Suelette dreyfus julian assange

Download 6.15 Mb.
Size6.15 Mb.
1   2   3   4   5   6   7   8   9   ...   43

Fermilab in Chicago and propelled itself across the Pacific into the

Riken Accelerator Facility in Japan.14

NASA officials told the media they believed the worm had been launched

about 4.30 a.m. on Monday, 16 October.15 They also believed it had

originated in Europe, possibly in France.

[ ]
Wednesday, 18 October 1989

Kennedy Space Center, Florida

The five-member Atlantis had some bad news on Wednesday morning. The

weather forecasters gave the launch site a 40 per cent chance of

launch guideline-violating rain and cloud. And then there was the

earthquake in California.

The Kennedy Space Center wasn't the only place which had to be in

tip-top working order for a launch to go ahead. The launch depended on

many sites far away from Florida. These included Edwards Air Force

Base in California, where the shuttle was due to land on Monday. They

also included other sites, often military bases, which were essential

for shuttle tracking and other mission support. One of these sites was

a tracking station at Onizuka Air Force Base at Sunnyvale, California.

The earthquake which ripped through the Bay area had damaged the

tracking station and senior NASA decision-makers planned to meet on

Wednesday morning to consider the Sunnyvale situation. Still, the

space agency maintained a calm, cool exterior. Regardless of the

technical problems, the court challenges and the protesters, the

whimsical weather, the natural disasters, and the WANK worm, NASA was

still in control of the situation.

`There's been some damage, but we don't know how much. The sense I get

is it's fairly positive,' a NASA spokesman told UPI. `But there are

some problems.'16 In Washington, Pentagon spokesman Rick Oborn

reassured the public again, `They are going to be able to handle

shuttle tracking and support for the mission ... They will be able to

do their job'.17

Atlantis waited, ready to go, at launchpad 39B. The technicians had

filled the shuttle up with rocket fuel and it looked as if the weather

might hold. It was partly cloudy, but conditions at Kennedy passed


The astronauts boarded the shuttle. Everything was in place.

But while the weather was acceptable in Florida, it was causing some

problems in Africa, the site of an emergency landing location. If it

wasn't one thing, it was another. NASA ordered a four-minute delay.

Finally at 12.54 p.m., Atlantis boomed from its launchpad. Rising up

from the Kennedy Center, streaking a trail of twin flames from its

huge solid-fuel boosters, the shuttle reached above the atmosphere and

into space.

At 7.15 p.m., exactly 6 hours and 21 minutes after lift-off, Galileo

began its solo journey into space. And at 8.15 p.m., Galileo's booster


Inside shuttle mission control, NASA spokesman Brian Welch announced,

`The spacecraft Galileo ... has achieved Earth escape velocity'.18

[ ]
Monday, 30 October 1989

NASA's Goddard Space Flight Center, Greenbelt, Maryland

The week starting 16 October had been a long one for the SPAN team.

They were keeping twelve-hour days and dealing with hysterical people

all day long. Still, they managed to get copies of anti-WANK out,

despite the limitations of the dated SPAN records and the paucity of

good logs allowing them to retrace the worm's path. `What we learned

that week was just how much data is not collected,' McMahon observed.

By Friday, 20 October, there were no new reports of worm attacks. It

looked as though the crisis had passed. Things could be tidied up by

the rest of the SPAN team and McMahon returned to his own work.

A week passed. All the while, though, McMahon was on edge. He doubted

that someone who had gone to all that trouble of creating the WANK

worm would let his baby be exterminated so quickly. The decoy-duck

strategy only worked as long as the worm kept the same process name,

and as long as it was programmed not to activate itself on systems

which were already infected. Change the process name, or teach the

worm to not to suicide, and the SPAN team would face another, larger

problem. John McMahon had an instinct about the worm; it might just

be back.

His instinct was right.

The following Monday, McMahon received another phone call from the

SPAN project office. When he poked his head in his boss's office,

Jerome Bennett looked up from his desk.

`The thing is back,' McMahon told him. There was no need to explain

what `the thing' was. `I'm going over to the SPAN office.'

Ron Tencati and Todd Butler had a copy of the new WANK worm ready for

McMahon. This version of the worm was far more virulent. It copied

itself more effectively and therefore moved through the network much

faster. The revised worm's penetration rate was much higher--more than

four times greater than the version of WANK released in the first

attack. The phone was ringing off the hook again. John took a call

from one irate manager who launched into a tirade. `I ran your

anti-WANK program, followed your instructions to the letter, and look

what happened!'

