Suelette dreyfus julian assange

harder for the SPAN team; getting a worm exterminating program out to

JPL, like other sites which had cut their connection to SPAN, was

going to be that much tougher. Everything had to be done over the

phone.

network. It was like the centre of a wheel, with a dozen spokes

branching off--each leading to another SPAN site. All these places,

known as tailsites, depended on the lab site for their connections

into SPAN. When JPL pulled itself off the network, the tailsites went

down too.

It was a serious problem for the people in the SPAN office back in

Virginia. To Ron Tencati, head of security for NASA SPAN, taking a

routing centre off-line was a major issue. But his hands were tied.

The SPAN office exercised central authority over the wide area

network, but it couldn't dictate how individual field centres dealt

with the worm. That was each centre's own decision. The SPAN team

could only give them advice and rush to develop a way to poison the

worm.

urgent request. Would he come over to help handle the crisis?

The SPAN centre was only 800 metres away from McMahon's office. His

boss, Jerome Bennett, the DECNET protocol manager, gave the nod.

McMahon would be on loan until the crisis was under control.

When he got to Building 26, home of the NASA SPAN project office,

McMahon became part of a core NASA crisis team including Todd Butler,

Ron Tencati and Pat Sisson. Other key NASA people jumped in when

needed, such as Dave Peters and Dave Stern. Jim Green, the head of the

National Space Science Data Center at Goddard and the absolute boss of

SPAN, wanted hourly reports on the crisis. At first the core team

seemed only to include NASA people and to be largely based at Goddard.

But as the day wore on, new people from other parts of the US

government would join the team.

The worm had spread outside NASA.

It had also attacked the US Department of Energy's worldwide

High-Energy Physics' Network of computers. Known as HEPNET, it was

another piece of the overall SPAN network, along with Euro-HEPNET and

Euro-SPAN. The NASA and DOE computer networks of DEC computers

crisscrossed at a number of places. A research laboratory might, for

example, need to have access to computers from both HEPNET and NASA

SPAN. For convenience, the lab might just connect the two networks.

The effect as far as the worm was concerned was that NASA's SPAN and

DOE's HEPNET were in fact just one giant computer network, all of

which the worm could invade.

The Department of Energy keeps classified information on its

computers. Very classified information. There are two groups in DOE:

the people who do research on civilian energy projects and the people

who make atomic bombs. So DOE takes security seriously, as in `threat

to national security' seriously. Although HEPNET wasn't meant to be

carrying any classified information across its wires, DOE responded

with military efficiency when its computer managers discovered the

invader. They grabbed the one guy who knew a lot about computer

security on VMS systems and put him on the case: Kevin Oberman.

Like McMahon, Oberman wasn't formally part of the computer security

staff. He had simply become interested in computer security and was

known in-house as someone who knew about VMS systems and security.

Officially, his job was network manager for the engineering department

at the DOE-financed Lawrence Livermore National Laboratory, or LLNL,

near San Francisco.

LLNL conducted mostly military research, much of it for the Strategic

Defense Initiative. Many LLNL scientists spent their days designing

nuclear arms and developing beam weapons for the Star Wars program.9

DOE already had a computer security group, known as CIAC, the Computer

Incident Advisory Capability. But the CIAC team tended to be experts

in security issues surrounding Unix rather than VMS-based computer

systems and networks. `Because there had been very few security

problems over the years with VMS,' Oberman concluded, `they had never

brought in anybody who knew about VMS and it wasn't something they

were terribly concerned with at the time.'

The worm shattered that peaceful confidence in VMS computers. Even as

the WANK worm coursed through NASA, it was launching an aggressive

attack on DOE's Fermi National Accelerator Laboratory, near Chicago. It

had broken into a number of computer systems there and the Fermilab

people were not happy. They called in CIAC, who contacted Oberman with

an early morning phone call on 16 October. They wanted him to analyse

the WANK worm. They wanted to know how dangerous it was. Most of all,

they wanted to know what to do about it.

The DOE people traced their first contact with the worm back to 14

October. Further, they hypothesised, the worm had actually been

launched the day before, on Friday the 13th. Such an inauspicious day

would, in Oberman's opinion, have been in keeping with the type of

humour exhibited by the creator or creators of the worm.

Oberman began his own analysis of the worm, oblivious to the fact that

3200 kilometres away, on the other side of the continent, his colleague

and acquaintance John McMahon was doing exactly the same thing.

