Underground: Chapter 8 -- The International Subversives

Contents | Previous: Chapter 7 -- Judgement Day | Next: Chapter 9 -- Operation Weather

All around an eerie sound

-- from `Maralinga', on 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 by Midnight Oil

Prime Suspect rang Mendax, offering an adventure. He had discovered a strange system called NMELH1 (pronounced N-Melly-H-1) and it was time to go exploring. He read off the dial-up numbers, found in a list of modem phone numbers on another hacked system.

Mendax looked at the scrap of paper in his hand, thinking about the name of the computer system.

The `N' stood for Northern Telecom, a Canadian company with annual sales of $8 billion. NorTel, as the company was known, sold thousands of highly sophisticated switches and other telephone exchange equipment to some of the world's largest phone companies. The `Melly' undoubtedly referred to the fact that the system was in Melbourne. As for the `H-1', well, that was anyone's guess, but Mendax figured it probably stood for `host-1'--meaning computer site number one.

Prime Suspect had stirred Mendax's interest. Mendax had spent hours experimenting with commands inside the computers which controlled telephone exchanges. In the end, those forays were all just guesswork--trial and error learning, at considerable risk of discovery. Unlike making a mistake inside a single computer, mis-guessing a command inside a telephone exchange in downtown Sydney or Melbourne could take down a whole prefix--10000 or more phone lines--and cause instant havoc.

This was exactly what the International Subversives didn't want to do. The three IS hackers--Mendax, Prime Suspect and Trax--had seen what happened to the visible members of the computer underground in England and in Australia. The IS hackers had three very good reasons to keep their activities quiet.

Phoenix. Nom. And Electron.

But, Mendax thought, what if you could learn about how to manipulate a million-dollar telephone exchange by reading the manufacturer's technical documentation? How high was the chance that those documents, which weren't available to the public, were stored inside NorTel's computer network?

Better still, what if he could find NorTel's original source code--the software designed to control specific telephone switches, such as the DMS-100 model. That code might be sitting on a computer hooked into the worldwide NorTel network. A hacker with access could insert his own backdoor--a hidden security flaw--before the company sent out software to its customers.

With a good technical understanding of how NorTel's equipment worked, combined with a backdoor installed in every piece of software shipped with a particular product, you could have control over every new NorTel DMS telephone switch installed from Boston to Bahrain. What power! Mendax thought, what if you you could turn off 10000 phones in Rio de Janeiro, or give 5000 New Yorkers free calls one afternoon, or listen into private telephone conversations in Brisbane. The telecommunications world would be your oyster.

Like their predecessors, the three IS hackers had started out in the Melbourne BBS scene. Mendax met Trax on Electric Dreams in about 1988, and Prime Suspect on Megaworks, where he used the handle Control Reset, not long after that. When he set up his own BBS at his home in Tecoma, a hilly suburb so far out of Melbourne that it was practically in forest, he invited both hackers to visit `A Cute Paranoia' whenever they could get through on the single phone line.

Visiting on Mendax's BBS suited both hackers, for it was more private than other BBSes. Eventually they exchanged home telephone numbers, but only to talk modem-to-modem. For months, they would ring each other up and type on their computer screens to each other--never having heard the sound of the other person's voice. Finally, late in 1990, the nineteen-year-old Mendax called up the 24-year-old Trax for a voice chat. In early 1991, Mendax and Prime Suspect, aged seventeen, also began speaking in voice on the phone.

Trax seemed slightly eccentric, and possibly suffered from some sort of anxiety disorder. He refused to travel to the city, and he once made reference to seeing a psychiatrist. But Mendax usually found the most interesting people were a little unusual, and Trax was both.

Mendax and Trax discovered they had a few things in common. Both came from poor but educated families, and both lived in the outer suburbs. However, they had very different childhoods.

Trax's parents migrated to Australia from Europe. Both his father, a retired computer technician, and his mother spoke with a German accent. Trax's father was very much the head of the household, and Trax was his only son.

