Read Underground: Tales of Hacking, Madness and Obsession from the Electronic Frontier Online
Authors: Suelette Dreyfus
considerable funding.
This was not going to be a good day for the guys down at the NASA SPAN
computer network office.
This was not going to be a good day for John McMahon.
[ ]
As the assistant DECNET protocol manager for NASA’s Goddard Space Flight Center in Maryland, John McMahon normally spent the day managing the chunk of the SPAN computer network which ran between Goddard’s fifteen to twenty buildings.
McMahon worked for Code 630.4, otherwise known as Goddard’s Advanced Data Flow Technology Office, in Building 28. Goddard scientists would call him up for help with their computers. Two of the most common sentences he heard were ‘This doesn’t seem to work’ and ‘I can’t get to that part of the network from here’.
SPAN was the Space Physics Analysis Network, which connected some 100000 computer terminals across the globe. Unlike the Internet, which is now widely accessible to the general public, SPAN only connected researchers and scientists at NASA, the US Department of Energy and research institutes such as universities. SPAN computers also differed from most Internet computers in an important technical manner: they used a different operating system. Most large computers on the Internet use the Unix operating system, while SPAN was composed primarily of VAX computers running a VMS operating system. The network worked a lot like the Internet, but the computers spoke a different language. The Internet ‘talked’ TCP/IP, while SPAN ‘spoke’ DECNET.
Indeed, the SPAN network was known as a DECNET internet. Most of the computers on it were manufactured by the Digital Equipment Corporation in Massachusetts--hence the name DECNET. DEC built powerful computers.
Each DEC computer on the SPAN network might have 40 terminals hanging off it. Some SPAN computers had many more. It was not unusual for one DEC computer to service 400 people. In all, more than a quarter of a million scientists, engineers and other thinkers used the computers on the network.
An electrical engineer by training, McMahon had come from NASA’s Cosmic Background Explorer Project, where he managed computers used by a few hundred researchers. Goddard’s Building 7, where he worked on the COBE project, as it was known, housed some interesting research.
The project team was attempting to map the universe. And they were trying to do it in wavelengths invisible to the human eye. NASA would launch the COBE satellite in November 1989. Its mission was to
‘measure the diffuse infrared and microwave radiation from the early universe, to the limits set by our astronomical environment’.6 To the casual observer the project almost sounded like a piece of modern art, something which might be titled ‘Map of the Universe in Infrared’.
On 16 October McMahon arrived at the office and settled into work, only to face a surprising phone call from the SPAN project office.
Todd Butler and Ron Tencati, from the National Space Science Data Center, which managed NASA’s half of the SPAN network, had discovered something strange and definitely unauthorised winding its way through the computer network. It looked like a computer worm.
A computer worm is a little like a computer virus. It invades computer systems, interfering with their normal functions. It travels along any available compatible computer network and stops to knock at the door of systems attached to that network. If there is a hole in the security of the computer system, it will crawl through and enter the system. When it does this, it might have instructions to do any number of things, from sending computer users a message to trying to take over the system. What makes a worm different from other computer programs, such as viruses, is that it is self-propagating. It propels itself forward, wiggles into a new system and propagates itself at the new site. Unlike a virus, a worm doesn’t latch onto a data file or a program. It is autonomous.7
The term ‘worm’ as applied to computers came from John Brunner’s 1975
science fiction classic, The Shockwave Rider. The novel described how a rebel computer programmer created a program called ‘tapeworm’ which was released into an omnipotent computer network used by an autocratic government to control its people. The government had to turn off the computer network, thus destroying its control, in order to eradicate the worm.
Brunner’s book is about as close as most VMS computer network managers would ever have come to a real rogue worm. Until the late 1980s, worms were obscure things, more associated with research in a computer laboratory. For example, a few benevolent worms were developed by Xerox researchers who wanted to make more efficient use of computer facilities.8 They developed a ‘town crier worm’ which moved through a network sending out important announcements. Their ‘diagnostic worm’
also constantly weaved through the network, but this worm was designed to inspect machines for problems.
