Approaching Zero, Paul Mungo
and two journalists who were known to Wernery would handle the media. On the
designated day, the journalists told the full story on the evening news; the
next morning it made newspaper headlines around the country.
A few days later the two journalists had a second chance at the story when it
was realized that NASA had still not removed the VAXbusters’ programs (the
“trap” programs) from its two computers at its Washington headquarters. Nor had
it installed the mandatory patches. So another event was staged for German
television audiences. This time, in front of the cameras, Bach and Handel broke
into the two NASA computers in Washington, D.C., and installed the mandatory
patches that DEC had issued four months earlier. It took a matter of minutes in
each case. The hackers had fixed the security flaw that NASA could not be
bothered to fix for itself.
A spokesman for NASA in Washington, D.C., was not impressed. The loophole in
the operating system was not a “security flaw,” he insisted. The information on
the computers was not classified: it was just scientific data, for the use of
scientists. The two computers were, he said, “like a public library.”
The VAXbusters knew differently. With the higher privileges they had been able
to manipulate from the multitude of IDs and passwords they had copied, they had
the authority of the chief librarian in NASA’s library. They had roamed through
the off-limits sections of the shelves; one of the files they had copied was a
fifty-two-page document outlining the security within the entire NASA computer
system.
The story, despite the Americans’ professed indifference, got heavy play.
Steffen found himself on television more than once, explaining the arcana of
hacking and his own role in the VAXbuster saga. Eventually the media interest
waned; and that, Steffen assumed, was that. He was not aware of the Illuminati.
The French were less phlegmatic than the Americans. They had been suffering some
“very serious” hacking incidents that had begun in 1986 and were still
continuing in 1987. The incidents included the theft and destruction of
important programs and data from VAX computers at Philips-France and
SGSThomson—the two French companies targeted by the KGB. Their total losses, they
claimed, reached an astronomical level, some hundreds of millions of dollars.
When the French authorities were told about the VAXbusters they became
convinced that the German hackers were the culprits. The penetration techniques
used on the French VAXen were the same as those described in the August report
made by the German secret service. The same back door and the same sort of
program to collect legitimate user IDs and passwords were used.
At the instigation of the French, Germany’s federal police raided the homes of
a number of known Chaos Computer Club members in Hamburg on September 27th and
28th, impounding their computer equipment. Ironically, the police overlooked
the VAXbusters, who were not Chaos members. To a large extent, Chaos had become
a victim of its own publicity: the police, not aware the VAXbusters were a
separate group, had simply raided the homes of the most notorious hackers in
Germany. It was a case of rounding up the usual suspects—one of whom was
Steffen Wernery, who told them about his own role in the matter and of his
previous cooperation with the secret service. Within four months the police had
completed their investigations. They concluded that Steffen was simply a
“switching center”—a conduit for information—and nothing more. Neither he nor
the other Chaos members were involved in hacking into the French computers.
This information was passed to the French—who didn’t believe it. The methods
used to hack into the French sites were too similar to the techniques employed
by the VAXbusters to be mere coincidence. And even though the gang’s list of
all the VAX computers it had hacked did not include either Philips-France or
SGSThomson, the French authorities remained convinced that the trail from the
two companies led back to Hamburg.
At about the same time, the secret service contacted Hans Gliss about the
incidents in France and asked if he could help. Gliss discussed the matter with
Steffen, and suggested that they both go to Paris for the forthcoming annual
Securicom conference, in March 1988, and present a report on computer
security--particularly VAX security. Securicom was the ideal forum: it attracted the top
computer security specialists in the world. Steffen could tell the delegates
about the back door on the DEC machines and how to fix it.
Steffen acquiesced; he had found the limelight agreeable, and the visit to
Securicom would give him another chance to bask in its glow. He arranged to go
to Paris with a colleague from Chaos. Gliss would drive to Paris from his
holiday home in the south of France.
Steffen also offered to meet representatives of Philips-France, one of the
companies hit by the unknown hackers. Philips agreed, and asked Steffen to
confirm the names so that security passes could be arranged.
Steffen arrived at Paris’s Orly Airport on March 14th. He approached
immigration control and handed his German passport to one of the officers on
duty, a woman. She looked at the photo and his name and hesitated.
“There has been a problem,” she said. “Please wait a moment.” She reappeared a
few minutes later with three men in civilian clothing who claimed to be from
the Brigade Financiere, France’s revenue service. Steffen now suspects that
they were from French Intelligence.
“Where is your friend?” they wanted to know. His friend, the colleague from
Chaos, was coming in later by train. Steffen was immediately concerned: how did
they know about his friend? And why should he tell them where he was? Steffen
was arrested and taken to the police cells.
Under French law an investigating judge can order the detention of a suspect
for twenty-four hours and then for an additional twenty-four
hours if necessary. During that period the suspect is not allowed to make
contact with anyone at all, not even a lawyer. The police began interrogating
Steffen: they asked him about Chaos, about the VAXbusters, and about the two
sites in France. They also went through his belongings and papers, looking at
names and addresses. In his diary they found the Paris contact address for Hans
Gliss.