By contrast, by the time he was fifteen Mendax had lived in a dozen different places including Perth, Magnetic Island, Brisbane, Townsville, Sydney, the Adelaide Hills, and a string of coastal towns in northern New South Wales and Western Australia. In fifteen years he had enrolled in at least as many different schools.

His mother had left her Queensland home at age seventeen, after saving enough money from selling her paintings to buy a motorcycle, a tent and a road map of Australia. Waving goodbye to her stunned parents, both academics, she rode off into the sunset. Some 2000 kilometres later, she arrived in Sydney and joined the thriving counter-culture community. She worked as an artist and fell in love with a rebellious young man she met at an anti-Vietnam demonstration.

Within a year of Mendax's birth, his mother's relationship with his father had ended. When Mendax was two, she married a fellow artist. What followed was many turbulent years, moving from town to town as his parents explored the '70s left-wing, bohemian subculture. As a boy, he was surrounded by artists. His stepfather staged and directed plays and his mother did make-up, costume and set design.

One night in Adelaide, when Mendax was about four, his mother and a friend were returning from a meeting of anti-nuclear protesters. The friend claimed to have scientific evidence that the British had conducted high-yield, above-ground nuclear tests at Maralinga, a desert area in north-west South Australia.

A 1984 Royal Commission subsequently revealed that between 1953 and 1963 the British government had tested nuclear bombs at the site, forcing more than 5000 Aborigines from their native lands. In December 1993, after years of stalling, the British government agreed to pay20 million toward cleaning up the more than 200 square kilometres of contaminated lands. Back in 1968, however, the Menzies government had signed away Britain's responsibility to clean up the site. In the 1970s, the Australian government was still in denial about exactly what had happened at Maralinga.

As Mendax's mother and her friend drove through an Adelaide suburb carrying early evidence of the Maralinga tragedy, they noticed they were being followed by an unmarked car. They tried to lose the tail, without success. The friend, nervous, said he had to get the data to an Adelaide journalist before the police could stop him. Mendax's mother quickly slipped into a back lane and the friend leapt from the car. She drove off, taking the police tail with her.

The plain-clothed police pulled her over shortly after, searched her car and demanded to know where her friend had gone and what had occurred at the meeting. When she was less than helpful, one officer told her, `You have a child out at 2 in the morning. I think you should get out of politics, lady. It could be said you were an unfit mother'.

A few days after this thinly veiled threat, her friend showed up at Mendax's mother's house, covered in fading bruises. He said the police had beaten him up, then set him up by planting hash on him. `I'm getting out of politics,' he announced.

However, she and her husband continued their involvement in theatre. The young Mendax never dreamed of running away to join the circus--he already lived the life of a travelling minstrel. But although the actor-director was a good stepfather, he was also an alcoholic. Not long after Mendax's ninth birthday, his parents separated and then divorced.

Mendax's mother then entered a tempestuous relationship with an amateur musician. Mendax was frightened of the man, whom he considered a manipulative and violent psychopath. He had five different identities with plastic in his wallet to match. His whole background was a fabrication, right down to the country of his birth. When the relationship ended, the steady pattern of moving around the countryside began again, but this journey had a very different flavour from the earlier happy-go-lucky odyssey. This time, Mendax and his family were on the run from a physically abusive de facto. Finally, after hiding under assumed names on both sides of the continent, Mendax and his family settled on the outskirts of Melbourne.

Mendax left home at seventeen because he had received a tip-off about an impending raid. Mendax wiped his disks, burnt his print-outs and left. A week later, the Victorian CIB turned up and searched his room, but found nothing. He married his girlfriend, an intelligent but introverted and emotionally disturbed sixteen-year-old he had met through a mutual friend in a gifted children's program. A year later they had a child.

Mendax made many of his friends through the computer community. He found Trax easy to talk to and they often spent up to five hours on a single phone call. Prime Suspect, on the other hand, was hard work on the phone.

Quiet and introverted, Prime Suspect always seemed to run out of conversation after five minutes. Mendax was himself naturally shy, so their talks were often filled with long silences. It wasn't that Mendax didn't like Prime Suspect, he did. By the time the three hackers met in person at Trax's home in mid-1991, he considered Prime Suspect more than just a fellow hacker in the tight-knit IS circle. Mendax considered him a friend.