The worm had changed its process name. It was also designed to hunt down

and kill the decoy-duck program. In fact, the SPAN network was going to

turn into a rather bloody battlefield. This worm didn't just kill the

decoy, it also killed any other copy of the WANK worm. Even if McMahon

changed the process name used by his program, the decoy-duck strategy

was not going to work any longer.

There were other disturbing improvements to the new version of the

WANK worm. Preliminary information suggested it changed the password

on any account it got into. This was a problem. But not nearly as big

a problem as if the passwords it changed were for the only privileged

accounts on the system. The new worm was capable of locking a system

manager out of his or her own system.

Prevented from getting into his own account, the computer manager

might try borrowing the account of an average user, call him Edwin.

Unfortunately, Edwin's account probably only had low-level privileges.

Even in the hands of a skilful computer manager, the powers granted to

Edwin's account were likely too limited to eradicate the worm from its

newly elevated status as computer manager. The manager might spend his

whole morning matching wits with the worm from the disadvantaged

position of a normal user's account. At some point he would have to

make the tough decision of last resort: turn the entire computer

system off.

The manager would have to conduct a forced reboot of the machine. Take

it down, then bring it back up on minimum configuration. Break back

into it. Fix the password which the worm had changed. Logout. Reset

some variables. Reboot the machine again. Close up any underlying

security holes left behind by the worm. Change any passwords which

matched users' names. A cold start of a large VMS machine took time.

All the while, the astronomers, physicists and engineers who worked in

this NASA office wouldn't be able to work on their computers.

At least the SPAN team was better prepared for the worm this time.

They had braced themselves psychologically for a possible return

attack. Contact information for the network had been updated. And the

general DECNET internet community was aware of the worm and was

lending a hand wherever possible.

Help came from a system manager in France, a country which seemed to

be of special interest to the worm's author. The manager, Bernard

Perrot of Institut de Physique Nucleaire in Orsay, had obtained a copy

of the worm, inspected it and took special notice of the creature's

poor error checking ability. This was the worm's true Achilles' heel.

The worm was trained to go after the RIGHTSLIST database, the list of

all the people who have accounts on the computer. What if someone

moved the database by renaming it and put a dummy database in its

place? The worm would, in theory, go after the dummy, which could be

designed with a hidden bomb. When the worm sniffed out the dummy, and

latched onto it, the creature would explode and die. If it worked, the

SPAN team would not have to depend on the worm killing itself, as they

had during the first invasion. They would have the satisfaction of

destroying the thing themselves.

Ron Tencati procured a copy of the French manager's worm-killing

program and gave it to McMahon, who set up a sort of mini-laboratory

experiment. He cut the worm into pieces and extracted the relevant

bits. This allowed him to test the French worm-killing program with

little risk of the worm escaping and doing damage. The French program

worked wonderfully. Out it went. The second version of the worm was so

much more virulent, getting it out of SPAN was going to take

considerably longer than the first time around. Finally, almost two

weeks after the second onslaught, the WANK worm had been eradicated

from SPAN.

By McMahon's estimate, the WANK worm had incurred up to half a million

dollars in costs. Most of these were through people wasting time and

resources chasing the worm instead of doing their normal jobs. The

worm was, in his view, a crime of theft. `People's time and resources

had been wasted,' he said. `The theft was not the result of the

accident. This was someone who deliberately went out to make a mess.

`In general, I support prosecuting people who think breaking into

machines is fun. People like that don't seem to understand what kind

of side effects that kind of fooling around has. They think that

breaking into a machine and not touching anything doesn't do anything.

That is not true. You end up wasting people's time. People are dragged

into the office at strange hours. Reports have to be written. A lot of

yelling and screaming occurs. You have to deal with law enforcement.

These are all side effects of someone going for a joy ride in someone

else's system, even if they don't do any damage. Someone has to pay

the price.'

McMahon never found out who created the WANK worm. Nor did he ever

discover what he intended to prove by releasing it. The creator's

motives were never clear and, if it had been politically inspired,

no-one took credit.

The WANK worm left a number of unanswered questions in its wake, a

number of loose ends which still puzzle John McMahon. Was the hacker

behind the worm really protesting against NASA's launch of the

plutonium-powered Galileo space probe? Did the use of the word

`WANK'--a most un-American word--mean the hacker wasn't American? Why

had the creator recreated the worm and released it a second time? Why

had no-one, no political or other group, claimed responsibility for

the WANK worm?

