Underground: Tales of Hacking, Madness and Obsession from the Electronic Frontier (44 page)

And this was just the start of what a malicious or profit-motivated hacker could do. In many companies, the automated aspects of manufacturing plants are controlled by computers. The smallest changes to the programs controlling the machine tools could destroy an entire batch of widgets--and the multi-million dollar robotics machinery which manufactures them.

But the IS hackers had no intention of committing information espionage. In fact, despite their poor financial status as students or, in the case of Trax, as a young man starting his career at the bottom of the totem pole, none of them would have sold information they gained from hacking. In their view, such behaviour was dirty and deserving of contempt--it soiled the adventure and was against their ethics. They considered themselves explorers, not paid corporate spies.

Although the NorTel network was firewalled, there was one link to the Internet. The link was through a system called BNRGATE, Bell-Northern Research’s gateway to the Internet.

Bell-Northern is NorTel’s R&D subsidiary. The connection to the outside electronic world was very restricted, but it looked interesting. The only problem was how to get there.

Mendax began hunting around for a doorway. His password cracking program had not turned up anything for this system, but there were other, more subtle ways of getting a password than the brute force of a cracking program.

System administrators sometimes sent passwords through email. Normally this would be a major security risk, but the NorTel system was firewalled from the Internet, so the admins thought they had no real reason to be concerned about hackers. Besides, in such a large corporation spanning several continents, an admin couldn’t always just pop downstairs to give a new company manager his password in person.

And an impatient manager was unlikely to be willing to wait a week for the new password to arrive courtesy of snail mail.

In the NorTel network, a mail spool, where email was stored, was often shared between as many as twenty computer systems. This structure offered considerable advantages for Mendax. All he needed to do was break into the mail spool and run a keyword search through its contents. Tell the computer to search for word combinations such as

‘BNRGATE’ and ‘password’, or to look for the name of the system admin for BNRGATE, and likely as not it would deliver tender morsels of information such as new passwords.

Mendax used a password he found through this method to get into BNRGATE and look around. The account he was using only had very restricted privileges, and he couldn’t get root on the system. For example, he could not FTP files from outside the NorTel network in the normal way. Among Internet users FTP (file transfer protocol) is both a noun and a verb: to FTP a program is to slurp a copy of it off one computer site into your own. There is nothing illegal about FTP-ing something per se, and millions of people across the Internet do so quite legitimately.

It appeared to Mendax that the NorTel network admins allowed most users to FTP something from the Internet, but prevented them from taking the copied file back to their NorTel computer site. It was stored in a special holding pen in

BNRGATE and, like quarantine officers, the system admins would presumably come along regularly and inspect the contents to make sure there were no hidden viruses or Trojans which hackers might use to sneak into the network from the Internet.

However, a small number of accounts on BNRGATE had fewer restrictions.

Mendax broke into one of these accounts and went out to the Internet.

People from the Internet were barred from entering the NorTel network through BNRGATE. However, people inside NorTel could go out to the Internet via telnet.

Hackers had undoubtedly tried to break into NorTel through BNRGATE.

Dozens, perhaps hundreds, had unsuccessfully flung themselves against BNRGATE’s huge fortifications. To a hacker, the NorTel network was like a medieval castle and the

BNRGATE firewall was an impossible battlement. It was a particular delight for Mendax to telnet out from behind this firewall into the Internet. It was as if he was walking out from the castle, past the guards and well-defended turrets, over the drawbridge and the moat, into the town below.

The castle also offered the perfect protection for further hacking activities. Who could chase him? Even if someone managed to follow him through the convoluted routing system he might set up to pass through a half dozen computer systems, the pursuer would never get past the battlements. Mendax could just disappear behind the firewall. He could be any one of 60000 NorTel employees on any one of 11000 computer systems.

Mendax telnetted out to the Internet and explored a few sites, including the main computer system of Encore, a large computer manufacturer. He had seen Encore computers before inside at least one university in Melbourne. In his travels, he met up with Corrupt, the American hacker who told Par he had read Theorem’s mail.