Gliss had checked into the Pullman St. Jacques Hotel, having driven up from his
house in the Dordogne. When he arrived at the hotel, he found three members of
the “Brigade Financiere” waiting for him. Fortunately for Gliss he was with his
wife, Ursula, who, seeing her husband arrested and escorted away, started
telephoning for help.
Gliss was taken to the police station, and his passport was impounded. The
police began asking him about the Chaos Computer Club. Gliss, whose French is
poor, demanded an interpreter. The police told Gliss they had arrested
Steffen--unnecessarily, as it happens, because Gliss could hear him being questioned in
a nearby cell.
Gliss was interrogated for two and a half hours before his passport was
returned. Half an hour after that he was set free. On his return to the hotel,
Ursula told him she had phoned their friends in Paris, who had contacted the
German police, who in turn had called the secret service. The agency, it was
presumed, had prevailed on the French authorities to release him.
Steffen wasn’t so lucky. He was held in the police cells for two days, under
continuous interrogation. He says he was allowed to sleep for only three to
four hours each day. Steffen told them all he knew, including the fact that a
full list of computers penetrated by the VAXbusters had been presented to the
German authorities and didn’t include the two French sites. He also insisted
that all Chaos members had stopped hacking.
While Steffen was being interrogated, Gliss told the five hundred delegates at
Securicom of his experience and of Steffen’s incarceration. He also read
Steffen’s paper, which had been written to help the French improve their
computer security. Later he contacted the German authorities on Steffen’s
behalf, but they were powerless to intervene: the French were holding Steffen
as an “accessory” to the break-ins at Philips-France and SGSThomson.
Three times Steffen was brought before a judge, and each time he was remanded
in custody for further questioning. The German foreign office discreetly
pressured the French government over the case, until finally Steffen’s dossier
reached the desk of the French president.
Mitterrand presumably had enough problems: he ordered the German hacker’s
release. On May 20th, at five minutes past midnight, Steffen was driven to the
airport and unceremoniously bundled aboard the night plane to Hamburg. He had
spent over two months in a French jail.
While Steffen was incarcerated in Paris, the real culprits remained in Germany,
safely beyond French jurisdiction.
Despite the French authorities’ suspicions about Chaos and the VAXbusters,
despite the raids in Hamburg, it was in reality the Soviet hacker gang—
ensconced in Hannover and Berlin—who had penetrated the sites at
Philips-France and SGSThomson. They were looking for information on megachip
research, just as the KGB had requested. Surprisingly, in view of the
importance the French authorities attached to the sites, Pengo remembers them
as simple systems to get around in once they had been breached.
Koch and Pengo had penetrated the security at Philips-France and SGSThomson
using the back door and the trap program they had learned about from Weihruch,
the Karlsruhe student. It was understandable that the French would blame the
VAXbusters: both teams had used the same techniques, having learned them from
the same source.
Koch and Pengo had downloaded data from the two French
companies, and supposedly passed a computer tape to the KGB in East Berlin.
Without revealing exactly what was on the tape, Pengo has suggested that it
might have contained details of a design program for advanced microprocessors.
But although the hackers were able to pass on the French material to their
Soviet paymasters, the KGB was again demanding more. By the end of 1987 they
wanted information on Western military computer networks, including the
operating specifications of the interconnected machines. It appeared that the
KGB wanted to infiltrate the military systems.
However, the pressure was beginning to tell on Pengo and Koch, and the two had
other things on their minds. They were frightened by the arrests of the Chaos
members in Hamburg; they felt that it wouldn’t be long before the police
stumbled over their own operation. And they had also heard about Steffen’s
interrogation in Paris, which meant that the French were also chasing them.
In the summer of 1988 both Pengo and Koch independently approached the
authorities, hoping to take advantage of an amnesty provision in German
espionage legislation. This provision guaranteed lenient treatment to those who
had not previously been under suspicion and now confessed, provided they
cooperated fully. The two confessed to espionage, the only offense covered by
the amnesty. Paradoxically, confessing to any lesser offense could have
resulted in a severer penalty.
Both were interrogated regularly and at length by the authorities. By early
1989 the Germans felt that they had enough evidence to support a case against
the other members of the Soviet hacker gang. On March 2nd, eighteen people were
interrogated and eight arrested. The latter included Hess, Pengo, and Koch, as
well as Dirk Brescinsky and Peter Kahl. The others were local hackers caught up
in the wide-ranging investigation. All the hackers were released after a few
days; Kahl and Brescinsky were dispatched to a high-security prison in
Karlsruhe. Pengo and Koch could expect to escape prosecution due to their
earlier confessions under the amnesty.
Just two months after his arrest Karl Koch would be found dead, his burned body
lying in a wood