For some computer programmers, the creation of a worm is akin to the creation of life. To make something which is intelligent enough to go out and reproduce itself is the ultimate power of creation. Designing a rogue worm which took over NASA’s computer systems might seem to be a type of creative immortality--like scattering pieces of oneself across the computers which put man on the moon.
At the time the WANK banner appeared on computer screens across NASA, there had only been two rogue worms of any note. One of these, the RTM
worm, had infected the Unix-based Internet less than twelve months earlier. The other worm, known as Father Christmas, was the first VMS
worm.
Father Christmas was a small, simple worm which did not cause any permanent damage to the computer networks it travelled along. Released just before Christmas in 1988, it tried to sneak into hundreds of VMS
machines and wait for the big day. On Christmas morning, it woke up and set to work with great enthusiasm. Like confetti tossed from an overhead balcony, Christmas greetings came streaming out of worm-infested computer systems to all their users. No-one within its reach went without a Christmas card. Its job done, the worm evaporated. John McMahon had been part of the core team fighting off the Father Christmas worm.
At about 4 p.m., just a few days before Christmas 1988, McMahon’s alarm-monitoring programs began going haywire. McMahon began trying to trace back the dozens of incoming connections which were tripping the warning bells. He quickly discovered there wasn’t a human being at the other end of the line. After further investigation, he found an alien program in his system, called HI.COM. As he read the pages of HI.COM
code spilling from his line printer, his eyes went wide. He thought, This is a worm! He had never seen a worm before.
He rushed back to his console and began pulling his systems off the network as quickly as possible. Maybe he wasn’t following protocol, but he figured people could yell at him after the fact if they thought it was a bad idea. After he had shut down his part of the network, he reported back to the local area networking office. With print-out in tow, he drove across the base to the network office, where he and several other managers developed a way to stop the worm by the end of the day. Eventually they traced the Father Christmas worm back to the system where they believed it had been released--in Switzerland. But they never discovered who created it.
Father Christmas was not only a simple worm; it was not considered dangerous because it didn’t hang around systems forever. It was a worm with a use-by date.
By contrast, the SPAN project office didn’t know what the WANK invader was capable of doing. They didn’t know who had written or launched it.
But they had a copy of the program. Could McMahon have a look at it?
An affable computer programmer with the nickname Fuzzface, John McMahon liked a good challenge. Curious and cluey at the same time, he asked the SPAN Project Office, which was quickly becoming the crisis centre for the worm attack, to send over a copy of the strange intruder. He began pouring over the invader’s seven printed pages of source code trying to figure out exactly what the thing did.
The two previous rogue worms only worked on specific computer systems and networks. In this case, the WANK worm only attacked VMS computer systems. The source code, however, was unlike anything McMahon had ever seen. ‘It was like sifting through a pile of spaghetti,’ he said.
‘You’d pull one strand out and figure, "OK, that is what that thing does." But then you’d be faced with the rest of the tangled mess in the bowl.’
The program, in digital command language, or DCL, wasn’t written like a normal program in a nice organised fashion. It was all over the place. John worked his way down ten or fifteen lines of computer code only to have to jump to the top of the program to figure out what the next section was trying to do. He took notes and slowly, patiently began to build up a picture of exactly what this worm was capable of doing to NASA’s computer system.
[ ]
It was a big day for the anti-nuclear groups at the Kennedy Space Center. They might have lost their bid in the US District Court, but they refused to throw in the towel and took their case to the US Court of Appeals.
On 16 October the news came. The Appeals Court had sided with NASA.
Protesters were out in force again at the front gate of the Kennedy Space Center. At least eight of them were arrested. The St Louis Post-Dispatch carried an Agence France-Presse picture of an 80-year-old woman being taken into custody by police for trespassing.