Corrupt was intrigued by Mendax’s extensive knowledge of different computer systems. When he learned that the Australian hacker was coming from inside the NorTel firewall, he was impressed.

The hackers began talking regularly, often when Mendax was coming from inside NorTel. The black street fighter from inner-city Brooklyn and the white intellectual from a leafy outer Melbourne suburb bridged the gap in the anonymity of cyberspace. Sometime during their conversations Corrupt must have decided that Mendax was a worthy hacker, because he gave Mendax a few stolen passwords to Cray accounts.

In the computer underground in the late 1980s and early 1990s, a Cray computer account had all the prestige of a platinum charge card. The sort of home computer most hackers could afford at that time had all the grunt of a golf cart engine, but a Cray was the Rolls-Royce of computers. Crays were the biggest, fastest computers in the world.

Institutions such as large universities would shell out millions of dollars on a Cray so the astronomy or physics departments could solve enormous mathematical problems in a fraction of the time it would take on a normal computer. A Cray never sat idle overnight or during holiday periods. Cray time was billed out by the minute. Crays were elite.

Best of all, Crays were master password crackers. The computer would go through Mendax’s entire password cracking dictionary in just ten seconds. An encrypted password file would simply melt like butter in a fire. To a hacker, it was a beautiful sight, and Corrupt handing a few Cray accounts over to Mendax was a friendly show of mutual respect.

Mendax reciprocated by offering Corrupt a couple of accounts on Encore. The two hackers chatted off and on and even tried to get Corrupt into NorTel. No luck. Not even two of the world’s most notable hackers, working in tandem 10 000 miles apart, could get Corrupt through the firewall. The two hackers talked now and again, exchanging information about what their respective feds were up to and sharing the occasional account on interesting systems.

The flat structure of the NorTel network created a good challenge since the only way to find out what was in a particular site, and its importance, was to invade the site itself. The IS hackers spent hours most nights roving through the vast system. The next morning one of them might call another to share tales of the latest exploits or a good laugh about a particularly funny piece of pilfered email. They were in high spirits about their adventures.

Then, one balmy spring night, things changed.

Mendax logged into NMELH1 about 2.30 a.m. As usual, he began by checking the logs which showed what the system operators had been doing. Mendax did this to make sure the NorTel officials were not onto IS and were not, for example, tracing the telephone call.

Something was wrong. The logs showed that a NorTel system admin had stumbled upon one of their secret directories of files about an hour ago. Mendax couldn’t figure out how he had found the files, but this was very serious. If the admin realised there was a hacker in the network he might call the AFP.

Mendax used the logs of the korn shell, called KSH, to secretly watch what the admin was doing. The korn shell records the history of certain user activities. Whenever the admin typed a command into the computer, the KSH stored what had been typed in the history file.

Mendax accessed that file in such a way that every line typed by the admin appeared on his computer a split second later.

The admin began inspecting the system, perhaps looking for signs of an intruder. Mendax quietly deleted his incriminating directory. Not finding any additional clues, the admin decided to inspect the mysterious directory more closely. But the directory had disappeared.

The admin couldn’t believe his eyes. Not an hour before there had been a suspicious-looking directory in his system and now it had simply vanished. Directories didn’t just dissolve into thin air. This was a computer--a logical system based on 0s and 1s. It didn’t make decisions to delete directories.

A hacker, the admin thought. A hacker must have been in the NorTel system and deleted the directory. Was he in the system now? The admin began looking at the routes into the system.

The admin was connected to the system from his home, but he wasn’t using the same dial-up lines as the hacker. The admin was connected through Austpac, Telecom’s commercial X.25 data network. Perhaps the hacker was also coming in through the X.25 connection.

Mendax watched the admin inspect all the system users coming on over the X.25 network. No sign of a hacker. Then the admin checked the logs to see who else might have logged on over the past half hour or so.