Every time McMahon answered a phone call from an irate NASA system or

network manager, he tried to get a copy of the worm from the infected

machine. He also asked for the logs from their computer systems. Which

computer had the worm come from? Which systems was it attacking from

the infected site? In theory, the logs would allow the NASA team to

map the worm's trail. If the team could find the managers of those

systems in the worm's path, it could warn them of the impending

danger. It could also alert the people who ran recently infected

systems which had become launchpads for new worm attacks.

This wasn't always possible. If the worm had taken over a computer and

was still running on it, then the manager would only be able to trace

the worm backward, not forward. More importantly, a lot of the

managers didn't keep extensive logs on their computers.

McMahon had always felt it was important to gather lots of information

about who was connecting to a computer. In his previous job, he had

modified his machines so they collected as much security information

as possible about their connections to other computers.

VMS computers came with a standard set of alarms, but McMahon didn't

think they were thorough enough. The VMS alarms tended to send a

message to the computer managers which amounted to, `Hi! You just got

a network connection from here'. The modified alarm system said, `Hi!

You just got a network connection from here. The person at the other

end is doing a file transfer' and any other bits and pieces of

information that McMahon's computer could squeeze out of the other

computer. Unfortunately, a lot of other NASA computer and network

managers didn't share this enthusiasm for audit logs. Many did not

keep extensive records of who had been accessing their machines and

when, which made the job of chasing the worm much tougher.

The SPAN office was, however, trying to keep very good logs on which

NASA computers had succumbed to the worm. Every time a NASA manager

called to report a worm disturbance, one of the team members wrote

down the details with paper and pen. The list, outlining the addresses

of the affected computers and detailed notations of the degree of

infection, would also be recorded on a computer. But handwritten lists

were a good safeguard. The worm couldn't delete sheets of paper.

When McMahon learned DOE was also under attack, he began checking in

with them every three hours or so. The two groups swapped lists of

infected computers by telephone because voice, like the handwritten

word, was a worm-free medium. `It was a kind of archaic system, but on

the other hand we didn't have to depend on the network being up,'

McMahon said. `We needed to have some chain of communications which

was not the same as the network being attacked.'

A number of the NASA SPAN team members had developed contacts within

different parts of DEC through the company's users' society, DECUS.

These contacts were to prove very helpful. It was easy to get lost in

the bureaucracy of DEC, which employed more than 125000 people, posted

a billion-dollar profit and declared revenues in excess of $12 billion

in 1989.10 Such an enormous and prestigious company would not want

to face a crisis such as the WANK worm, particularly in such a

publicly visible organisation like NASA. Whether or not the worm's

successful expedition could be blamed on DEC's software was a moot

point. Such a crisis was, well, undesirable. It just didn't look good.

And it mightn't look so good either if DEC just jumped into the fray.

It might look like the company was in some way at fault.

Things were different, however, if someone already had a relationship

with a technical expert inside the company. It wasn't like NASA

manager cold-calling a DEC guy who sold a million dollars worth of

machines to someone else in the agency six months ago. It was the NASA

guy calling the DEC guy he sat next to at the conference last month.

It was a colleague the NASA manager chatted with now and again.

John McMahon's analysis suggested there were three versions of the WANK

worm. These versions, isolated from worm samples collected from the

network, were very similar, but each contained a few subtle

differences. In McMahon's view, these differences could not be explained

by the way the worm recreated itself at each site in order to

spread. But why would the creator of the worm release different

versions? Why not just write one version properly and fire it off? The

worm wasn't just one incoming missile; it was a frenzied attack. It was

coming from all directions, at all sorts of different levels within

NASA's computers.

McMahon guessed that the worm's designer had released the different

versions at slightly different times. Maybe the creator released the

worm, and then discovered a bug. He fiddled with the worm a bit to

correct the problem and then released it again. Maybe he didn't like

the way he had fixed the bug the first time, so he changed it a little

more and released it a third time.

In northern California, Kevin Oberman came to a different conclusion.

He believed there was in fact only one real version of the worm

spiralling through HEPNET and SPAN. The small variations in the

different copies he dissected seemed to stem from the worm's ability

to learn and change as it moved from computer to computer.

