Approaching Zero, Paul Mungo
- Author: Paul Mungo
It is likely, though, that had the NSA been involved in the VAX scheme, it
would have chosen a more devious means of access. Whoever put the back door in,
and for whatever purpose, it was probably not intended for German hackers. But
by 1986, when Koch and Pengo were trawling for information about VAX, the
secret of the back door had traveled across the Atlantic and had become known
by a small group of hackers in Germany. Bach and Handel, the two students who
broke into the SCICON company’s VAX, are generally thought to have been among
the first to exploit the trick. It was later discovered that their mentor was a
student at Karlsruhe University named Steffen Weihruch.
That same year, Karl Koch made contact with Weihruch as well. He had managed to
track down the VAX wizard to Karlsruhe and had prevailed on him to tell him his
technique. It wasn’t difficult: Weihruch was known to be obliging and was rather
pleased that his discovery was useful.
Weihruch had also perfected a “tool” to make hacking VAXen even easier. The
problem with the back door was that it didn’t entirely bypass all security
checks: a would-be hacker still had to contend with the security log, which
collated the IDs of all users as they entered the system. It was this log—which
was kept on a computer file and could be examined by the system operator—that
had alerted SCICON to Bach and Handel. A hacker coming in the back door would be
conspicuous because the ID and password used—the ones entered in the log—could
be any combination of random characters; they wouldn’t necessarily be a real ID
and password, and their inclusion in the log was a clear sign of an intrusion.
The solution was to capture the identity of legitimate users, especially ones
with high privileges. Then hackers could roam through the system secretly,
masquerading as authorized users.
To this end Weihruch had developed a special tool to capture IDs and passwords
as they were entered. This tool—in reality, a program—replaced the real entry
screen with a phony, a complete replica that was indistinguishable to a user.
On seeing the screen, the unsuspecting user would enter his ID in the normal
way, followed by his password. The program captured that information, saving it
on a secret file. Then, because it wasn’t able to allow entry, the phony screen
displayed the message INVALID—PLEASE REENTER. The user would think he had
simply miskeyed his password. For his next attempt, the user would be presented
with the proper screen; if all was in order, he would be able to gain access.
The hacker could then pick up the secret file, containing all the IDs and
passwords that it had collected, on his next visit. It was like using traps to
catch rabbits, except that the rabbit felt no pain. The program had automated
hacking, and with legitimate IDs and the backdoor entry system, hacking became
simply a matter of finding VAX computers, going in through the back door,
leaving the trap program to function until it had captured some legitimate
identities, then taking the real IDs and passwords from the file.
With the back door and the trap program, Pengo and Koch were able to supply the
Soviets with better material. Koch passed Kahl computer log-ins and passwords
to military systems. In return, Kahl passed back money.
But despite the success with VMS, the KGB was upping the ante again. The
Soviets wanted Koch and Pengo to hack into computers that used the UNIX
operating system. UNIX was becoming increasingly popular because it could be
used on a wide range of computers; many VAX users preferred UNIX to DEC’s VMS,
much to the computer giant’s chagrin.
However, neither Koch nor Pengo knew anything about UNIX; they needed to
recruit yet another hacker to their team. Once again, Kahl and Koch made the
rounds of various hacker meets and soon found Marcus Hess, who at the time was
working for a specialist UNIX systems company in Hannover. He was an ideal
choice: local, experienced, and with an addiction almost as potent as drugs—he
loved fast sports cars.
Now they were three. Hess soon became invaluable; shortly after becoming a
member, he was able to download a copy of the UNIX source code. Kahl took it to
the Soviets, who seemed impressed; they paid Kahl DM25,000, about $16,000, the
most he had ever received from them.
Hess soon discovered that many American computer users were relaxed about
security. Indeed, if their computers contained nothing secret or classified,
some U.S. sites actually tolerated an occasional visiting hacker; sometimes
system operators would even have time for a chat. In America, the nucleus of
the mythical Worldnet, the concept of the “Global Village,” where everybody
would be friendly neighbors, courtesy of the computer networks, was born. It
was easy to forget that computers, which themselves don’t contain classified
information, can provide entry points to a network with more interesting
machines—and that was what Hess was looking for.
He soon found a particularly hospitable computer in California, which contained
no classified material but did provide a convenient launching pad to other
systems. For the cost of a domestic phone call, Hess could hack into the
University of Bremen, where computer security was slack, hop across the
Atlantic by satellite at the university’s expense, and due to the hospitality
of the computers at Lawrence Berkeley Laboratories, at the University of
California in Berkeley, travel to other sites.
Some system operators tolerate hackers, some threaten them, but most don’t even
know they’ve got them. Very few actually chase them: it’s a very time-consuming
and generally unrewarding task.
Clifford Stoll, the system administration manager at Lawrence Berkeley
Laboratories, detected the activities of Hess in August 1986, after
investigating a seventy-five-cent discrepancy in the accounting records of the
lab’s computers. (The seventy-five cent fee couldn’t be attributed to an
authorized user, so the charge had to have been run up by an outsider.) Other
system operators might not have bothered, but Stoll was an astronomer by
vocation and was only filling in time until grant money could be found to allow him
to pursue his chosen career. To Stoll, chasing a hacker seemed exciting.
