Underground: Tales of Hacking, Madness and Obsession from the Electronic Frontier (28 page)

When he found a complete collection of Zardoz in Worsley’s directory, Electron was tempted to try a grab and run. The problem was that, with his slow modem, he couldn’t run very quickly. Downloading Zardoz would take several hours. Quashing his overwhelming desire to reach out and grab Zardoz then and there, he slipped out of the machine noiselessly.

Early next morning, an excited and impatient Electron crept back into DITMELA and headed straight for Worsley’s directory. Zardoz was still there. And a sweet irony. Electron was using a security bug he had found on an early issue of Zardoz to break into the computer which would surrender the entire archive to him.

Getting Zardoz out of the CSIRO machine was going to be a little difficult. It was a big archive and at 300 baud--30 characters per second--Electron’s modem would take five hours to siphon off an entire copy. Using the CAT command, Electron made copies of all the Zardoz issues and bundled them up into one 500 k file. He called the new file

.t and stored it in the temporary directory on DITMELA.

Then he considered what to do next. He would mail the Zardoz bundle to another account outside the CSIRO computer, for safe-keeping. But after that he had to make a choice: try to download the thing himself or hang up, call Phoenix and ask him to download it.

Using his 2400 baud modem, Phoenix would be able to download the Zardoz bundle eight times faster than Electron could. On the other hand, Electron didn’t particularly want to give Phoenix access to the CSIRO machine. They had both been targeting the machine, but he hadn’t told Phoenix that he had actually managed to get in. It wasn’t that he planned on withholding Zardoz when he got it. Quite the contrary, Electron wanted Phoenix to read the security file so they could bounce ideas off each other. When it came to accounts, however, Phoenix had a way of messing things up. He talked too much. He was simply not discreet.

While Electron considered his decision, his fingers kept working at the keyboard. He typed quickly, mailing copies of the Zardoz bundle to two hacked student accounts at Melbourne University. With the passwords to both accounts, he could get in whenever he wanted and he wasn’t taking any chances with this precious cargo. Two accounts were safer than one--a main account and a back-up in case someone changed the password on the first one.

Then, as the DITMELA machine was still in the process of mailing the Zardoz bundle off to the back-up sites, Electron’s connection suddenly died.

The CSIRO machine had hung up on him, which probably meant one thing.

The admin had logged him off. Electron was furious. What the hell was a system administrator doing on a computer at this hour? The admin was supposed to be asleep! That’s why Electron logged on when he did. He had seen Zardoz on the CSIRO machine the day before but he had been so patient refusing to touch it because the risk of discovery was too great. And now this.

The only hope was to call Phoenix and get him to login to the Melbourne Uni accounts to see if the mail had arrived safely. If so, he could download it with his faster modem before the CSIRO admin had time to warn the Melbourne Uni admin, who would change the passwords.

Electron got on the phone to Phoenix. They had long since stopped caring about what time of day they rang each other. 10 p.m. 2 a.m.

4.15 a.m. 6.45 a.m.

‘Yeah.’ Electron greeted Phoenix in the usual way.

‘Yup,’ Phoenix responded.

Electron told Phoenix what happened and gave him the two accounts at Melbourne University where he had mailed the Zardoz bundle.

Phoenix hung up and rang back a few minutes later. Both accounts were dead. Someone from Melbourne University had gone in and changed the passwords within 30 minutes of Electron being booted off the CSIRO

computer. Both hackers were disturbed by the implications of this event. It meant someone--in fact probably several people--were onto them. But their desperation to get Zardoz overcame their fear.

Electron had one more account on the CSIRO computer. He didn’t want to give it to Phoenix, but he didn’t have a choice. Still, the whole venture was filled with uncertainty. Who knew if the Zardoz bundle was still there? Surely an admin who bothered to kick Electron out would move Zardoz to somewhere inaccessible. There was, however, a single chance.

When Electron read off the password and username, he told Phoenix to copy the Zardoz bundle to a few other machines on the Internet instead of trying to download it to his own computer. It would be much quicker, and the CSIRO admin wouldn’t dare break into someone else’s computers to delete the copied file. Choosing overseas sites would make it even harder for the admin to reach the admins of those machines and warn them in time. Then, once Zardoz was safely tucked away in a few back-up sites, Phoenix could download it over the Internet from one of those with less risk of being booted off the machine halfway through the process.