Prime Suspect was a boy of veneers. To most of the world, he appeared to be a studious year 12 student bound for university from his upper middle-class grammar school. The all-boys school never expected less from its students and the possibility of attending a TAFE--a vocational college--was never discussed as an option. University was the object. Any student who failed to make it was quietly swept under the carpet like some sort of distasteful food dropping.

Prime Suspect's own family situation did not mirror the veneer of respectability portrayed by his school. His father, a pharmacist, and his mother, a nurse, had been in the midst of an acrimonious divorce battle when his father was diagnosed with terminal cancer. In this bitter, antagonistic environment, the eight-year-old Prime Suspect was delivered to his father's bedside in hospice for a rushed few moments to bid him farewell.

Through much of his childhood and adolescence, Prime Suspect's mother remained bitter and angry about life, and particularly her impoverished financial situation. When he was eight, Prime Suspect's older sister left home at sixteen, moved to Perth and refused to speak to her mother. In some ways, Prime Suspect felt he was expected be both child and de facto parent. All of which made him grow up faster in some ways, but remain immature in others.

Prime Suspect responded to the anger around him by retreating into his room. When he bought his first computer, an Apple IIe, at age thirteen he found it better company than any of his relatives. The computers at school didn't hold much interest for him, since they weren't connected to the outside world via modem. After reading about BBSes in the Apple Users' Society newsletter, he saved up for his own modem and soon began connecting into various BBSes.

School did, however, provide the opportunity to rebel, albeit anonymously, and he conducted extensive pranking campaigns. Few teachers suspected the quiet, clean-cut boy and he was rarely caught. Nature had endowed Prime Suspect with the face of utter innocence. Tall and slender with brown curly hair, his true character only showed in the elfish grin which sometimes passed briefly across his baby face. Teachers told his mother he was underachieving compared to his level of intelligence, but had few complaints otherwise.

By year 10, he had become a serious hacker and was spending every available moment at his computer. Sometimes he skipped school, and he often handed assignments in late. He found it difficult to come up with ever more creative excuses and sometimes he imagined telling his teachers the truth. `Sorry I didn't get that 2000-word paper done but I was knee-deep in NASA networks last night.' The thought made him laugh.

He saw girls as a unwanted distraction from hacking. Sometimes, after he chatted with a girl at a party, his friends would later ask him why he hadn't asked her out. Prime Suspect shrugged it off. The real reason was that he would rather get home to his computer, but he never discussed his hacking with anyone at school, not even with Mentat.

A friend of Force's and occasional visitor to The Realm, Mentat was two years ahead of Prime Suspect at school and in general couldn't be bothered talking to so junior a hacker as Prime Suspect. The younger hacker didn't mind. He had witnessed other hackers' indiscretions, wanted no part of them and was happy to keep his hacking life private.

Before the Realm bust, Phoenix rang him up once at 2 a.m. suggesting that he and Nom come over there and then. Woken by the call, Prime Suspect's mother stood in the doorway to his bedroom, remonstrating with him for letting his `friends' call at such a late hour. With Phoenix goading him in one ear, and his mother chewing him out in the other, Prime Suspect decided the whole thing was a bad idea. He said no thanks to Phoenix, and shut the door on his mother.

He did, however, talk to Powerspike on the phone once in a while. The older hacker's highly irreverent attitude and Porky Pig laugh appealed to him. But other than those brief talks, Prime Suspect avoided talking on the phone to people outside the International Subversives, especially when he and Mendax moved into ever more sensitive military computers.

Using a program called Sycophant written by Mendax, the IS hackers had been conducting massive attacks on the US military. They divided up Sycophant on eight attack machines, often choosing university systems at places like the Australian National University or the University of Texas. They pointed the eight machines at the targets and fired. Within six hours, the eight machines had assaulted thousands of computers. The hackers sometimes reaped 100000 accounts each night.

Using Sycophant, they essentially forced a cluster of Unix machines in a computer network to attack the entire Internet en masse.

