       and  the  computers.  Our  modem lines were flat, 25-conductor wires,
       snaking  underneath  the  switchyard's  false  floor.  A  printer  or
       personal  computer  could  be  wired  in  parallel with each of these
       lines, recording every keystroke that came through.                  
          A kludge? Yes. Workable? Maybe.                                  
          All we'd need were 50 teletypes, printers, and portable computers.
       I  rounded  them  up;  strewn  with four dozen obsolete teletypes and
       portable  terminals,  the  floor  looked  like  a computer engineer's
       nightmare. I slept in the middle, nursing the printers and computers.
       Each  was  grabbing  data from a different line, and whenever someone
       dialed  our system, I'd wake up to the chatter of their typing. Every
       half-hour, a printer would run out of paper or a computer out of disk
       space,  so  I'd  have  to  roll  over and reload. Saturday morning, a
       coworker shook me awake. "Well, where's your hacker? "              
          The first 49 printers and monitors showed nothing interesting. But
       from  the 50th trailed 80 feet of printout. During the night, someone
       had sneaked in through a hole in the operating system.              
          For  three  hours a hacker had strolled through my system, reading
       whatever  he  wished.  Unknown  to  him,  my  DECwriter had saved his
       session  on  singlespaced  computer  paper. Here was every command he
       issued, every typing mistake, and every response from the computer.  
          This  printer  monitored  the  line  from Tymnet, a communications
       company  that  interconnected  computers around the world. Our hacker
       might be anywhere.                                                  
          How the Cuckoo Laid Its Egg.                                      
          The hacker had become a super-user. He was like a cuckoo bird. The
       cuckoo  is  a  nesting  parasite  that  lays her eggs in other birds'
       nests:  some  other bird will raise her young. The survival of cuckoo
       chicks depends on the ignorance of other species.                    
        Our  mysterious  visitor  had laid an egg-program into our computer,
       letting the system hatch it and feed it privileges.                  
          That morning, the hacker wrote a short program to grab privileges.
       Normally,  Unix  won't  allow  such  a program to run, since it never
       gives  privileges  beyond  what a user is assigned. But if our hacker
       ran  this  program from a privileged account, he'd become privileged.
       His  problem was to masquerade this special program-the cuckoo's egg-
       so that it would be hatched by the system.                          
          Every  five  minutes,  the  Unix  system  executes its own program
       called  atrun.  In  turn, atnin schedules other jobs and does routine
       housecleaning  tasks.  It  runs  in  a privileged mode, with the full
       power  and  trust of the operating system behind it. If a bogus atrun
       program  were  substituted, it would be executed within five minutes,
       with  full  system  privileges.  For  this  reason,  atrun  sits in a
       protected  area  of the system, available only to the system manager.
       Nobody else has license to tamper with atrun.                        
          Here was the cuckoo's nest: for five minutes he would swap his egg
       for  the system's atrun program. For this attack, he needed to find a
       way  to  move  his  egg-program  into the protected systems nest. The
       operating  system's  barriers are built specifically to prevent this.
       But there was a wildcard that we'd never noticed.                    
          We used a powerful editing program called GnuEmacs. But Gnu's much
       more  than  just  a  text  editor-it's  a foundation upon which other
       programs  can  be  built. It even has its own mail facility built in.
       just one problem: there's a bug in that software.                    
          Because of the way it was installed on our Unix computer, the Gnu-
       Emacs  editor lets you forward a mail file from your own directory to
       anyone  else's.  It  doesn't check to see who's receiving it, or even
       whether  they want the file. No problem to send a file from your area
       to  mine.  But  you'd  better  not  be  able  to move a file into the
       protected systems area: only the systems manager is allowed there.  
          Gnu didn't check. It let anyone move a file into protected systems
       space.  The  hacker  knew  this;  we  didn't. He used Gnu to swap his
       special  atrun file for the system's legitimate version. Five minutes
       later,  the  system  hatched  his  egg,  and  he  held the keys to my
       computer.                                                            
          In  front  of  me,  the  first few feet of the printout showed the
       cuckoo  preparing  the  nest,  laying  the egg, and waiting for it to
       hatch.  The  next  70  feet  showed  the fledgling cuckoo testing its
       wings.                                                              
          As  a  super-user,  he  had  the  run of our system and could read
       anybody's  work.  By  studying  several scientists' command files and
       scripts,  he  discovered  pathways  into  other  lab computers. Every
       night,  our  computer automatically calls 20 others, to exchange mail
       and  network  news.  When  the  hacker  read  these phone numbers, he
       learned 20 new targets.                                              
          I  had  to  weave a net fine enough to catch the hacker but coarse
       enough  to  let our scientists through. I'd have to detect the hacker
       as  soon as he came online and call Tymnet's technicians to trace the
       call.                                                                
          If  I  knew  the stolen account names, it would be easy to write a
       program that watched for the bad guy to show up. No need to check out
       every  person  using  the  computer;  just  ring a bell when a stolen
       account  was  in use. But I also had to stay invisible to the hacker,
       so I wrote the program for a new Unix-8 system we had just installed.
       I  could  connect it to our local area network, secure it against all
       possible attacks, and let it watch the other computers, all the while
       recording the traffic on printers.                                  
          Wednesday  afternoon,  September 3, 1986, marked a week since we'd
       first  detected  the  hacker.  Suddenly,  the  terminal beeped twice:
       Sventek's account was active. I ran to the switchyard; the top of the
       ream  of  paper  showed that the hacker had logged in at 2:26 and was
       still active.                                                        
          Logged  in  as  Sventek,  he  first  listed  the names of everyone
       connected.  Lucky-there  was  nobody but the usual gang of physicists
       and  astronomers;  my  watchdog program was well concealed within the
       Unix-8 computer.                                                    
          He  didn't  become  a super-user; rather, he checked that the Gnu-
       Emacs  file  hadn't  been modified. At 2:37, 11 minutes after logging
       in, he abruptly logged off. But not before we'd started the trace.  
          Ron  Vivier  traces  Tymnet's  network  within North America 'In a
       couple of minutes he had traced the connection from LBL's Tymnet port
       into an Oakland Tymnet office, where someone had dialed in.          
          It's  easier  to  call  straight  into our Berkeley lab than to go
       through  Oakland's  Tymnet  office.  Calling  the local Tymnet access
       number  instead  of  our  lab was like taking the interstate to drive
       three blocks. But calling via Tymnet added one more layer to trace.  
        Whoever was at the other end of the line knew how to hide.          
