mother quickly slipped into a back lane and the friend leapt from the
car. She drove off, taking the police tail with her.
The plain-clothed police pulled her over shortly after, searched her
car and demanded to know where her friend had gone and what had
occurred at the meeting. When she was less than helpful, one officer
told her, `You have a child out at 2 in the morning. I think you
should get out of politics, lady. It could be said you were an unfit
mother'.
A few days after this thinly veiled threat, her friend showed up at
Mendax's mother's house, covered in fading bruises. He said the police
had beaten him up, then set him up by planting hash on him. `I'm
getting out of politics,' he announced.
However, she and her husband continued their involvement in theatre.
The young Mendax never dreamed of running away to join the circus--he
already lived the life of a travelling minstrel. But although the
actor-director was a good stepfather, he was also an alcoholic. Not
long after Mendax's ninth birthday, his parents separated and then
divorced.
Mendax's mother then entered a tempestuous relationship with an
amateur musician. Mendax was frightened of the man, whom he considered
a manipulative and violent psychopath. He had five different
identities with plastic in his wallet to match. His whole background
was a fabrication, right down to the country of his birth. When the
relationship ended, the steady pattern of moving around the
countryside began again, but this journey had a very different flavour
from the earlier happy-go-lucky odyssey. This time, Mendax and his
family were on the run from a physically abusive de facto. Finally,
after hiding under assumed names on both sides of the continent,
Mendax and his family settled on the outskirts of Melbourne.
Mendax left home at seventeen because he had received a tip-off about
an impending raid. Mendax wiped his disks, burnt his print-outs and
left. A week later, the Victorian CIB turned up and searched his room,
but found nothing. He married his girlfriend, an intelligent but
introverted and emotionally disturbed sixteen-year-old he had met
through a mutual friend in a gifted children's program. A year later
they had a child.
Mendax made many of his friends through the computer community. He
found Trax easy to talk to and they often spent up to five hours on a
single phone call. Prime Suspect, on the other hand, was hard work on
the phone.
Quiet and introverted, Prime Suspect always seemed to run out of
conversation after five minutes. Mendax was himself naturally shy, so
their talks were often filled with long silences. It wasn't that
Mendax didn't like Prime Suspect, he did. By the time the three
hackers met in person at Trax's home in mid-1991, he considered Prime
Suspect more than just a fellow hacker in the tight-knit IS circle.
Mendax considered him a friend.
Prime Suspect was a boy of veneers. To most of the world, he appeared
to be a studious year 12 student bound for university from his upper
middle-class grammar school. The all-boys school never expected less
from its students and the possibility of attending a TAFE--a
vocational college--was never discussed as an option. University was
the object. Any student who failed to make it was quietly swept under
the carpet like some sort of distasteful food dropping.
Prime Suspect's own family situation did not mirror the veneer of
respectability portrayed by his school. His father, a pharmacist, and
his mother, a nurse, had been in the midst of an acrimonious divorce
battle when his father was diagnosed with terminal cancer. In this
bitter, antagonistic environment, the eight-year-old Prime Suspect was
delivered to his father's bedside in hospice for a rushed few moments
to bid him farewell.
Through much of his childhood and adolescence, Prime Suspect's mother
remained bitter and angry about life, and particularly her
impoverished financial situation. When he was eight, Prime Suspect's
older sister left home at sixteen, moved to Perth and refused to speak
to her mother. In some ways, Prime Suspect felt he was expected be
both child and de facto parent. All of which made him grow up faster
in some ways, but remain immature in others.
Prime Suspect responded to the anger around him by retreating into his
room. When he bought his first computer, an Apple IIe, at age thirteen
he found it better company than any of his relatives. The computers at
school didn't hold much interest for him, since they weren't connected
to the outside world via modem. After reading about BBSes in the Apple
Users' Society newsletter, he saved up for his own modem and soon
began connecting into various BBSes.
School did, however, provide the opportunity to rebel, albeit
anonymously, and he conducted extensive pranking campaigns. Few
teachers suspected the quiet, clean-cut boy and he was rarely caught.
Nature had endowed Prime Suspect with the face of utter innocence.
Tall and slender with brown curly hair, his true character only showed
in the elfish grin which sometimes passed briefly across his baby
face. Teachers told his mother he was underachieving compared to his
level of intelligence, but had few complaints otherwise.
By year 10, he had become a serious hacker and was spending every
available moment at his computer. Sometimes he skipped school, and he
often handed assignments in late. He found it difficult to come up
with ever more creative excuses and sometimes he imagined telling his
teachers the truth. `Sorry I didn't get that 2000-word paper done but
I was knee-deep in NASA networks last night.' The thought made him
laugh.