And that was just the start of what they were into. They had been in so many sites they often couldn't remember if they had actually hacked a particular computer. The places they could recall read like a Who's Who of the American military-industrial complex. The US Airforce 7th Command Group Headquarters in the Pentagon. Stanford Research Institute in California. Naval Surface Warfare Center in Virginia. Lockheed Martin's Tactical Aircraft Systems Air Force Plant in Texas. Unisys Corporation in Blue Bell, Pennsylvania. Goddard Space Flight Center, NASA. Motorola Inc. in Illinois. TRW Inc. in Redondo Beach, California. Alcoa in Pittsburgh. Panasonic Corp in New Jersey. US Naval Undersea Warfare Engineering Station. Siemens-Nixdorf Information Systems in Massachusetts. Securities Industry Automation Corp in New York. Lawrence Livermore National Laboratory in California. Bell Communications Research, New Jersey. Xerox Palo Alto Research Center, California.

As the IS hackers reached a level of sophistication beyond anything The Realm had achieved, they realised that progress carried considerable risk and began to withdraw completely from the broader Australian hacking community. Soon they had drawn a tight circle around themselves. They talked only to each other.

Watching the Realm hackers go down hadn't deterred the next generation of hackers. It had only driven them further underground.

In the spring of 1991, Prime Suspect and Mendax began a race to get root on the US Department of Defense's Network Information Center (NIC) computer--potentially the most important computer on the Internet.

As both hackers chatted amiably on-line one night, on a Melbourne University computer, Prime Suspect worked quietly in another screen to penetrate ns.nic.ddn.mil, a US Department of Defense system closely linked to NIC. He believed the sister system and NIC might `trust' each other--a trust he could exploit to get into NIC. And NIC did everything.

NIC assigned domain names--the `.com' or `.net' at the end of an email address--for the entire Internet. NIC also controlled the US military's own internal defence data network, known as MILNET.

NIC also published the communication protocol standards for all of the Internet. Called RFCs (Request for Comments), these technical specifications allowed one computer on the Internet to talk to another. The Defense Data Network Security Bulletins, the US Department of Defense's equivalent of CERT advisories, came from the NIC machine.

Perhaps most importantly, NIC controlled the reverse look-up service on the Internet. Whenever someone connects to another site across the Internet, he or she typically types in the site name--say, ariel.unimelb.edu.au at the University of Melbourne. The computer then translates the alphabetical name into a numerical address--the IP address--in this case 128.250.20.3. All the computers on the Internet need this IP address to relay the packets of data onto the final destination computer. NIC decided how Internet computers would translate the alphabetical name into an IP address, and vice versa.

If you controlled NIC, you had phenomenal power on the Internet. You could, for example, simply make Australia disappear. Or you could turn it into Brazil. By pointing all Internet addresses ending in `.au'--the designation for sites in Australia--to Brazil, you could cut Australia's part of the Internet off from the rest of the world and send all Australian Internet traffic to Brazil. In fact, by changing the delegation of all the domain names, you could virtually stop the flow of information between all the countries on the Internet.

The only way someone could circumvent this power was by typing in the full numerical IP address instead of a proper alphabetical address. But few people knew the up-to-twelve-digit IP equivalent of their alphabetical addresses, and fewer still actually used them.

Controlling NIC offered other benefits as well. Control NIC, and you owned a virtual pass-key into any computer on the Internet which `trusted' another. And most machines trust at least one other system.

Whenever one computer connects to another across the Net, both machines go through a special meet-and-greet process. The receiving computer looks over the first machine and asks itself a few questions. What's the name of the incoming machine? Is that name allowed to connect to me? In what ways am I programmed to `trust' that machine--to wave my normal security for connections from that system?

The receiving computer answers these questions based in large part on information provided by NIC. All of which means that, by controlling NIC, you could make any computer on the Net `pose' as a machine trusted by a computer you might want to hack. Security often depended on a computer's name, and NIC effectively controlled that name.

When Prime Suspect managed to get inside NIC's sister system, he told Mendax and gave him access to the computer. Each hacker then began his own attack on NIC. When Mendax finally got root on NIC, the power was intoxicating. Prime Suspect got root at the same time but using a different method. They were both in.