          The  morning  after  we  had  watched  the  hacker break in to our
       system, my boss met with Aletha Owens, the lab's attorney. She wasted
       no time in calling the FBI.                                          
          Our  local  FBI  office  didn't  raise  an  eyebrow. Fred Wyniken,
       special  agent  with the Oakland resident agency, asked incredulously
       "You're  calling  us because you've lost 75 cents in computer time? "
       Owens  tried  explaining  information  security  and the value of our
       data.  Wyniken  interrupted,  "Look, if you can demonstrate a loss of
       more  than  a  million  dollars,  or  that  someone's  prying through
       classified  data, then we'll open an investigation. Until then, leave
       us alone."                                                          
          Wednesday,  September 10, at 7:51 a.m., the hacker appeared in our
       system for six minutes. I wasn't at the lab to watch, but the printer
       saved  three  pages  of  his trail. He logged in to our computer from
       Tymnet  as Sventek, then jumped into another network. Using Milnet, a
       network  that  links  military  computers,  he  connected  to address
       26.0.0.113.  He  logged  in  there as Hunter, checked that they had a
       copy of Gnu-Emacs, and disappeared.                                  
          The hacker left an indelible trail downstream to the Redstone Army
       Depot  in  Anniston, Alabama, the home of the army's Redstone missile
       complex2,000  miles  from  Berkeley.  He listed files at the Anniston
       system.  judging  from  the  dates  of  these  files,  he'd  been  in
       Anniston's   computers   since   early  June.  For  four  months,  an
       illegitimate system manager had been using an army computer. Yet he'd
       been  discovered  by  accident,  not  through some logic bomb or lost
       information.                                                        
          Looking  closely  at  the  morning's  printout, I saw that, on the
       Anniston  computer,  the  hacker  had  changed  Hunter's  password to
       Hedges.  A  clue  at  last:  of  zillions of possible passwords, he'd
       chosen Hedges. Hedges Hunter? Hunter Hedges? A hedge hunter?        
          Time  was  running out; if I didn't catch the hacker soon, the lab
       would  shut  down  my tracking operation and put me on other work. At
       2:30  in  the  afternoon,  the printer advanced a page and the hacker
       logged in with a new stolen account, Goran. A minute after the hacker
       connected,  I  called  the  phone company and Ron Vivier at Tymnet. I
       took  notes  as  Ron  mumbled.  "He's  coming  into  your port 14 and
       entering Tymnet from Oakland. It's our port 322, which is, uh, let me
       see  here."  I could hear him tapping his keyboard. "Yeah, it's 2902.
       430-2902. That's the number to trace.'                              
          The  phone  company, by law, couldn't reveal information about the
       trace to me, but my printers showed his every move. While I talked to
       Tymnet  and  the  telephone  techs, the hacker had prowled through my
       computer.  He  wasn't satisfied reading the system manager's mail; he
       also snooped through mail for several nuclear physicists.            
          After  15 minutes of reading our mail, he jumped back into Goran's
       stolen  account,  using  a new password, Benson. He started a program
       that searched our users' files for passwords; while that executed, he
       called  up  the  Milnet  Network  Information  Center and asked for a
       pathway into the CIA.                                                
          Instead of their computer, though, he found four people who worked
       at the CIA. Later, I phoned one of them.                            
          I  didn't  know where to begin. How do you introduce yourself to a
       spy?                                                                
          "Uh, you don't know me, but I'm a computer manager, and we've been
       following a computer hacker."                                        
          "Uh-huh."  "Well, he searched for a pathway to try to get into the
       CIA's computers. He found your name and phone number."              
          "Who  are you? " Nervously, I told him, expecting him to send over
       a gang of hit men in trench coats. I described our laboratory, making
       sure he understood that the People's Republic of Berkeley didn't have
       official  diplomatic  relations with his organization. He sent over a
       delegation  several days later. OK, so they didn't wear trench coats.
       Not  even  sunglasses. just boring suits and ties. Wayne saw the four
       of  them walk up the drive and flashed a message to my terminal: "All
       hands on deck. Sales reps approach through starboard portal. Charcoal
       gray  suits.  Set  warp  speed  to avoid IBM sales pitch." If only he
       knew.                                                                
          The four spooks introduced themselves. One guy in his fifties said
       he  was  there  as a "navigator" and didn't give his name-he just sat
       there  quietly the whole time. The second spy, Greg Fennel, I guessed
       to  be  a computer jockey, because he seemed uncomfortable in a suit.
       The  third  agent,  Teejay, was built like a halfback. The fourth guy
       must have been the bigwig: everyone shut up when he talked. Together,
       they looked more like bureaucrats than spies.                        
          The  four  of  them  sat quietly while we gave them an overview of
       what  we'd  seen.  Mr.  Big  nodded  and asked, "What keywords has he
       scanned for? "                                                      
          "He  looks  for  words like password, nuclear, SDI, and Norad He's
       picked  some  curious  passwords: lblhack hedges, jaeger, hunter, and
       benson.  The  accounts  he  stole, Goran, Sventek, Whitberg, and Mark
       don't  say  much  about him, because the names are people here at the
       laboratory."                                                        
          Mr. Big nodded and asked, "Tell me, what did he do at Anniston? "
          "I  don't  have  much  of a printout there, " I said. "He was into
       their  system  for  several  months,  perhaps as long as a year. Now,
       since he knows they've detected him, he logs in only for a moment."  
          Mr.  Big  fidgeted  a  bit,  meaning that the meeting was about to
       break  up.  Greg  asked  one  more  question.  "What  machines has he
       attacked? "                                                          
          "Ours, of course, and the army base in Anniston. He's tried to get
       into White Sands Missile Range, and some navy shipyard in Maryland. I
       think   it's   called   Dockmaster."   "Shit]   "   Greg  and  Teejay
       simultaneously  exclaimed.  Greg  said,  "How  do  you  know  he  hit
       Dockmaster? "                                                        
          "About the same time he screwed up our accounting, this Dockmaster
       place  sent  us  a  message saying that someone had tried to break in
       there.".                                                            
          "Did  he  succeed?  "  "I  don't think so. What is this Dockmaster
       place, anyway? Aren't they some navy shipyard? "                    
          They   whispered  among  themselves,  and  Mr.  Big  nodded.  Greg
       explained:  "Dockmaster  isn't  a  navy  shipyard.  It's  run  by the
       National Security Agency."                                          
          A  hacker  breaking into the NSA? Bizarre. This wanted to get into
       the CIA, the NSA, army missile bases, and the North                  
          American  Air  Defense  headquarters.  "Dockmaster  is  NSA's only
       unclassified computer, " Greg said.                                  
        "It belongs to its computer security group, which is actually public
       ."  Mr. Big started talking slowly. "There's not much we can do about
       this affair. I think there's no evidence of foreign espionage."      
          "Well, who should be working on this case? " I asked.            
          "The  FBI.  I'm  sorry,  but  this isn't our bailiwick. Our entire
       involvement  has  been  the  exposure  of  four  names-names that are
       already in the public domain, I might add."                          
          Then they were gone.                                              
          The  spooks were no help, so I was on my own again. I searched the
       Berkeley phone book for Jaegers and Bensons; I figured I ought to try
       Stanford as well. So I stopped by the library. Maggie Morley, our 45-
       year-old  documentmeister, plays rough-and-tumble Scrabble: posted on
       her door is a list of all legal three-letter Scrabble words.        