He saw girls as a unwanted distraction from hacking. Sometimes, after
he chatted with a girl at a party, his friends would later ask him why
he hadn't asked her out. Prime Suspect shrugged it off. The real
reason was that he would rather get home to his computer, but he never
discussed his hacking with anyone at school, not even with Mentat.
A friend of Force's and occasional visitor to The Realm, Mentat was
two years ahead of Prime Suspect at school and in general couldn't be
bothered talking to so junior a hacker as Prime Suspect. The younger
hacker didn't mind. He had witnessed other hackers' indiscretions,
wanted no part of them and was happy to keep his hacking life private.
Before the Realm bust, Phoenix rang him up once at 2 a.m. suggesting
that he and Nom come over there and then. Woken by the call, Prime
Suspect's mother stood in the doorway to his bedroom, remonstrating
with him for letting his `friends' call at such a late hour. With
Phoenix goading him in one ear, and his mother chewing him out in the
other, Prime Suspect decided the whole thing was a bad idea. He said
no thanks to Phoenix, and shut the door on his mother.
He did, however, talk to Powerspike on the phone once in a while. The
older hacker's highly irreverent attitude and Porky Pig laugh appealed
to him. But other than those brief talks, Prime Suspect avoided
talking on the phone to people outside the International Subversives,
especially when he and Mendax moved into ever more sensitive military
computers.
Using a program called Sycophant written by Mendax, the IS hackers had
been conducting massive attacks on the US military. They divided up
Sycophant on eight attack machines, often choosing university systems
at places like the Australian National University or the University of
Texas. They pointed the eight machines at the targets and fired.
Within six hours, the eight machines had assaulted thousands of
computers. The hackers sometimes reaped 100000 accounts each night.
Using Sycophant, they essentially forced a cluster of Unix machines in
a computer network to attack the entire Internet en masse.
And that was just the start of what they were into. They had been in
so many sites they often couldn't remember if they
had actually hacked a particular computer. The places they could
recall read like a Who's Who of the American military-industrial
complex. The US Airforce 7th Command Group Headquarters in the
Pentagon. Stanford Research Institute in California. Naval Surface
Warfare Center in Virginia. Lockheed Martin's Tactical Aircraft
Systems Air Force Plant in Texas. Unisys Corporation in Blue Bell,
Pennsylvania. Goddard Space Flight Center, NASA. Motorola Inc. in
Illinois. TRW Inc. in Redondo Beach, California. Alcoa in Pittsburgh.
Panasonic Corp in New Jersey. US Naval Undersea Warfare Engineering
Station. Siemens-Nixdorf Information Systems in Massachusetts.
Securities Industry Automation Corp in New York. Lawrence Livermore
National Laboratory in California. Bell Communications Research, New
Jersey. Xerox Palo Alto Research Center, California.
As the IS hackers reached a level of sophistication beyond anything
The Realm had achieved, they realised that progress carried
considerable risk and began to withdraw completely from the broader
Australian hacking community. Soon they had drawn a tight circle
around themselves. They talked only to each other.
Watching the Realm hackers go down hadn't deterred the next generation
of hackers. It had only driven them further underground.
In the spring of 1991, Prime Suspect and Mendax began a race to get
root on the US Department of Defense's Network Information Center
(NIC) computer--potentially the most important computer on the
Internet.
As both hackers chatted amiably on-line one night, on a Melbourne
University computer, Prime Suspect worked quietly in another screen to
penetrate ns.nic.ddn.mil, a US Department of Defense system closely
linked to NIC. He believed the sister system and NIC might `trust'
each other--a trust he could exploit to get into NIC. And NIC did
everything.
NIC assigned domain names--the `.com' or `.net' at the end of an email
address--for the entire Internet. NIC also controlled the US
military's own internal defence data network, known as MILNET.
NIC also published the communication protocol standards for all of the
Internet. Called RFCs (Request for Comments), these technical
specifications allowed one computer on the Internet to talk to
another. The Defense Data Network Security Bulletins, the US
Department of Defense's equivalent of CERT advisories, came from the
NIC machine.
Perhaps most importantly, NIC controlled the reverse look-up service
on the Internet. Whenever someone connects to another site across the
Internet, he or she typically types in the site name--say,
ariel.unimelb.edu.au at the University of Melbourne. The computer then
translates the alphabetical name into a numerical address--the IP
address--in this case 128.250.20.3. All the computers on the Internet
need this IP address to relay the packets of data onto the final
destination computer. NIC decided how Internet computers would
translate the alphabetical name into an IP address, and vice versa.