Inside NIC, Mendax began by inserting a backdoor--a method of getting back into the computer at a later date in case an admin repaired the security flaws the hackers had used to get into the machine. From now on, if he telnetted into the system's Data Defense Network (DDN) information server and typed `login 0' he would have instant, invisible root access to NIC.

That step completed, he looked around for interesting things to read. One file held what appeared to be a list of satellite and microwave dish coordinates--longitude, latitudes, transponder frequencies. Such coordinates might in theory allow someone to build a complete map of communications devices which were used to move the DOD's computer data around the world.

Mendax also penetrated MILNET's Security Coordination Center, which collected reports on every possible security incident on a MILNET computer. Those computers--largely TOPS-20s made by DEC--contained good automatic security programs. Any number of out-of-the-ordinary events would trigger an automatic security report. Someone logging into a machine for too long. A large number of failed login attempts, suggesting password guessing. Two people logging into the same account at the same time. Alarm bells would go off and the local computer would immediately send a security violation report to the MILNET security centre, where it would be added to the `hot list'.

Mendax flipped through page after page of MILNET's security reports on his screen. Most looked like nothing--MILNET users accidentally stumbling over a security tripwire--but one notice from a US military site in Germany stood out. It was not computer generated. This was from a real human being. The system admin reported that someone had been repeatedly trying to break into his or her machine, and had eventually managed to get in. The admin was trying, without much luck, to trace back the intruder's connection to its point of origin. Oddly, it appeared to originate in another MILNET system.

Riffling through other files, Mendax found mail confirming that the attack had indeed come from inside MILNET. His eyes grew wide as he read on. US military hackers had broken into MILNET systems, using them for target practice, and no-one had bothered to tell the system admin at the target site.

Mendax couldn't believe it. The US military was hacking its own computers. This discovery led to another, more disturbing, thought. If the US military was hacking its own computers for practice, what was it doing to other countries' computers?

As he quietly backed out of the system, wiping away his footprints as he tip-toed away, Mendax thought about what he had seen. He was deeply disturbed that any hacker would work for the US military.

Hackers, he thought, should be anarchists, not hawks.

In early October 1991, Mendax rang Trax and gave him the dial-up and account details for NMELH1.

Trax wasn't much of a hacker, but Mendax admired his phreaking talents. Trax was the father of phreaking in Australia and Trax's Toolbox, his guide to the art of phreaking, was legendary. Mendax thought Trax might find some interesting detailed information inside the NorTel network on how to control telephone switches.

Trax invented multi-frequency code phreaking. By sending special tones--generated by his computer program--down the phone line, he could control certain functions in the telephone exchange. Many hackers had learned how to make free phone calls by charging the cost to someone else or to calling cards, but Trax discovered how to make phone calls which weren't charged to anyone. The calls weren't just free; they were untraceable.

Trax wrote 48 pages on his discovery and called it The Australian Phreakers Manual Volumes 1-7. But as he added more and more to the manual, he became worried what would happen if he released it in the underground, so he decided he would only show it to the other two International Subversive hackers.

He went on to publish The Advanced Phreaker's Manual,2 a second edition of the manual, in The International Subversive, the underground magazine edited by Mendax:

An electronic magazine, The International Subversive had a simple editorial policy. You could only have a copy of the magazine if you wrote an `article'. The policy was a good way of protecting against nappies--sloppy or inexperienced hackers who might accidentally draw police attention. Nappies also tended to abuse good phreaking and hacking techniques, which might cause Telecom to close up security holes. The result was that IS had a circulation of just three people.

To a non-hacker, IS looked like gobbledygook--the phone book made more interesting reading. But to a member of the computer underground, IS was a treasure map. A good hacker could follow the trail of modem phone numbers and passwords, then use the directions in IS to disappear through secret entrances into the labyrinth of forbidden computer networks. Armed with the magazine, he could slither out of tight spots, outwit system admins and find the treasure secreted in each computer system.

For Prime Suspect and Mendax, who were increasingly paranoid about line traces from the university modems they used as launchpads, Trax's phreaking skills were a gift from heaven.