          "I need a Stanford telephone book, " I I'm looking for everyone in
       Silicon Valley named Jaeger or Benson."                              
          'Jaeger. A word that's been kind to me, " Maggie smiled. "Worth 16
       points,  but  I  once  won  a  game with it, when the \J\ landed on a
       triple-letter score. Turned into 75 points."                        
          "Yeah,  but  I  need it because it's the hacker's password. Hey, I
       didn't know names were legal in Scrabble."                          
          "Jaeger's not a name. Well, maybe it's a nameEllsworth jaeger, the
       famous  omithologist,  for instance-but it's a type of bird. Gets its
       name from the German word meaning hunter."                          
          "Huh? Did you say hunter? "                                      
          "Yes.  Jaegers are hunting birds that badger other birds with full
       beaks. They harass weaker birds until they drop their prey."        
          "Hot  ziggity]  You  answered  my question. I don't need the phone
       book." "Well, what else I can do for you? "                          
          "How  about  explaining the relationship between the words hedges,
       jaeger, hunter, and benson? "                                        
          "Well,  jaeger  and  hunter is obvious to anyone who knows German.
       And smokers know Benson & Hedges."                                  
          Omigod-my  hacker  smokes  Benson  &  Hedges.  Maggie had won on a
       triple-word score.                                                  
          During  one of the phone traces, I had copied down all the numbers
       and  digits I heard from the technician. I called all combinations of
       them  and ended up at a computer modem at Mitre, a defense contractor
       just  down  the  road  from CIA headquarters in McLean, Virginia. How
       deeply  was  Mitre's system infested? By listing its directory, I saw
       that  the hacker had created a Trojan horse there on June 17. For six
       months, someone had silently booby-trapped Mitre's computers.        
          In  alllikelihood, Mitre served as a way station, a stepping-stone
       on  the  way  to  breaking  into other computers. Someone dialed into
       Mitre,  turned  around,  and dialed out from it. This way, Mitre paid
       the  bills both ways: the incoming Tymnet connection and the outgoing
       long-distance phone call. Even nicer, Mitre served as a hiding place,
       a hole in the wall that couldn't be traced.                          
          Monday  morning,  I  called a man named Bill Chandler at Mitre and
       told  him  the  news. Bill wanted me to be quiet about the problems I
       had found. Well, yes, but I had a price.                            
          "Say,  Bill,  could  you  send  me copies of your computer's phone
       bills?  " "What for? " "It might be fun to see where else this hacker
       got  into."  Two  weeks later, a thick envelope arrived, stuffed with
       long-distance  bills from Chesapeake and Potomac. Six months of phone
       bills.  Dates,  times,  phone  numbers, and cities. Probably 5,000 in
       all.  So  many  that  I  couldn't  analyze  them by hand. Perfect for
       analyzing on a computer-there's plenty of software designed to search
       out  correlations.  All  I had to do was enter them into my Macintosh
       computer and run a few programs.                                    
          Ever  type 5,000 phone numbers? It's as boring as it sounds. And I
       had  to do it twice, to make sure I didn't make any mistakes. Took me
       two days.                                                            
          After  running  an  analysis, I found that this hacker hadn't just
       broken  into  my  computer. He was into more than six, and possibly a
       dozen.                                                              
          From  Mitre,  the hacker had made long connections to Norfolk, Oak
       Ridge, Omaha, San Diego, Pasadena, Livermore, and Atlanta.          
          At  least as interesting: he had made hundreds of one-minute phone
       calls, all across the country.                                      
        To  air  force bases, navy shipyards, aircraft builders, and defense
       contractors.  What  can  you  learn from a oneminute phone call to an
       army proving ground?                                                
          For  six  months,  this  hacker  had  been breaking into bases and
       computers  all  across the country. Nobody knew it. He was out there,
       alone,  silent,  anonymous, persistent, and apparently successful-but
       why?  What was he after? What had he already learned? And what was he
       doing with this information? Friday, December 5, the hacker showed up
       again at 1:21 in the afternoon. Nine minutes later, he disappeared.  
          Enough  time  for  me  to  trace the connection to Tymnet. But the
       network's sorcerer, Ron Vivier, was taking a long lunch that day, so
          Tymnet couldn't make the trace. Another chance lost.              
          Ron returned my call an hour later.                              
          "Hey, Cliff, how come you never call me at night? "              
          "Guess  the  hacker  doesn't  show  up at night. I wonder why." He
       started  me  thinking.  My logbook recorded every time the hacker had
       shown up. On the average, when was he active?                        
          I'd  remembered  him  on  at  6  a.m.  and  at 7 p.m. But never at
       midnight. Isn't midnight operation the very image of a hacker?      
          On  the  average,  the  hacker showed up at noon, Pacific time. So
       what did this mean? Suppose he lives in California. Then he's hacking
       during  the day. If he's on the East Coast, he's three hours ahead of
       us, so he works around 3 or 4 in the afternoon.                      
          This  didn't  make  sense.  He'd  work  at  night to save on long-
       distance  telephone  fees.  To avoid network congestion. And to avoid
       detection. Yet he brazenly breaks in during the day. Why?            
          When  it's  noon  in  California, I wondered, where is it evening?
       Lunchtime  in  Berkeley  is  bedtime in Europe. Was the hacker coming
       from Europe?                                                        
          On  a  Saturday afternoon, the hacker hit again. I called Tymnet's
       Ron Vivier at home.                                                  
          "I've got a live one for you, " I gasped. "Just trace my port 14."
       "Right.  It'll  take a minute." A couple of eons passed, and Ron came
       back  on  the  line.  "Hey, Cliff, are you certain that it's the same
       guy?, ".                                                            
          I  watched  the  hacker searching for the word \DI on our computer
       "Yes, it's him."                                                    
          "He's  coming  in  from  a  gateway  that I've never heard of. I'm
       locked onto his network address, so it doesn't matter if he hangs up.
       But the guy's coming from somewhere strange."                        
          "Where's that? "                                                  
          "I don't know. It's Tymnet node 3513, which is a strange one. I'll
       have  to  look  it  up  in  our  directory." In the background, Ron's
       keyboard clicked. "Here it is.                                      
        Your  hacker is coming from outside the Tymnet system. He's entering
       Tymnet  from  a  communications  line  operated  by the International
       Telephone and Telegraph company."                                    
          "So what? "                                                      
          "ITT  takes  a  Westar downlink, the communications satellite over
       the Atlantic. It handles ten or twenty thousand phone calls at once."
          "So my hacker is coming from Europe? "                            
          "For sure."                                                      
          "Where? "                                                        
          "That's  the part I don't know, and I probably can't find out. But
       hold on, and I'll see what's there." More keyboard clicks.          
          Ron came back to the phone. "Well, ITT identifies the line as DSEA
       744031.  That's  their  line  number. It can connect to either Spain,
       France, Germany, or Britain.".                                      