McMahon and Oberman weren't the only detectives trying to decipher the

various manifestations of the worm. DEC was also examining the worm,

and with good reason. The WANK worm had invaded the corporation's own

network. It had been discovered snaking its way through DEC's own

private computer network, Easynet, which connected DEC manufacturing

plants, sales offices and other company sites around the world. DEC

was circumspect about discussing the matter publicly, but the Easynet

version of the WANK worm was definitely distinct. It had a strange

line of code in it, a line missing from any other versions. The worm

was under instructions to invade as many sites as it could, with one

exception. Under no circumstances was it to attack computers inside

DEC's area 48. The NASA team mulled over this information. One of them

looked up area 48. It was New Zealand.

New Zealand?

The NASA team were left scratching their heads. This attack was

getting stranger by the minute. Just when it seemed that the SPAN team

members were travelling down the right path toward an answer at the

centre of the maze of clues, they turned a corner and found themselves

hopelessly lost again. Then someone pointed out that New Zealand's

worldwide claim to fame was that it was a nuclear-free zone.

In 1986, New Zealand announced it would refuse to admit to its ports

any US ships carrying nuclear arms or powered by nuclear energy. The

US retaliated by formally suspending its security obligations to the

South Pacific nation. If an unfriendly country invaded New Zealand,

the US would feel free to sit on its hands. The US also cancelled

intelligence sharing practices and joint military exercises.

Many people in Australia and New Zealand thought the US had

overreacted. New Zealand hadn't expelled the Americans; it had simply

refused to allow its population to be exposed to nuclear arms or

power. In fact, New Zealand had continued to allow the Americans to

run their spy base at Waihopai, even after the US suspension. The

country wasn't anti-US, just anti-nuclear.

And New Zealand had very good reason to be anti-nuclear. For years, it

had put up with France testing nuclear weapons in the Pacific. Then in

July 1985 the French blew up the Greenpeace anti-nuclear protest ship

as it sat in Auckland harbour. The Rainbow Warrior was due to sail for

Mururoa Atoll, the test site, when French secret agents bombed the

ship, killing Greenpeace activist Fernando Pereira.

For weeks, France denied everything. When the truth came out--that

President Mitterand himself had known about the bombing plan--the

French were red-faced. Heads rolled. French Defence Minister Charles

Hernu was forced to resign. Admiral Pierre Lacoste, director of

France's intelligence and covert action bureau, was sacked. France

apologised and paid $NZ13 million compensation in exchange for New

Zealand handing back the two saboteurs, who had each been sentenced to

ten years' prison in Auckland.

As part of the deal, France had promised to keep the agents

incarcerated for three years at the Hao atoll French military base.

Both agents walked free by May 1988 after serving less than two years.

After her return to France, one of the agents, Captain Dominique

Prieur, was promoted to the rank of commandant.

Finally, McMahon thought. Something that made sense. The exclusion of

New Zealand appeared to underline the meaning of the worm's political

message.

When the WANK worm invaded a computer system, it had instructions to

copy itself and send that copy out to other machines. It would slip

through the network and when it came upon a computer attached to the

network, it would poke around looking for a way in. What it really

wanted was to score a computer account with privileges, but it would

settle for a basic-level, user-level account.

VMS systems have accounts with varying levels of privilege. A

high-privilege account holder might, for example, be able to read the

electronic mail of another computer user or delete files from that

user's directory. He or she might also be allowed to create new

computer accounts on the system, or reactivate disabled accounts. A

privileged account holder might also be able to change someone else's

password. The people who ran computer systems or networks needed

accounts with the highest level of privilege in order to keep the

system running smoothly. The worm specifically sought out these sorts

of accounts because its creator knew that was where the power lay.

The worm was smart, and it learned as it went along. As it traversed

the network, it created a masterlist of commonly used account names.

First, it tried to copy the list of computer users from a system it

had not yet penetrated. It wasn't always able to do this, but often

the system security was lax enough for it to be successful. The worm

then compared that list to the list of users on its current host. When

it found a match--an account name common to both lists--the worm added

that name to the masterlist it carried around inside it, making a note

to try that account when breaking into a new system in future.

It was a clever method of attack, for the worm's creator knew that

certain accounts with the highest privileges were likely to have

standard names, common across different machines. Accounts with names

such as `SYSTEM', `DECNET' and `FIELD' with standard passwords such as

`SYSTEM' and `DECNET' were often built into a computer before it was

shipped from the manufacturer. If the receiving computer manager

didn't change the pre-programmed account and password, then his

computer would have a large security hole waiting to be exploited.