If you controlled NIC, you had phenomenal power on the Internet. You
could, for example, simply make Australia disappear. Or you could turn
it into Brazil. By pointing all Internet addresses ending in
`.au'--the designation for sites in Australia--to Brazil, you could
cut Australia's part of the Internet off from the rest of the world
and send all Australian Internet traffic to Brazil. In fact, by
changing the delegation of all the domain names, you could virtually
stop the flow of information between all the countries on the
Internet.
The only way someone could circumvent this power was by typing in the
full numerical IP address instead of a proper alphabetical address.
But few people knew the up-to-twelve-digit IP equivalent of their
alphabetical addresses, and fewer still actually used them.
Controlling NIC offered other benefits as well. Control NIC, and you
owned a virtual pass-key into any computer on the Internet which
`trusted' another. And most machines trust at least one other system.
Whenever one computer connects to another across the Net, both
machines go through a special meet-and-greet process. The receiving
computer looks over the first machine and asks itself
a few questions. What's the name of the incoming machine?
Is that name allowed to connect to me? In what ways am I
programmed to `trust' that machine--to wave my normal security for
connections from that system?
The receiving computer answers these questions based in large part on
information provided by NIC. All of which means that, by controlling
NIC, you could make any computer on the Net `pose' as a machine
trusted by a computer you might want to hack. Security often depended
on a computer's name, and NIC effectively controlled that name.
When Prime Suspect managed to get inside NIC's sister system, he told
Mendax and gave him access to the computer. Each hacker then began his
own attack on NIC. When Mendax finally got root on NIC, the power was
intoxicating. Prime Suspect got root at the same time but using a
different method. They were both in.
Inside NIC, Mendax began by inserting a backdoor--a method of getting
back into the computer at a later date in case an admin repaired the
security flaws the hackers had used to get into the machine. From now
on, if he telnetted into the system's Data Defense Network (DDN)
information server and typed `login 0' he would have instant,
invisible root access to NIC.
That step completed, he looked around for interesting things to read.
One file held what appeared to be a list of satellite and microwave
dish coordinates--longitude, latitudes, transponder frequencies. Such
coordinates might in theory allow someone to build a complete map of
communications devices which were used to move the DOD's computer data
around the world.
Mendax also penetrated MILNET's Security Coordination Center, which
collected reports on every possible security incident on a MILNET
computer. Those computers--largely TOPS-20s made by DEC--contained
good automatic security programs. Any number of out-of-the-ordinary
events would trigger an automatic security report. Someone logging
into a machine for too long. A large number of failed login attempts,
suggesting password guessing. Two people logging into the same account
at the same time. Alarm bells would go off and the local computer
would immediately send a security violation report to the MILNET
security centre, where it would be added to the `hot list'.
Mendax flipped through page after page of MILNET's security reports on
his screen. Most looked like nothing--MILNET users accidentally
stumbling over a security tripwire--but one notice from a US military
site in Germany stood out. It was not computer generated. This was
from a real human being. The system admin reported that someone had
been repeatedly trying to break into his or her machine, and had
eventually managed to get in. The admin was trying, without much luck,
to trace back the intruder's connection to its point of origin. Oddly,
it appeared to originate in another MILNET system.
Riffling through other files, Mendax found mail confirming that the
attack had indeed come from inside MILNET. His eyes grew wide as he
read on. US military hackers had broken into MILNET systems, using
them for target practice, and no-one had bothered to tell the system
admin at the target site.
Mendax couldn't believe it. The US military was hacking its own
computers. This discovery led to another, more disturbing, thought. If
the US military was hacking its own computers for practice, what was
it doing to other countries' computers?
As he quietly backed out of the system, wiping away his footprints as
he tip-toed away, Mendax thought about what he had seen. He was deeply
disturbed that any hacker would work for the US military.
Hackers, he thought, should be anarchists, not hawks.
In early October 1991, Mendax rang Trax and gave him the dial-up and
account details for NMELH1.
Trax wasn't much of a hacker, but Mendax admired his phreaking
talents. Trax was the father of phreaking in Australia and Trax's
Toolbox, his guide to the art of phreaking, was
legendary. Mendax thought Trax might find some interesting detailed
information inside the NorTel network on how to
control telephone switches.