          "Well,  which is it? " "Sorry, I don't know. In three days they'll
       send  us  billing  information,  and then I can find out. Meantime, I
       can't tell you much more than that." Ron rang off, but the hacker was
       still  on  my computer, trying to chisel into the Navy Research Labs,
       when  one of Tymnet's international specialists, Steve White, called.
       "Ron can't trace any farther, " Steve said. "I'll do the trace myself
       "  I  kept  watching the hacker on my screen, hoping that he wouldn't
       hang up while Steve made the trace.                                  
          Steve  came  back on the line. In his modulated, almost theatrical
       British  accent,  he  said, "Your hacker has the calling address DNIC
       dash 2624 dash 542104214."                                          
          "So where's the hacker coming from? "                            
          "West Germany. The German Datex network."                        
          "What's that? "                                                  
          "It's  their national network to connect computers together. We'll
       have to call the Bundespost to find out more."                      
          "Who's the Bundespost? "                                          
          "They're   the  German  national  postal  office.  The  government
       communications monopoly."                                            
          Steve  seemed  pessimistic  about completing a successful "We know
       where   he  connects  into  the  system.  But  there's  a  couple  of
       possibilities  there.  The  hacker might be at a computer in Germany,
       simply  connected  over the German Datex network. If that's the case,
       then  we've  got him cold, We know his address, the address points to
       his computer, and the computer points to him.".                      
          "It is unlikely. More likely, the hacker is coming into the German
       Datex network through a dial-in modem."                              
          Just  like  Tymnet,  Datex  let  anyone  dial  into its system and
       connect to computers on the network.                                
        Perfect for businesspeople and scientists. And hackers.            
          "The  real  problem is in German law, " Steve said. "I don't think
       they recognize hacking as a crime."                                  
          "You're  kidding,  of course." "No, " he said. "A lot of countries
       have outdated laws. In Canada, a hacker who broke into a computer was
       convicted of stealing electricity, rather                            
          than  trespassing.  He  was prosecuted only because the connection
       had used a microwatt of power from the computer."                    
          Steve's pessimism was contagious. But his trace jogged my spirits.
       So  what if we couldn't nail the hacker-our circle was closing around
       him.                                                                
          Germany.  I  remembered  my  librarian  recognizing  the  hacker's
       password.  "Jaeger-it's a German word meaning hunter." The answer had
       been right in front of me, but I'd been blind.                      
          Some  details  were still fuzzy, but I understood how he operated.
       Somewhere in Europe, the hacker called into the German Datex network.
       He  asked for Tymnet, and the Bundespost made the connection. Once he
       reached  the States, he connected to my laboratory and hacked his way
       around Milnet.                                                      
          Mitre  must have been his stopover point. Now I realized why Mitre
       paid  for  a  thousand  one-minutelong  phone calls. The hacker would
       connect  to  Mitre and instruct the system to phone another computer.
       When  it  answered,  he  would  try to log in with a default name and
       password. Usually he failed and went on to another phone number. He'd
       been scanning computers, with Mitre picking up the tab.              
          But he'd left a trail. On Mitre's phone bills.                    
          The  path  led  back  to  Germany,  but  it  might  not end there.
       Conceivably,  someone in Berkeley could have called Berlin, connected
       to  the  Datex  network,  connected  through Tymnet, and come back to
       Berkeley.  Maybe  the start of the path was in Mongolia. Or Moscow. I
       couldn't  tell.  For  the  present,  my  working  hypothesis would be
       Germany.                                                            
          And he scanned for militaly secrets. Could I be following a spy? A
       real spy, working for them-but who's "them"?                        
          Three  months  ago, I'd seen some mouse droppings in my accounting
       files.  Quietly  we'd  watched this mouse sneak through our computer,
       out through a hole, and into the military networks and computers.    
          At  last I knew what this rodent was after. And where he was from.
       I'd been mistaken.                                                  
          This wasn't a mouse. It was a rat.                                
          Curious  whether  other people might have a similar problem with a
       hacker, I spent a few hours one early December day searching bulletin
       boards  on the  Usenet  network for news about  hackers and found one
       note from Toronto. I called the  author on the phone - I didn't trust
       electronic mail. Bob Orr, the manager of the University  of Toronto's
       physics computers, told a familiar story.                            
          "Some  hackers  from  Germany  have  invaded  our system, changing
       programs and damaging our operating system."                        
          "How'd  they get in? " "We collaborate with the Swiss physics lab,
       CERN.  And  a  group  of  German  hackers  called  the Chaos Club has
       thoroughly  walked  through  their  computers.  They  probably  stole
       passwords to our system and linked directly to us."                  
          As  an  aside, Bob mentioned that the Chaos Club might have gotten
       into the US Fermilab computer as well.                              
          "One  guy  uses  the  pseudonym  Hagbard,  " he told me. "Another,
       Pengo. I don't know their real names."                              
          Next I called Stanford and asked one of their system managers, Dan
       Kolkowitz, if he'd heard anything from Germany.                      
          "Come  to  think  of  it,  someone  broke  in  a few months ago. I
       monitored what he did and have a listing of him."                    
          Dan  read the listing over the phone. Some hacker with the nom-de-
       guerre  of  Hagbard  was  sending a file of passwords to some hackers
       named Zombie and Pengo.                                              
          Hagbard and Pengo again. I wrote them in my logbook.              
          One  good  thing  was  happening. One by one, I was making contact
       with other people who were losing sleep and slugging down Maalox over
       the same troubles that obsessed me. It was comforting to learn that I
       wasn't completely alone.                                            
          A  few  days  later,  I received a call telling me that the German
       Bundespost had determined that the hacker came from the University of
       Bremen.  Soon  they  found the account he was using to connect across
       the  Atlantic. They set a trap on that account: the next time someone
       used it, they'd trace the can.                                      
          The  Germans  weren't  sining around. The university would monitor
       the  suspicious  account,  and the Bundespost would keep track of the
       network activity. More and more mouseholes were being watched.      
          Friday,  December  19,  1986,  at  1:38 p.m., the hacker showed up
       again. Stayed around for two hours, fishing on the Milnet. A pleasant
       Friday  afternoon,  trying  to  guess  passwords to the Strategic Air
       Command,  the  European  Milnet  Gateway,  the  West  Point Geography
       Department, and 70 other assorted military computers.                
          I  phoned  Steve  White  at Tymnet. "The hacker's on our computer.
       Tymnet's logical port number 14."                                    
          "OK,  "  Steve said. The usual keyboard clatter in the background.
       Twenty seconds elapsed, and he called"Got it] "                      
          Steve  had  traced a connection from California to Germany in less
       than a minute.                                                      
          "He's  not  coming from Bremen, " he told me. "Today, he's dialing
       into Hannover.".                                                    
          "So  where  is he? In Bremen or Hannover? " "Wolfgang Hoffman, the
       Datex  network  manager  in Germany, doesn't know. For all we know he
       could be in Paris, calling long distance."                          