Sitting at his home in Kelvin Grove, Thornbury, just two suburbs north of the CSIRO machine, Ian Mathieson watched the hacker break into his computer again. Awoken by a phone call at 2.30 a.m. telling him there was a suspected hacker in his computer, Mathieson immediately logged in to his work system, DITMELA, via his home computer and modem. The call, from David Hornsby of the Melbourne University Computer Science Department, was no false alarm.

After watching the unknown hacker, who had logged in through a Melbourne University machine terminal server, for about twenty minutes, Mathieson booted the hacker off his system. Afterwards he noticed that the DITMELA computer was still trying to execute a command issued by the hacker. He looked a little closer, and discovered DITMELA was trying to deliver mail to two Melbourne University accounts.

The mail, however, hadn’t been completely delivered. It was still sitting in the mail spool, a temporary holding pen for undelivered mail. Curious as to what the hacker would want so much from his system, Mathieson moved the file into a subdirectory to look at it. He was horrified to find the entire Zardoz archive, and he knew exactly what it meant. These were no ordinary hackers--they were precision fliers. Fortunately, Mathieson

consoled himself, he had stopped the mail before it had been sent out and secured it.

Unfortunately, however, Mathieson had missed Electron’s original file--the bundle of Zardoz copies. When Electron had mailed the file, he had copied it, leaving the original intact. They were still sitting on DITMELA under the unassuming name .t. Mailing a file didn’t delete it--the computer only sent a copy of the original. Mathieson was an intelligent man, a medical doctor with a master’s degree in computer science, but he had forgotten to check the temporary directory, one of the few places a hacker could store files on a Unix system if he didn’t have root privileges.

At exactly 3.30 a.m. Phoenix logged into DITMELA from the University of Texas. He quickly looked in the temporary directory. The .t file was there, just as Electron had said it would be. The hacker quickly began transferring it back to the University of Texas.

He was feeling good. It looked like the Australians were going to get the entire Zardoz collection after all. Everything was going extremely well--until the transfer suddenly died. Phoenix had forgotten to check that there was enough disk space available on the University of Texas account to download the sizeable Zardoz bundle. Now, as he was logged into a very hot machine, a machine where the admin could well be watching his every move, he discovered there wasn’t enough room for the Zardoz file.

Aware that every second spent on-line to DITMELA posed a serious risk, Phoenix logged off the CSIRO machine immediately. Still connected to the Texas computer, he fiddled around with it, deleting other files and making enough room to pull the whole 500 k Zardoz file across.

At 3.37 a.m. Phoenix entered DITMELA again. This time, he vowed, nothing would go wrong. He started up the file transfer and waited.

Less than ten minutes later, he logged off the CSIRO computer and nervously checked the University of Texas system. It was there.

Zardoz, in all its glory. And it was his! Phoenix was ecstatic.

He wasn’t done yet and there was no time for complacency. Swiftly, he began compressing and encrypting Zardoz. He compressed it because a smaller file was less obvious on the Texas machine and was faster to send to a back-up machine. He encrypted it so no-one nosing around the file would be able to see what was in it.

He wasn’t just worried about system admins; the Texas system was riddled with hackers, in part because it was home to his friend, Legion of Doom hacker Erik Bloodaxe, a

student at the university.

After Phoenix was satisfied Zardoz was safe, he rang Electron just before 4 a.m. with the good news. By 8.15, Phoenix had downloaded Zardoz from the Texas computer onto his own machine. By 1.15 p.m., Electron had downloaded it from Phoenix’s machine to his own.

[ ]

Zardoz had been a difficult conquest, but Deszip would prove to be even more so. While dozens of security experts possessed complete Zardoz archives, far fewer people had Deszip. And, at least officially, all of them were in the US.