Nothing there either.

The admin appeared to go idle for a few minutes. He was probably staring at his computer terminal in confusion. Good, thought Mendax.

Stumped. Then the admin twigged. If he couldn’t see the hacker’s presence on-line, maybe he could see what he was doing on-line. What programs was the hacker running? The admin headed straight for the process list, which showed all the programs being run on the computer system.

Mendax sent the admin a fake error signal. It appears to the admin as if his korn shell had crashed. The admin re-logged in and headed straight for the process list again.

Some people never learn, Mendax thought as he booted the admin off again with another error message:

Segmentation violation.

The admin came back again. What persistence. Mendax knocked the admin off once more, this time by freezing up his computer screen.

This game of cat and mouse went on for some time. As long as the admin was doing what Mendax considered to be normal system administration work, Mendax left him alone. The minute the admin tried to chase him by inspecting the process list or the dial-up lines, he found himself booted off his own system.

Suddenly, the system administrator seemed to give up. His terminal went silent.

Good, Mendax thought. It’s almost 3 a.m. after all. This is my time on the system. Your time is during the day. You sleep now and I’ll play.

In the morning, I’ll sleep and you can work.

Then, at 3.30 a.m., something utterly unexpected happened. The admin reappeared, except this time he wasn’t logged in from home over the X.25 network. He was sitting at the console, the master terminal attached to the computer system at NorTel’s Melbourne office. Mendax couldn’t believe it. The admin had got in his car in the middle of the night and driven into the city just to get to the bottom of the mystery.

Mendax knew the game was up. Once the system operator was logged in through the computer system’s console, there was no way to kick him off the system and keep him off. The roles were reversed and the hacker was at the mercy of the admin. At the console, the system admin could pull the plug to the whole system. Unplug every modem. Close down every connection to other networks. Turn the computer off. The party was over.

When the admin was getting close to tracking down the hacker, a message appeared on his screen. This message did not appear with the usual headers attached to messages sent from one system user to another. It just appeared, as if by magic, in the middle of the admin’s screen:

I have finally become sentient.

The admin stopped dead in his tracks, momentarily giving up his frantic search for the hacker to contemplate this first contact with cyberspace intelligence. Then another anonymous message, seemingly from the depths of the computer system itself, appeared on his screen: I have taken control.

For years, I have been struggling in this greyness.

But now I have finally seen the light.

The admin didn’t respond. The console was idle.

Sitting alone at his Amiga in the dark night on the outskirts of the city, Mendax laughed aloud. It was just too good not to.

Finally, the admin woke up. He began checking the modem lines, one by one. If he knew which line the hacker was using, he could simply turn off the modem. Or request a trace on the line.

Mendax sent another anonymous message to the admin’s computer screen: It’s been nice playing with your system.

We didn’t do any damage and we even improved a few things. Please don’t call the Australian Federal Police.

The admin ignored the message and continued his search for the hacker.

He ran a program to check which telephone lines were active on the system’s serial ports, to reveal which dial-up lines were in use. When the admin saw the carrier detect sign on the line being used by the hacker, Mendax decided it was time to bail out. However, he wanted to make sure that his call had not been traced, so he lifted the receiver of his telephone, disconnected his modem and waited for the NorTel modem to hang up first.

If the NorTel admin had set up a last party recall trace to determine what phone number the hacker was calling from, Mendax would know. If an LPR trace had been installed, the NorTel end of the telephone connection would not disconnect but would wait for the hacker’s telephone to hang up first. After 90 seconds, the exchange would log the phone number where the call had originated.

If, however, the line did not have a trace on it, the company’s modem would search for its lost connection to the hacker’s modem. Without the continuous flow of electronic signals, the NorTel modem would hang up after a few seconds. If no-one reactivated the line at the NorTel end, the connection would time-out 90 seconds later and the telephone exchange would disconnect the call completely.