          Yesterday  it  was  Bremen.  Today  Hannover.  Where would he hide
       tomorrow?  The  hacker,  I  discovered, didn't take holidays; he even
       logged in on New Year's Day. His hacker's celebration was saved on my
       printers. I scribbled notes on the printouts, next to his:          
          WELCOME TO THE ARMY OPTIMIS DATABASE                              
          PLEASE ENTER A WORD OR 'EXIT'.                                    
          / SDI Looking for SDI dope                                        
          THE WORD "SDI" WAS NOT FOUND. But there's none there              
          PLEASE ENTER A WORD OR 'EXIT'.                                    
          / STEALTH Any word on the Stealth bomber?                        
          THE WORD "STEALTH" WAS NOT FOUND. No such luck                    
          PLEASE ENTER A WORD OR 'EXIT'.                                    
          / SAC Strategic Air Command?                                      
          THE WORD "SAC" WAS NOT FOUND. Nope                                
          PLEASE ENTER A WORD OR 'EXIT'.                                    
          / NUCLEAR                                                        
          THANK YOU.                                                        
          I HAVE FOUND 29 DOCUMENT(S) CONTAINING THE PHRASE 'NUCLEAR'.      
          ITEM* MARKS* TITLE                                                
          1 20-lF IG INSPECTIONS (HEADQUARTERS, DEPART                      
          MENT OF THE ARMY).                                                
          2 50A NUCLEAR, CHEMICAL, AND BIOLOGICAL NATION                    
          AL SECURITY AFFAIRS                                              
          3 50B NUCLEAR, CHEMICAL, AND BIOLOGICAL WAR                      
          FARE ARMS CONTROLS                                                
          4 50D NUCLEAR AND CHEMICAL STRATEGY                              
          FORMULATIONS 5 50E NUCLEAR AND CHEMICAL POLITICO-MILITARY        
          AFFAIRS 6 5OF NUCLEAR AND CHEMICAL REQUIREMENTS                  
          7 5OG NUCLEAR AND CHEMICAL CAPABILITIES                          
          8 50H THEATER NUCLEAR FORCE STRUCTURE                            
          DEVELOPMENTS 9 501 NUCLEAR AND CHEMICAL WARFARE BUDGET            
          FORMULATIONS 10 50J NUCLEAR AND CHEMICAL PROGRESS AND STA        
          TISTICAL REPORTS 11 50K ARMY NUCLEAR, CHEMICAL, AND BIOLOGICAL    
          DEFENSE PROGRAM 12 50M NUCLEAR AND CHEMICAL COST ANALYSES        
          13 5ON NUCLEAR, CHEMICAL WARFARE, AND BIOLOGI                    
          CAL DEFENSE SCIENTIFIC AND TECHNICAL                              
          INFORMATION 14 50P NUCLEAR COMMAND AND CONTROL                    
          COMMUNICATIONS                                                    
          15 50Q CHEMICAL AND NUCLEAR DEMILITARIZATIONS                    
          16 5OR CHEMICAL AND NUCLEAR PLANS                                
          17 50-5A NUCLEAR ACCIDENT/INCIDENT CONTROLS                      
          18 50-5B NUCLEAR MANPOWER ALLOCATIONS                            
          19 50-5C NUCLEAR SURETY FILES                                    
          20 50-5D NUCLEAR SITE RESTORATIONS                                
          21 50,5-lA NUCLEAR SITE UPGRADING FILES                          
          22 50-115A NUCLEAR SAFETY FILES                                  
          23 55-355FRTD DOMESTIC SHIPMENT CONTROLS                          
          24 200-IC HAZARDOUS MATERIAL MANAGEMENT FILES.                    
          25 385-11K RADIATION INCIDENT CASES                              
          26 385-11M RADIOACTIVE MATERIAL LICENSING                        
          27 385-40C RADIATION INCIDENT CASES                              
          28 700-65A INTERNATIONAL NUCLEAR LOGISTICS FILES                  
          29 1125-2-300A PLANT DATA                                        
          And  he  wasn't  satisfied  with  the titles to these documents-he
       dumped  all 29 over the line printer. Page after page was filled with
       army  doubletalk.  At one point, my printer jammed. The old DECwriter
       had paid its dues for the past ten years and now needed an adjustment
       with  a  sledgehammer.  Damn.  Right  where the hacker had listed the
       army's plans for nuclear bombs in the central European theater, there
       was only an ink blot.                                                
          Around  noon on Sunday, January 4, my beeper sounded. I jumped for
       the  computer,  checked that the hacker was around, then called Steve
       White. Within a minute, he'd started the trace.                      
          The  hacker  tried  the Air Force Systems Command, Space Division,
       and  managed  to log in as Field Service: not as an ordinary user but
       as one                                                              
          with a completely privileged account.                            
          His first command was to show what privileges he'd                
          garnered.  The  air force computer responded automatically: System
       Privilege, and a slew of other rights, including the ability to read,
       write, or erase any file on the system.                              
          He  was  even  authorized  to run security audits on the air force
       computer. I could imagine him sitting behind his terminal in Germany,
       staring  in  disbelief at the screen. He didn't just have free run of
       the Space Command's computer; he controlled it.                      
          Confident that he was undetected, he probed nearby computers. In a
       moment,  he'd  discovered four on the air force network and a pathway
       to connect to others. From his high ground, none of these were hidden
       from  him;  if their passwords weren't guessable, he could steal them
       by setting up Trojan horses.                                        
          This  wasn't  a little desktop computer he'd broken into. He found
       thousands of files on the system, and hundreds of users.            
          He  commanded  the air force computer to list the names of all its
       files;  it  went  merrily  along typing out names like "Laser-design-
       plans"  and  "Shuttlelaunch-manifest." But he didn't know how to shut
       off  the  spigot.  For  two hours, it poured a Niagara of information
       onto his terminal.                                                  
          Finally, at 2:30, he hung up. While the hacker stepped through the
       air  force computer, Steve White traced Tymnet's lines. I asked Steve
       for the details.                                                    
          "I  checked  with Wolfgang Hoffman at the Bundespost. Your visitor
       is coming from Karlsruhe today. The University of Karlsruhe.".      
          My hacker was moving around. Or maybe he was staying in one place,
       playing  a  shell  game  with  the telephone system. Perhaps he was a
       student,  visiting different campuses and showing off to his friends.
       Was  I  certain  that  there  was  only  one hacker-or was I watching
       several people?                                                      
          Two  days  later,  the  hacker was back. He went straight over thc
       Milnet to the Air Force Space Division. I watched him log in as Field
       Service.                                                            
          He  didn't  waste  a minute. He went straight to the authorization
       software,  searched  for  an  old,  unused  account, and modified it,
       giving it system privileges and a new password: AFHACK.              