One of the many details which remained an enigma was contained in the

version of the worm used in the second attack. The worm's creator had

replaced the original process name, NETW_, with a new one, presumably

to thwart the anti-WANK program. McMahon figured the original process

name stood for `netwank'--a reasonable guess at the hacker's intended

meaning. The new process name, however, left everyone on the SPAN team

scratching their heads: it didn't seem to stand for anything. The

letters formed an unlikely set of initials for someone's name. No-one

recognised it as an acronym for a saying or an organisation. And it

certainly wasn't a proper word in the English language. It was a

complete mystery why the creator of the WANK worm, the hacker who

launched an invasion into hundreds of NASA and DOE computers, should

choose this weird word.

The word was `OILZ'.


Chapter 2 -- The Corner Pub


You talk of times of peace for all

and then prepare for war

-- from `Blossom of Blood' on Species Deceases by Midnight Oil

It is not surprising the SPAN security team would miss the mark. It is

not surprising, for example, that these officials should to this day

be pronouncing the `Oilz' version of the WANK worm as `oil zee'. It is

also not surprising that they hypothesised the worm's creator chose

the word `Oilz' because the modifications made to the last version

made it slippery, perhaps even oily.

Likely as not, only an Australian would see the worm's link to the

lyrics of Midnight Oil.

This was the world's first worm with a political message, and the

second major worm in the history of the worldwide computer networks.

It was also the trigger for the creation of FIRST, the Forum of

Incident Response and Security Teams.2 FIRST was an international

security alliance allowing governments, universities and commercial

organisations to share information about computer network security

incidents. Yet, NASA and the US Department of Energy were half a world

away from finding the creator of the WANK worm. Even as investigators

sniffed around electronic trails leading to France, it appears the

perpetrator was hiding behind his computer and modem in Australia.

Geographically, Australia is a long way from anywhere. To Americans,

it conjures up images of fuzzy marsupials, not computer hackers.

American computer security officials, like those at NASA and the US

Department of Energy, had other barriers as well. They function in a

world of concretes, of appointments made and kept, of real names,

business cards and official titles. The computer underground, by

contrast, is a veiled world populated by characters slipping in and

out of the half-darkness. It is not a place where people use their

real names. It is not a place where people give out real personal


It is, in fact, not so much a place as a space. It is ephemeral,

intangible--a foggy labyrinth of unmapped, winding streets through

which one occasionally ascertains the contours of a fellow traveller.

When Ron Tencati, the manager in charge of NASA SPAN security, realised

that NASA's computers were being attacked by an intruder, he rang the

FBI. The US Federal Bureau of Investigation's Computer Crime Unit fired

off a stream of questions. How many computers had been attacked? Where

were they? Who was behind the attack? The FBI told Tencati, `keep us

informed of the situation'. Like the CIAC team in the Department of

Energy, it appears the FBI didn't have much knowledge of VMS, the

primary computer operating system used in SPAN.

But the FBI knew enough to realise the worm attack was potentially

very serious. The winding electronic trail pointed vaguely to a

foreign computer system and, before long, the US Secret Service was

involved. Then the French secret service, the Direction de la

Surveillance du Territoire, or DST, jumped into the fray.

DST and the FBI began working together on the case. A casual observer

with the benefit of hindsight might see different motivations driving

the two government agencies. The FBI wanted to catch the perpetrator.

The DST wanted to make it clear that the infamous WANK worm attack on

the world's most prestigious space agency did not originate in France.

In the best tradition of cloak-and-dagger government agencies, the FBI

and DST people established two communication channels--an official

channel and an unofficial one. The official channel involved

embassies, attach├ęs, formal communiques and interminable delays in

getting answers to the simplest questions. The unofficial channel

involved a few phone calls and some fast answers.

Ron Tencati had a colleague named Chris on the SPAN network in France,

which was the largest user of SPAN in Europe. Chris was involved in

more than just science computer networks. He had certain contacts in

the French government and seemed to be involved in their computer

networks. So, when the FBI needed technical information for its

investigation--the kind of information likely to be sanitised by some

embassy bureaucrat--one of its agents rang up Ron Tencati. `Ron, ask

your friend this,' the FBI would say. And Ron would.

`Chris, the FBI wants to know this,' Tencati would tell his colleague

on SPAN France. Then Chris would get the necessary information. He

would call Tencati back, saying, `Ron, here is the answer. Now, the

DST wants to know that'. And off Ron would go in search of information

requested by the DST.

The investigation proceeded in this way, with each helping the other

through backdoor channels. But the Americans' investigation was headed

toward the inescapable conclusion that the attack on NASA had

originated from a French computer. The worm may have simply travelled

through the French computer from yet another system, but the French

machine appeared to be the sole point of infection for NASA.