The US government banned the export of cryptography algorithms. To send a copy of Deszip, or DES or indeed any other encryption program outside the US was a crime. It was illegal because the US State Department’s Office of Defense Trade Controls considered any encryption program to be a weapon. ITAR, the International Traffic in Arms Regulations stemming from the US Arms Export Control Act 1977, restricted publication of and trad in ‘defense articles’. It didn’t matter whether you flew to Europe with a disk in your pocket, or you sent the material over the Internet. If you violated ITAR, you faced the prospect of prison.

Occasionally, American computer programmers discreetly slipped copies of encryption programs to specialists in their field outside the US.

Once the program was outside the US, it was fair game--there was nothing US authorities could do about someone in Norway sending Deszip to a colleague in Australia. But even so, the comp-sec and cryptography communities outside the US still held programs such as Deszip very tightly within their own inner sanctums.

All of which meant that Electron and Phoenix would almost certainly have to target a site in the US. Electron continued to compile a hit list, based on the Zardoz mailing list, which he gave to Phoenix. The two hackers then began searching the growing Internet for computers belonging to the targets.

It was an impressive hit list. Matthew Bishop, author of Deszip.

Russell Brand, of the Lawrence Livermore National Labs, a research laboratory funded by the US Department of Energy. Dan Farmer, an author of the computer program COPS, a popular security-testing program which included a password cracking program. There were others.

And, at the top of the list, Eugene Spafford, or Spaf, as the hackers called him.

By 1990, the computer underground viewed Spaf not just as security guru, but also as an anti-hacker zealot. Spaf was based at Purdue University, a hotbed of computer security experts. Bishop had earned his PhD at Purdue and Dan Farmer was still there. Spaf was also one of the founders of usenet, the Internet newsgroups service. While working as a computer scientist at the university, he had made a name for himself by, among other things, writing a technical analysis of the RTM worm. The worm, authored by Cornell University student Robert T.

Morris Jr in 1988, proved to be a boon for Spaf’s career.

Prior to the RTM worm, Spaf had been working in software engineering.

After the worm, he became a computer ethicist and a very public spokesman for the conservatives in the computer security industry.

Spaf went on tour across the US, lecturing the public and the media on worms, viruses and the ethics of hacking. During the Morris case, hacking became a hot topic in the United States, and Spaf fed the flames. When Judge Howard G. Munson refused to sentence Morris to prison, instead ordering him to complete 400 hours community service, pay a $10000 fine and submit to three years probation, Spaf publicly railed against the decision. The media reported that he had called on the computer industry to boycott any company which chose to employ Robert T. Morris Jr.

Targeting Spaf therefore served a dual purpose for the Australian hackers. He was undoubtedly a repository of treasures such as Deszip, and he was also a tall poppy.

One night, Electron and Phoenix decided to break into Spaf’s machine at Purdue to steal a copy of Deszip. Phoenix would do the actual hacking, since he had the fast modem, but he would talk to Electron simultaneously on the other phone line. Electron would guide him at each step. That way, when Phoenix hit a snag, he wouldn’t have to retreat to regroup and risk discovery.

Both hackers had managed to break into another computer at Purdue, called Medusa. But Spaf had a separate machine, Uther, which was connected to Medusa.

Phoenix poked and prodded at Uther, trying to open a hole wide enough for him to crawl through. At Electron’s suggestion, he tried to use the CHFN bug. The CHFN command lets users change the information provided--such as their name, work address or office phone number--when someone ‘fingers’ their accounts. The bug had appeared in one of the Zardoz files and Phoenix and Electron had already used it to break into several other machines.

Electron wanted to use the CHFN bug because, if the attack was successful, Phoenix would be able to make a root account for himself on Spaf’s machine. That would be the ultimate slap in the face to a high-profile computer security guru.

But things weren’t going well for Phoenix. The frustrated Australian hacker kept telling Electron that the bug should work, but it wouldn’t, and he couldn’t figure out why. The problem, Electron finally concluded, was that Spaf’s machine was a Sequent. The CHFN bug depended on a particular Unix password file structure, but Sequents used a different structure. It didn’t help that Phoenix didn’t know that much about Sequents--they were one of Gandalf’s specialties.

After a few exasperating hours struggling to make the CHFN bug work, Phoenix gave up and turned to another security flaw suggested by Electron: the FTP bug. Phoenix ran through the bug in his mind.