          AFHACK-what arrogance. He's thumbing his nose at the United States
       Air Force.                                                          
          From  now  on, he didn't need the field service account. Disguised
       as  an officer in the air force, he had unlimited access to the Space
       Division's computer.                                                
          A  call  to  Steve  White  started  a  trace  rolling. Within five
       minutes,  he'd  traced  the  connection  to  Hannover  and called the
       Bundespost.                                                          
          A few minutes of silence then: "Cliff does the con                
          nection look like it will be                                      
          a long one? "                                                    
          "I can't tell, but I think so, " I said.                          
          "OK."  Steve  was  on  another  telephone;  I  could  hear only an
       occasional shout.                                                    
          In  a  minute, Steve returned to my fine. "Wolfgang is tracing the
       call in Hannover. It's a local call. They're going to try to trace it
       all the way."                                                        
          Here's  news]  A  local call in Hannover meant that the hacker was
       somewhere in Hannover.                                              
          Steve  shouted instructions from Wolfgang: "Whatever you do, don't
       disconnect the hacker. Keep him on the line if you can] "            
          But  he's rifling files at the air force base. It was like letting
       a burglar rob your home while you watched.                          
          He  went  for  operational  plans.  Documents describing air force
       payloads for the space shuttle. Test results from satellite detection
       systems.  SDI  research  proposals.  A  description  of an astronaut-
       operated camera system.                                              
          Tymnet came back on the I'm sorry, Cliff, but the trace in Germany
       is stymied."                                                        
          "Can't  they trace the call? " "Well, the hacker's line comes from
       Hannover,  all  right,  "  Steve replied. "But Hannover's phone fines
       connect  through  mechanical  switches-noisy, complicated widgets-and
       these can be traced only by people, not by computers."              
          Another  opportunity  lost.  I  cut off the hacker's connection so
       that he couldn't do more harm.                                      
          Later, Steve White explained that American telephones are computer
       controlled,  so  it's  pretty easy to trace them. But in Germany they
       need someone at the Hannover exchange to trace the call.            
          "So  we  can't trace him unless the hacker calls during the day or
       evening? " I asked.                                                  
          "Worse than that. It'll take an hour or two to make the trace once
       it's started."                                                      
          Lately, the hacker had been showing up for five minutes at a time.
       Long  enough  to  wake me up, but hardly enough for a two-hour trace.
       How could I keep him on for a couple of hours?                      
          The  answer,  I  realized,  was disarmingly simplegive him what he
       wants:  all  the  classified  data, all the top-secret information he
       could  gather.  Not  for real, of course. Instead, I'd create a phony
       database.  Its  documents  would describe a new Star Wars project. An
       outsider   reading   them   would   believe  that  Lawrence  Berkeley
       Laboratories  had  just  landed a fat government contract to manage a
       new computer network. The SDI Network.                              
          This bogus network, which would apparently link together scores of
       classified  computers,  would  extend  to  military  bases around the
       world.  By  reading  the  files, you'd find lieutenants and colonels,
       scientists  and  engineers.  Here  and  there,  I would drop hints of
       meetings and classified reports.                                    
          And  I  invented  Barbara  Sherwin,  the sweet, bumbling secretary
       trying  to  figure  out  her new word processor and keep track of the
       endless stream of documents produced by our newly invented "Strategic
       Defense Initiative Network Office.".                                
          My  snare  was  baited.  If the hacker bit, he'd take two hours to
       swallow the bait. Long enough for the Germans to track him down.    
          The next move was the hacker's.                                  
          My  beeper  sounded  at 5:14 p.m., Friday, January 16. There's the
       hacker.  It  didn't  take  him very long to swallow the hook; soon he
       broke  into  my  phony  SDInet.  Quickly, I got on the phone to Steve
       White.                                                              
          "Steve, call Germany. The hacker's on, and it'll be a long session
       ."  "Spot-on,  Cliff.  Call you back in ten minutes." For the next 45
       minutes,  the  hacker  dumped  out  file  after file, reading all the
       garbage  that  I had created. Boring, tedious ore, with an occasional
       nugget of technical information.                                    
          Then he dumped the file named FORM LETTER:                        
          DEAR SIR:                                                        
          THANK  YOU  FOR  YOUR INQUIRY ABOUT SDINET. WE ARE HAPPY TO COMPLY
       WITH  YOUR  REQUEST  FOR  MORE  INFORMATION  ABOUT  THIS NETWORK. THE
       FOLLOWING  DOCUMENTS  ARE  AVAILABLE  FROM  THIS OFFICE. PLEASE STATE
       WHICH DOCUMENTS YOU WISH MAILED TO YOU:                              
          #37.6 SDINET OVERVIEW DESCRIPTION DOCUMENT                        
          19 PAGES, REVISED SEPT. 1985                                      
          #41.7 STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS:        
          PLANS  AND  IMPLEMENTATIONS  (CONFERENCE NOTES) 227 PAGES, REVISED
       SEPT. 1985.                                                          
          #45.2 STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS:        
          PLANS AND IMPLEMENTATIONS (CONFERENCE NOTES) 300 PAGES, JUNE 1986
          #47.3 SDINET CONNECTIVITY REQUIREMENTS                            
          65 PAGES, REVISED APRIL 1986                                      
          #48.8 How TO LINK INTO THE SDINET                                
          25 PAGES, JULY 1986                                              
          #49.1 X.25 AND X.75 CONNECTIONS TO SDINET (INCLUDES JAPA          
          NESE,  EUROPEAN,  AND HAWAIIAN NODES) 8 PAGES, DECEMBER 1986 #55.2
       SDINET MANAGEMENT PLAN FOR 1986 TO 1988                              
          47 PAGES, NOVEMBER 1985                                          
          #62.7 UNCLASSIFIED SDINET MEMBERSHIP LIST (INCLUDES MAJOR        
          MILNET CONNECTIONS) 24 PAGES, NOVEMBER 1986                      
          #65.3 CLASSIFIED SDINET MEMBERSHIP LIST                          
          9 PAGES, NOVEMBER 1986                                            
          #69.1 DEVELOPMENTS IN SDINET AND SDI DISNET                      
          28 PAGES, OCTOBER 1986                                            
          SINCERELY YOURS,                                                  
          MRS. BARBARA SHERWIN                                              
          DOCUMENTS SECRETARY                                              
          SDINET PROJECT                                                    
          Steve  White called back from Tymnet. "I've traced your connection
       over  to  the University of Bremen. And the Bundespost has traced the
       Datex  line  from  Bremen  into  Hannover. In the past half hour, the
       technician  traced  the  line  and  has narrowed it down to one of 50
       telephone numbers.".                                                
          "Why can't they get the actual number? " "Wolfgang's unclear about
       that. It sounds like they've determined the number to be from a group
       of local phones, but the next time they make a trace, they'll zero in
       on  the  actual  telephone.  From  tile  sound of Wolfgang's message,
       they're excited about solving this case."                            