The worm's creator could guess some of the names of these

manufacturer's accounts, but not all of them. By endowing the worm

with an ability to learn, he gave it far more power. As the worm

spread, it became more and more intelligent. As it reproduced, its

offspring evolved into ever more advanced creatures, increasingly

successful at breaking into new systems.

When McMahon performed an autopsy on one of the worm's progeny, he was

impressed with what he found. Slicing the worm open and inspecting its

entrails, he discovered an extensive collection of generic privileged

accounts across the SPAN network. In fact, the worm wasn't only picking

up the standard VMS privileged accounts; it had learned accounts common

to NASA but not necessarily to other VMS computers. For example, a lot

of NASA sites which ran a type of TCP/IP mailer that needed either a

POSTMASTER or a MAILER account. John saw those names turn up inside the

worm's progeny.

Even if it only managed to break into an unprivileged account, the

worm would use the account as an incubator. The worm replicated and

then attacked other computers in the network. As McMahon and the rest

of the SPAN team continued to pick apart the rest of the worm's code

to figure out exactly what the creature would do if it got into a

fully privileged account, they found more evidence of the dark sense

of humour harboured by the hacker behind the worm. Part of the worm, a

subroutine, was named `find fucked'.

The SPAN team tried to give NASA managers calling in as much

information as they could about the worm. It was the best way to help

computer managers, isolated in their offices around the country, to

regain a sense of control over the crisis.

Like all the SPAN team, McMahon tried to calm the callers down and

walk them through a set a questions designed to determine the extent

of the worm's control over their systems. First, he asked them what

symptoms their systems were showing. In a crisis situation, when

you're holding a hammer, everything looks like a nail. McMahon wanted

to make sure that the problems on the system were in fact caused by

the worm and not something else entirely.

If the only problem seemed to be mysterious comments flashing across

the screen, McMahon concluded that the worm was probably harassing the

staff on that computer from a neighbouring system which it had

successfully invaded. The messages suggested that the recipients'

accounts had not been hijacked by the worm. Yet.

VAX/VMS machines have a feature called Phone, which is useful for

on-line communications. For example, a NASA scientist could `ring up'

one of his colleagues on a different computer and have a friendly chat

on-line. The chat session is live, but it is conducted by typing on

the computer screen, not `voice'. The VMS Phone facility enabled the

worm to send messages to users. It would simply call them using the

phone protocol. But instead of starting a chat session, it sent them

statements from what was later determined to be the aptly named

Fortune Cookie file--a collection of 60 or so pre-programmed comments.

In some cases, where the worm was really bugging staff, McMahon told

the manager at the other end of the phone to turn the computer's Phone

feature off. A few managers complained and McMahon gave them the

obvious ultimatum: choose Phone or peace. Most chose peace.

When McMahon finished his preliminary analysis, he had good news and

bad news. The good news was that, contrary to what the worm was

telling computer users all over NASA, it was not actually deleting

their files. It was just pretending to delete their data. One big

practical joke. To the creator of the worm anyway. To the NASA

scientists, just a headache and heartache. And occasionally a heart

attack.

The bad news was that, when the worm got control over a privileged

even more serious break-in at NASA. The worm sought out the FIELD

account created by the manufacturer and, if it had been turned off,

tried to reactivate the account and install the password FIELD. The

worm was also programmed to change the password for the standard

account named DECNET to a random string of at least twelve characters.

In short, the worm tried to pry open a backdoor to the system.

The worm sent information about accounts it had successfully broken

into back to a type of electronic mailbox--an account called GEMPAK on

SPAN node 6.59. Presumably, the hacker who created the worm would

check the worm's mailbox for information which he could use to break

into the NASA account at a later date. Not surprisingly, the mailboxes

had been surreptitiously `borrowed' by the hacker, much to the

surprise of the legitimate owners.

A computer hacker created a whole new set of problems. Although the

worm was able to break into new accounts with greater speed and reach

than a single hacker, it was more predictable. Once the SPAN and DOE

teams picked the worm apart, they would know exactly what it could be

expected to do. However, a hacker was utterly unpredictable.

McMahon realised that killing off the worm was not going to solve the

problem. All the system managers across the NASA and DOE networks

would have to change all the passwords of the accounts used by the

worm. They would also have to check every system the worm had invaded

to see if it had built a backdoor for the hacker. The system admin had

to shut and lock all the backdoors, no small feat.

What really scared the SPAN team about the worm, however, was that it

was rampaging through NASA simply by using the simplest of attack