Trax invented multi-frequency code phreaking. By sending special
tones--generated by his computer program--down the phone line, he
could control certain functions in the telephone exchange. Many
hackers had learned how to make free phone calls by charging the cost
to someone else or to calling cards, but Trax discovered how to make
phone calls which weren't charged to anyone. The calls weren't just
free; they were untraceable.
Trax wrote 48 pages on his discovery and called it The Australian
Phreakers Manual Volumes 1-7. But as he added more and more to the
manual, he became worried what would happen if he released it in the
underground, so he decided he would only show it to the other two
International Subversive hackers.
He went on to publish The Advanced Phreaker's Manual,2 a second
edition of the manual, in The International Subversive, the
underground magazine edited by Mendax:
An electronic magazine, The International Subversive had a simple
editorial policy. You could only have a copy of the magazine if you
wrote an `article'. The policy was a good way of protecting against
nappies--sloppy or inexperienced hackers who might accidentally draw
police attention. Nappies also tended to abuse good phreaking and
hacking techniques, which might cause Telecom to close up security
holes. The result was that IS had a circulation of just three people.
To a non-hacker, IS looked like gobbledygook--the phone book made more
interesting reading. But to a member of the computer underground, IS
was a treasure map. A good hacker could follow the trail of modem
phone numbers and passwords, then use the directions in IS to
disappear through secret entrances into the labyrinth of forbidden
computer networks. Armed with the magazine, he could slither out of
tight spots, outwit system admins and find the treasure secreted in
each computer system.
For Prime Suspect and Mendax, who were increasingly paranoid about
line traces from the university modems they used as launchpads, Trax's
phreaking skills were a gift from heaven.
Trax made his great discovery by accident. He was using a phone
sprinter, a simple computer program which automatically dialled a
range of phone numbers looking for modems. If he turned the volume up
on his modem when his computer dialled what seemed to be a dead or
non-existent number, he sometimes heard a soft clicking noise after
the disconnection message. The noise sounded like faint heartbeats.
Curious, he experimented with these strange numbers and soon
discovered they were disconnected lines which had not yet been
reassigned. He wondered how he could use these odd numbers. After
reading a document Mendax had found in Britain and uploaded to The
Devil's Playground, another BBS, Trax had an idea. The posting
provided information about CCITT #5 signalling tones, CCITT being the
international standard--the language spoken by telephone exchanges
between countries.
When you make an international phone call from Australia to the US,
the call passes from the local telephone exchange to an international
gateway exchange within Australia. From there, it travels to an
exchange in the US. The CCITT signalling tones were the special tones
the two international gateway exchanges used to communicate with each
other.
Telecom Australia adapted a later version of this standard, called R2,
for use on its own domestic exchanges. Telecom called this new
standard MFC, or multi-frequency code. When, say, Trax rang Mendax,
his exchange asked Mendax's to `talk' to Mendax's phone by using these
tones. Mendax's exchange `answered', perhaps saying Mendax's phone was
busy or disconnected. The Telecom-adapted tones--pairs of audio
frequencies--did not exist in normal telephone keypads and you
couldn't make them simply by punching keys on your household
telephone.
Trax wrote a program which allowed his Amstrad computer to generate the
special tones and send them down the phone line. In an act many in the
underground later considered to be a stroke of genius, he began to map
out exactly what each tone did. It was a difficult task, since one tone
could mean several different things at each stage of the `conversation'
between two exchanges.
Passionate about his new calling, Trax went trashing in Telecom
garbage bins, where he found an MFC register list--an invaluable piece
of his puzzle. Using the list, along with pieces of overseas phreaking
files and a great deal of painstaking hands-on effort, Trax slowly
learned the language of the Australian telephone exchanges. Then he
taught the language to his computer.
Trax tried calling one of the `heartbeat' phone numbers again. He
began playing his special, computer-generated tones through an
amplifier. In simple terms, he was able to fool other exchanges into
thinking he was his local Telecom exchange. More accurately, Trax had
made his exchange drop him into the outgoing signalling trunk that had
been used to route to the disconnected phone number.
Trax could now call out--anywhere--as if he was calling from a point
halfway between his own phone and the disconnected number. If he
called a modem at Melbourne University, for instance, and the line was
being traced, his home phone number would not show up on the trace
records. No-one would be charged for the call because Trax's calls
were ghosts in the phone system.
Trax continued to refine his ability to manipulate both the telephone
and the exchange. He took his own telephone apart, piece by piece,
countless times, fiddling with the parts until he understood exactly
how it worked. Within months, he was able to do far more than just
make free phone calls. He could, for instance, make a line trace think
Share with your friends: |