          The  next  day, at 10:17 a.m., the hacker came back. This time, he
       wasn't interested in SDI files. Instead, he went out over the Milnet,
       trying to break into military computers.                            
          He  was  concentrating  on air force and army computers, though he
       occasionally  knocked  on  the  navy's door as well. Places I'd never
       heard  of,  like  the Air Force Weapons Lab, Descom headquarters, Air
       Force CC OIS, and the CCA-amc. Fifty places, all without success.    
          Then  he  slid across the Milnet into a computer named Buckner. He
       got  right  in . . . didn't even need a password on the account named
       "guest."                                                            
          He'd  broken  into  the Army Communications Center in Building 23,
       Room 121, of Fort Buckner. Fort Buckner was in Okinawa.              
          What  a  connection]  From Hannover, Germany, the hacker linked to
       the  University  of Bremen, across a transatlantic cable into Tymnet,
       then into my Berkeley computer, and into the Milnet, finally reaching
       Okinawa.                                                            
          A  bit  after  11 in the morning, he finally grew tired and logged
       off.  While he'd circled the globe with his spiderweb of connections,
       the German Bundespost had homed in on him.                          
          The  phone  rang-had  to  be Steve White. "Hi Cliff, " Steve said,
       "The  trace  is complete." "The Germans got the guy? " "They know his
       phone number." "Well, who is he? " I asked.                          
          "They can't say right now, but you're supposed to tell the FBI."  
          "Just  tell  me this much, " I asked Steve. "Is it a computer or a
       person?  " "A person with a computer at his home. Or should I say, at
       his  business."  Days  later, Tymnet passed along a chilling message:
       "This  is  not a benign hacker. It is quite serious. The scope of the
       investigation  is  being  extended.  Thirty people are now working on
       this  case.  Instead of simply breaking into the apartments of one or
       two  people, locksmiths are making keys to the houses of the hackers,
       and  the  arrests  will  be  made when the hackers cannot destroy the
       evidence. These hackers are linked to the shady dealings of a private
       company."                                                            
          Throughout the spring, I kept making new bait. My mythical Barbara
       Sherwin  created  memos  and letters, requisitions and travel orders.
       Here  and  there,  she sprinkled a few technical articles, explaining
       how the SDI network interconnected all sorts of classified computers.
          On  Monday,  April  27,  came  one of the biggest shocks. A letter
       arrived, addressed to the imaginary Barbara Sherwin.                
          Triam International, Inc.                                        
          6512 Ventura Drive                                                
          Pittsburgh, PA 15236 April 21, 1987                              
          Dear Mrs. Sherwin:                                                
          I am interested in the following documents. Please send me a price
       list  and  an  update  on  SDI  Network  Project.  Thank you for your
       cooperation.                                                        
          Very truly yours,                                                
          Laszlo J. Balogh                                                  
          Balogh  then  asked  for every phony document I had made up in the
       file called FORM LETTER.                                            
          Someone   had   swallowed   the  bait  and  was  asking  for  more
       information]  I could understand it if the letter came from Hannover.
       But Pittsburgh?                                                      
          I  called  Mike  Gibbons at the Alexandria FBI office and told him
       about it.                                                            
          "OK, " Mike said. "Listen up carefully. Don't touch that letter.  
        Especially,  don't  touch  around  the  edges.  Go  find  a glassine
       envelope.  Gently insert the paper in the envelope. Then express mail
       it to me. Whatever you do, don't handle it. Wear gloves if you must."
          This  sounded  like  Dick Tracy's "Crimestoppers, " but I followed
       orders.                                                              
          A  hacker  in  Hannover,  Germany,  learns a secret from Berkeley,
       California.  Three  months  later,  a  Hungarian  named Laszlo Balogh
       living  in  Pittsburgh  writes  us  a  letter. What's happening here?
       Tuesday moming, June 23, Mike Gibbons called from the FBI.          
          "You  can  close  up  shop,  Cliff."  "What's  happened? " "Arrest
       warrants  were  issued  this  morning  at IO." "Anyone arrested? " "I
       can't say." Something was happening. But Mike wouldn't say what.    
          A  few hours later, Wolfgang Hoffman sent a message: "An apartment
       and  a  company  were  searched,  and  nobody  was  home at the time.
       Printouts,  disks,  and tapes were seized and will be analyzed in the
       next few days. Expect no further break-ins."                        
          Finally,  it was over. The FBI still wasn't talking, but I managed
       to fmd out who the Germans had fingered; I could now attach a name to
       the shadowy hacker I had chased across two continents: Markus Hess.  
          So  what  really  happened?  Was  Hess working alone, or was he in
       league  with  others? And why was he breaking into defense department
       computers?  Here's  my estimate, based on interviews, police reports,
       newspaper accounts, and messages from German computer programmers. In
       the mid-1980s, a dozen hackers started the Chaos Computer Club, whose
       members specialized in creating viruses, breaking into computers, and
       serving  as  a  computer  counterculture. Through electronic bulletin
       boards  and telephone links, they anonymously exchanged phone numbers
       of hacked computers, as well as stolen passwords and credit cards.  
          Markus  Hess  knew  of  the  Chaos  Club,  although he was never a
       central  figure  there.  Rather,  he kept his distance as a freelance
       hacker.  During  thc  day,  he  worked  at  a  small software firm in
       downtown Hannover.                                                  
          Over  a  crackling  phone  connection,  an  astronomer  friend  in
       Hannover  explained  to  me, "You see, Hess knew Hagbard, who kept in
       touch  with other hackers in Germany, Eke Pengo and Frimp. Hagbard is
       a pseudonym, of course, his real name is . . . "                    
          Hagbard.  I'd heard that name before-he'd broken into Fermilab and
       Stanford.                                                            
          Hagbard  worked  closely  with  Markus  Hess.  The two drank beers
       together at Hannover bars and spent evenings behind Hess's computer.
          Apparently,  Hess  apparently  just  played around the networks at
       first,  searching  for  ways to connect around the world. Like a ham-
       radio  operator,  he  started  out a hobbyist, trying to reach as far
       away  as  possible.  In  the  beginning,  he  managed  to  connect to
       Karlsruhe; later he reached Bremen over the Datex network.          
          Soon  he  discovered that many system managers hadn't locked their
       back  doors. Usually these were university computers, but Markus Hess
       began  to  wonder:  how many other systems were wide open? What other
       ways could you sneak into computers?                                
          By  September 1985, Hagbard and Pengo were routinely breaking into
       computers  in  North  America: mostly high energy physics labs, but a
       few  NASA sites as well. Excitedly, Hagbard described his exploits to
       Hess.                                                                
          Hess  began  to explore outside of Germany. But he no longer cared
       about  universities  and  physics  laboratories-he  wanted  some real
       excitement.  Hess now targeted the military. The leaders of the Chaos
       Computer Club had issued a warning to their members: "Never penetrate
       a  military  computer.  The security people on the other side will be
       playing  a  game  with  youalmost  like  chess. Remember that they've
       practiced  this  game  for  a  long  time. . . . " Markus Hess wasn't
       listening.                                                          
          Hess  apparently  found  his  way  into  an  unprotected  computer
       belonging  to  a  German subsidiary of U.S. defense contractor Mitre.