Jane Brown, of the Florida Coalition for Peace and Justice, announced,
‘This is just ... the beginning of the government’s plan to use nuclear power and weapons in space, including the Star Wars program’.
Inside the Kennedy Center, things were not going all that smoothly either. Late Monday, NASA’s technical experts discovered yet another problem. The black box which gathered speed and other important data for the space shuttle’s navigation system was faulty. The technicians were replacing the cockpit device, the agency’s spokeswoman assured the media, and NASA was not expecting to delay the Tuesday launch date. The countdown would continue uninterrupted. NASA had everything under control.
Everything except the weather.
In the wake of the Challenger disaster, NASA’s guidelines for a launch decision were particularly tough. Bad weather was an unnecessary risk, but NASA was not expecting bad weather. Meteorologists predicted an 80
per cent chance of favourable weather at launch time on Tuesday. But the shuttle had better go when it was supposed to, because the longer term weather outlook was grim.
By Tuesday morning, Galileo’s keepers were holding their breath. The countdown for the shuttle launch was ticking toward 12.57 p.m. The anti-nuclear protesters seemed to have gone quiet. Things looked hopeful. Galileo might finally go.
Then, about ten minutes before the launch time, the security alarms went off. Someone had broken into the compound. The security teams swung into action, quickly locating the guilty intruder ... a feral pig.
With the pig safely removed, the countdown rolled on. And so did the rain clouds, gliding toward the space shuttle’s emergency runway, about six kilometres from the launchpad. NASA launch director Robert Sieck prolonged a planned ‘hold’ at T minus nine minutes. Atlantis had a 26-minute window of opportunity. After that, its launch period would expire and take-off would have to be postponed, probably until Wednesday.
The weather wasn’t going to budge.
At 1.18 p.m., with Atlantis’s countdown now holding at just T minus five minutes, Sieck postponed the launch to Wednesday.
[ ]
Back at the SPAN centre, things were becoming hectic. The worm was spreading through more and more systems and the phones were beginning to ring every few minutes. NASA computers were getting hit all over the place.
The SPAN project staff needed more arms. They were simultaneously trying to calm callers and concentrate on developing an analysis of the alien program. Was the thing a practical joke or a time bomb just waiting to go off? Who was behind this?
NASA was working in an information void when it came to WANK. Some staff knew of the protesters’ action down at the Space Center, but nothing could have prepared them for this. NASA officials were confident enough about a link between the protests against Galileo and the attack on NASA’s computers to speculate publicly that the two were related. It seemed a reasonable likelihood, but there were still plenty of unanswered questions.
Callers coming into the SPAN office were worried. People at the other end of the phone were scared. Many of the calls came from network managers who took care of a piece of SPAN at a specific NASA site, such as the Marshall Space Flight Center. Some were panicking; others spoke in a sort of monotone, flattened by a morning of calls from 25 different hysterical system administrators. A manager could lose his job over something like this.
Most of the callers to the SPAN head office were starved for information. How did this rogue worm get into their computers? Was it malicious? Would it destroy all the scientific data it came into contact with? What could be done to kill it?
NASA stored a great deal of valuable information on its SPAN
computers. None of it was supposed to be classified, but the data on those computers is extremely valuable. Millions of man-hours go into gathering and analysing it. So the crisis team which had formed in the NASA SPAN project office, was alarmed when reports of massive data destruction starting coming in. People were phoning to say that the worm was erasing files.
It was every computer manager’s worst nightmare, and it looked as though the crisis team’s darkest fears were about to be confirmed.
Yet the worm was behaving inconsistently. On some computers it would only send anonymous messages, some of them funny, some bizarre and a few quite rude or obscene. No sooner would a user login than a message would flash across his or her screen:
Remember, even if you win the rat race--you’re still a rat.
Or perhaps they were graced with some bad humour: Nothing is faster than the speed of light...
To prove this to yourself, try opening the refrigerator door before the light comes on.