The French did not like this outcome. Not one bit. There was no way

that the worm had come from France. Ce n'est pas vrai.

Word came back from the French that they were sure the worm had come

from the US. Why else would it have been programmed to mail details of

all computer accounts it penetrated around the world back to a US

machine, the computer known as GEMPAK? Because the author of the worm

was an American, of course! Therefore it is not our problem, the

French told the Americans. It is your problem.

Most computer security experts know it is standard practice among

hackers to create the most tangled trail possible between the hacker

and the hacked. It makes it very difficult for people like the FBI to

trace who did it. So it would be difficult to draw definite

conclusions about the nationality of the hacker from the location of a

hacker's information drop-off point--a location the hacker no doubt

figured would be investigated by the authorities almost immediately

after the worm's release.

Tencati had established the French connection from some computer logs

showing NASA under attack very early on Monday, 16 October. The logs

were important because they were relatively clear. As the worm had

procreated during that day, it had forced computers all over the

network to attack each other in ever greater numbers. By 11 a.m. it

was almost impossible to tell where any one attack began and the other


Some time after the first attack, DST sent word that certain agents

were going to be in Washington DC regarding other matters. They wanted

a meeting with the FBI. A representative from the NASA Inspector

General's Office would attend the meeting, as would someone from NASA

SPAN security.

Tencati was sure he could show the WANK worm attack on NASA originated

in France. But he also knew he had to document everything, to have

exact answers to every question and counter-argument put forward by

the French secret service agents at the FBI meeting. When he developed

a timeline of attacks, he found that the GEMPAK machine showed X.25

network connection, via another system, from a French computer around

the same time as the WANK worm attack. He followed the scent and

contacted the manager of that system. Would he help Tencati? Mais oui.

The machine is at your disposal, Monsieur Tencati.

Tencati had never used an X.25 network before; it had a unique set of

commands unlike any other type of computer communications network. He

wanted to retrace the steps of the worm, but he needed help. So he

called his friend Bob Lyons at DEC to walk him through the process.

What Tencati found startled him. There were traces of the worm on the

machine all right, the familiar pattern of login failures as the worm

attempted to break into different accounts. But these remnants of the

WANK worm were not dated 16 October or any time immediately around

then. The logs showed worm-related activity up to two weeks before the

attack on NASA. This computer was not just a pass-through machine the

worm had used to launch its first attack on NASA. This was the

development machine.

Ground zero.

Tencati went into the meeting with DST at the FBI offices prepared. He

knew the accusations the French were going to put forward. When he

presented the results of his sleuthwork, the French secret service

couldn't refute it, but they dropped their own bombshell. Yes they

told him, you might be able to point to a French system as ground zero

for the attack, but our investigations reveal incoming X.25

connections from elsewhere which coincided with the timing of the

development of the WANK worm.

The connections came from Australia.

The French had satisfied themselves that it wasn't a French hacker who

had created the WANK worm. Ce n'est pas notre problem. At least, it's

not our problem any more.

It is here that the trail begins to go cold. Law enforcement and

computer security people in the US and Australia had ideas about just

who had created the WANK worm. Fingers were pointed, accusations were

made, but none stuck. At the end of the day, there was coincidence and

innuendo, but not enough evidence to launch a case. Like many

Australian hackers, the creator of the WANK worm had emerged from the

shadows of the computer underground, stood momentarily in hazy

silhouette, and then disappeared again.

[ ]
The Australian computer underground in the late 1980s was an

environment which spawned and shaped the author of the WANK worm.

Affordable home computers, such as the Apple IIe and the Commodore 64,

made their way into ordinary suburban families. While these computers

were not widespread, they were at least in a price range which made

them attainable by dedicated computer enthusiasts.

In 1988, the year before the WANK worm attack on NASA, Australia was

on an upswing. The country was celebrating its bicentennial. The

economy was booming. Trade barriers and old regulatory structures were

coming down. Crocodile Dundee had already burst on the world movie

scene and was making Australians the flavour of the month in cities

like LA and New York. The mood was optimistic. People had a sense they

were going places. Australia, a peaceful country of seventeen or so

million people, poised on the edge of Asia but with the order of a

Western European democracy, was on its way up. Perhaps for the first

Directory: ~suelette -> underground

Download 6.15 Mb.

Share with your friends:
1   2   3   4   5   6   7   8   9   ...   43

The database is protected by copyright © 2022
send message

    Main page