       Once  inside that system, he discovered detailed instructions to link
       into   Mitre's  computers  in  Bedford,  Massachusetts,  and  McLean,
       Virginia.  By summer 1986, Hess and Hagbard were operating separately
       but  frequently  comparing notes. Meanwhile, Hess worked in Hannover,
       programming VAX computers and managing several systems.              
          Hess  soon expanded his beachhead at Mitre. He explored the system
       internally, then sent out tentacles into other American computers. He
       collected  telephone  numbers  and network addresses and methodically
       attacked  these  systems.  On  August 20, he struck Lawrence Berkeley
       Labs.                                                                
          Even then, Hess was only fooling around. He'd realized that he was
       privy  to  secrets,  both industrial and national, but kept his mouth
       shut.  Then,  around  the  end  of  September,  in  a  smoky Hannover
       beergarden, he described his latest exploit to Hagbard.              
          Hagbard  smelled money. And Hagbard knew who to contact: Pengo, in
       West Berlin.                                                        
          Pengo,  with  his  contacts to hackers across Germany, knew how to
       use  Hess's information. Carrying Hess's printouts, one of the Berlin
       hackers  crossed  into  East Berlin and met with agents from the East
       German Staatssicherheitsdienst-the Secret Service.                  
          The   deal  was.  made:  around  30,000  deutschemarks-$18,000-for
       printouts and passwords.                                            
          From  there,  who knows what happened to the information? The East
       German  Secret Service cooperates closely with the Soviet KGB; surely
       the Staatssicherheitsdienst would tell the KGB about this new form of
       espionage.                                                          
          The KGB wasn't just paying for printouts, though. Hess and company
       apparently  sold  their  techniques  as  well:  how to break into VAX
       computers;  which networks to use when crossing the Atlantic; details
       on how the Milnet operates.                                          
          Even  more  important to the KGB was obtaining research data about
       Western  technology,  including  integrated circuit design, computer-
       aided  manufacturing, and, especially, operating system software that
       was under U.S. export control. They offered 250,000 deutschemarks for
       copies of Digital Equipment's VMS operating system.                  
          According to the German television station NDR, the Berlin hackers
       supplied  much  of  this  order,  including  source  code to the Unix
       operating  system  designs for high-speed gallium-arsenide integrated
       circuits,  and  computer  programs  used  to engineer computer memory
       chips. Hagbard wanted more than money. He demanded co                
          caine. The East German Secret Service was a willing supplier.    
          Hagbard passed some of the money (but none of the cocaine) to Hess
       in retum for printouts, passwords, and network information. Hagbard's
       cut  went  toward  paying his telephone bill which sometimes ran over
       $1,000  a  month  as he called computers around the world. Hess saved
       everything.  He kept a detailed notebook and saved every session on a
       floppy  disk.  This  way,  after  he  disconnected  from  a  military
       computer,  he  could  print  out the interesting parts and pass these
       along to Hagbard and on to the KGB.                                  
          Also on the KGB's wish list was SDI data. As Hess searched for it,
       I  naturally  detected  SDI showing up in his requests. And I had fed
       Hess plenty of SDI fodder. But could the East Germans (or KGB?) trust
       these  printouts? How could they be sure Hagbard wasn't inventing all
       of this to feed his own coke habit?                                  
          The  KGB  decided  to  verify the German hacker ring. The mythical
       Barbara  Sherwin served as a perfect way to test the validity of this
       new form of espionage. She had, after all, invited people to write to
       her for more information.                                            
          But  secret  services  don't  handle  things  directly.  They  use
       intermediaries.  The  East  Germans  (KGB?) contacted another agency-
       either the Hungarian or Bulgarian intelligence service. They, in tum,
       apparently   had  a  professional  relationship  with  a  contact  in
       Pittsburgh: Laszlo Balogh.                                          
          Does  the  FBI  have enough evidence to indict Laszlo Balogh? They
       won't  tell  me.  But the way I see it, Laszlo's in deep trouble: the
       FBI  is  watching him, and whoever's pulling his puppet strings isn't
       pleased.                                                            
          The  West  German  police, though, have plenty of evidence against
       Markus Hess. Printouts, phone traces, and my logbook. When they broke
       into  his  apartment  on  June 29, 1987, they seized a hundred floppy
       disks,  a computer, and documentation describing the U.S. Milnet. But
       when  the  police  raided Hess's apartment, nobody was home. Though I
       was  waiting  patiently  for him to appear on my computer, the German
       police entered his place when he wasn't connected.                  
          At his first trial, Hess got off on appeal. His lawyer argued that
       since  Hess  wasn't connected at the moment his apartment was raided,
       he might not have done the hacking. This, along with a problem in the
       search  warrants,  was  enough  to  overtum  the case against Hess on
       computer   theft.   But   the  German  federal  police  continued  to
       investigate.                                                        
          On  March  2,  1989,  German  authorities charged five people with
       espionage:  Pengo,  Hagbard,  Peter  Carl, Dirk Bresinsky, and Markus
       Hess.                                                                
          Peter  Carl  met regularly with KGB agents in East Berlin, selling
       any data the others could find.                                      
        When  the  German  officials caught up with him, he was about to run
       off  to  Spain.  He's now in jail, waiting for trial, along with Dirk
       Bresinsky, who was jailed for desertion from the German army.        
          Pengo  is  having  second thoughts about his years working for the
       KGB.  He  says  that  he  hopes he "did the right thing by giving the
       German police detailed information about my involvement." But as long
       as there's an active criminal case, he'll say no more.              
          All  the  same,  the  publicity hasn't helped Pengo's professional
       life  as a computer consultant. His business partners have shied away
       from  backing  him,  and  several of his computing projects have been
       canceled.  Outside of his business losses, I'm not sure that he feels
       there's anything wrong with what he did.                            
          Today,  Markus  Hess  is  walking the streets of Hannover, free on
       bail while awaiting a trial for espionage.                          
          Hagbard,  who  hacked  with  Hess  for  a  year, tried to kick his
       cocaine  habit in late 1988. But not before spending his profits from
       the  KGB:  he  was  deep in debt and without a job. In spring 1989 he
       found  a  job  at  the  office  of  a political party in Hannover. By
       cooperating  with  the  police,  he and Pengo avoided prosecution for
       espionage.                                                          
          Hagbard was last seen alive on May 23, 1989. In an isolated forest
       outside  of Hannover, police found his chaffed bones next to a melted
       can  of gasoline. A borrowed car was parked nearby, keys still in the
       ignition.                                                            
          No suicide note was found.                                        



Яндекс цитирования