Once he had detected Hess, he was faced with the classic dilemma: should he
lock him out or watch him? If he were to lock him out, there was a chance that
he might sneak in some other way and not be noticed; it was also likely that he
might penetrate some other system. Stoll decided to keep a watch, setting up an
intricate alarm system that would tip him off whenever the hacker appeared. On
some occasions, he even slept at the lab. His principal intruder was Hess, whom
he knew only through his various aliases—but he also noted the presence of
both Pengo and Hagbard (Koch) on other occasions. These two, with their
interest in the VAXen that used VMS, would not be a major source of worry for
Stoll on his UNIX site.
It eventually became obvious that Lawrence Berkeley had nothing to interest
Hess; it was just a convenient jumping-off place. Stoll tried to make things
look a bit more exciting and concocted a “secret” file as bait, and the hacker
gobbled it up.
Stoll subsequently recounted his experiences in an academic paper (“Stalking
the Wily Hacker,” 1988) and a best-selling book, The Cuckoo’s Egg (1989). He
would record the heavy artillery that was eventually wheeled out to deal with
his German hackers: the FBI, the CIA and, the superspooks themselves, the
National Security Agency.
The reaction of the various agencies at first ranged from apathy to annoyance.
Stoll was hard-pressed to interest the authorities at all: losses in hacking
incidents are generally estimated in nice large numbers, and chasing
seventy-five cents seemed like a joke. But he persisted, and eventually the
authorities became nervous and mounted an operation to catch the intruder.
Finding him was a matter of tracing his calls back to their source. However,
the calls were routed through several different computer networks, a practice
known as network weaving, so that each time the authorities traced the calls
back, they realized they had farther to go—from one network to another, across
the country, and across the Atlantic.
Slowly, the calls were traced back to Germany, down to the University of
Bremen, across to Hannover, and eventually to Marcus Hess’s address. Under
pressure from the Americans, the German authorities arrested and questioned
Hess in June 1987. The Germans had little to go on—the loss of seventy-five
cents didn’t appear to be an extraditable offense—but they decided to tap his
phone just in case.
But while the police were watching Hess, the Illuminati were moving in on
Steffen Wernery.
The saga began when Bach and Handel, the two student hackers who broke into
the SCICON computer, decided to set up a hacker gang known as the VAXbusters.
The team used the backdoor technique to get into VAX computers throughout
Europe and North America. They traveled on SPAN, NASA’s Space Physics
Analysis Network, which links computers involved in physics research around the
world. From the ever-obliging Steffen Weihruch they were also able to get a
copy of the “trap” program, giving them legitimate identities on the systems
they hacked.
For ten months the team wandered through VAX sites with impunity. Unlike Koch
and Pengo, the VAXbusters weren’t spying, nor were they interested in damaging
hacked computers. They were just tourists, browsing through the network,
looking for sites of interest.
Despite their precautions and their benign intent, no hack is entirely
undetectable. In July 1987 the curtain came down on the VAXbusters. Roy Omond,
the particularly diligent manager of a VAX system in Heidelberg, discovered
from a routine scrutiny of his security logs that he had been hacked. Even
though the hackers had been using legitimate IDs, Omond guessed from the
nocturnal timings that many of the entries in his visitors’ book had not been
posted by authorized users. Furious, he mounted his own investigation, and by
sounding out various people he believed might be in contact with the hackers,
he discovered the real names of Bach and Handel. He immediately posted an
electronic message to all other users on SPAN, and named the two students
involved.
Bach and Handel panicked. They assumed they would be prosecuted by the German
authorities and called Steffen at Chaos for advice; Steffen called Hans
Gliss, who in turn contacted the Verfassungsschutz, the German secret service.
The agency said it would be interested in talking to the two hackers.
Prior to meeting the agents, Bach and Handel prepared a report, dated August
17, 1987, detailing all the installations that had been penetrated by the
VAXbusters. The list comprised 135 sites in total, all on SPAN, and included
nineteen installations at NASA, including two VAX sites at their headquarters
in Washington, D.C., six at the Goddard Space Flight Center, and ten at the
Marshall Space Flight Center. It also included a large number of systems at
CERN in Switzerland, and others at the European Space Agency in the
Netherlands, the Meudon Observatory and the Institut d’Astrophysique in Paris,
and various Max Planck Institute sites in Germany.
There was a full exchange of information at the meeting, and in return for Bach
and Handel’s cooperation, the authorities declined to prosecute. The secret
service then contacted the CIA in Bonn, as well as NASA, DEC, and other groups
that the agency felt should be informed.
In the hope of defusing the situation for the VAXbusters, it was decided that
their story should be released to the press on September 15th. The delay, it
was thought, would give all the affected sites enough time to repair their
defenses. Gliss would cover