Trax made his great discovery by accident. He was using a phone sprinter, a simple computer program which automatically dialled a range of phone numbers looking for modems. If he turned the volume up on his modem when his computer dialled what seemed to be a dead or non-existent number, he sometimes heard a soft clicking noise after the disconnection message. The noise sounded like faint heartbeats.

Curious, he experimented with these strange numbers and soon discovered they were disconnected lines which had not yet been reassigned. He wondered how he could use these odd numbers. After reading a document Mendax had found in Britain and uploaded to The Devil's Playground, another BBS, Trax had an idea. The posting provided information about CCITT #5 signalling tones, CCITT being the international standard--the language spoken by telephone exchanges between countries.

When you make an international phone call from Australia to the US, the call passes from the local telephone exchange to an international gateway exchange within Australia. From there, it travels to an exchange in the US. The CCITT signalling tones were the special tones the two international gateway exchanges used to communicate with each other.

Telecom Australia adapted a later version of this standard, called R2, for use on its own domestic exchanges. Telecom called this new standard MFC, or multi-frequency code. When, say, Trax rang Mendax, his exchange asked Mendax's to `talk' to Mendax's phone by using these tones. Mendax's exchange `answered', perhaps saying Mendax's phone was busy or disconnected. The Telecom-adapted tones--pairs of audio frequencies--did not exist in normal telephone keypads and you couldn't make them simply by punching keys on your household telephone.

Trax wrote a program which allowed his Amstrad computer to generate the special tones and send them down the phone line. In an act many in the underground later considered to be a stroke of genius, he began to map out exactly what each tone did. It was a difficult task, since one tone could mean several different things at each stage of the `conversation' between two exchanges.

Passionate about his new calling, Trax went trashing in Telecom garbage bins, where he found an MFC register list--an invaluable piece of his puzzle. Using the list, along with pieces of overseas phreaking files and a great deal of painstaking hands-on effort, Trax slowly learned the language of the Australian telephone exchanges. Then he taught the language to his computer.

Trax tried calling one of the `heartbeat' phone numbers again. He began playing his special, computer-generated tones through an amplifier. In simple terms, he was able to fool other exchanges into thinking he was his local Telecom exchange. More accurately, Trax had made his exchange drop him into the outgoing signalling trunk that had been used to route to the disconnected phone number.

Trax could now call out--anywhere--as if he was calling from a point halfway between his own phone and the disconnected number. If he called a modem at Melbourne University, for instance, and the line was being traced, his home phone number would not show up on the trace records. No-one would be charged for the call because Trax's calls were ghosts in the phone system.

Trax continued to refine his ability to manipulate both the telephone and the exchange. He took his own telephone apart, piece by piece, countless times, fiddling with the parts until he understood exactly how it worked. Within months, he was able to do far more than just make free phone calls. He could, for instance, make a line trace think that he had come from a specific telephone number.

He and Mendax joked that if they called a `hot' site they would use Trax's technique to send the line trace--and the bill--back to one very special number. The one belonging to the AFP's Computer Crime Unit in Melbourne.

All three IS hackers suspected the AFP was close on their heels. Roving through the Canberra-based computer system belonging to the man who essentially ran the Internet in Australia, Geoff Huston, they watched the combined efforts of police and the Australian Academic and Research Network (AARNET) to trace them.

Craig Warren of Deakin University had written to Huston, AARNET technical manager, about hacker attacks on university systems. Huston had forwarded a copy of the letter to Peter Elford, who assisted Huston in managing AARNET. The hackers broke into Huston's system and also read the letter:

From G.Huston@aarnet.edu.au Mon Sep 23 09:40:43 1991 Received: from by jatz.aarnet.edu.au with SMTP id AA00265 (5.65+/IDA-1.3.5 for pte900); Mon, 23 Sep 91 09:40:39 +1000 Date: Mon, 23 Sep 91 09:40:39 +1000 Message-Id: <9109222340.AA00265@jatz.aarnet.edu.au> To: pte900@aarnet.edu.au From: G.Huston@aarnet.edu.au Subject: Re: Visitors log Thursday Night--Friday Morning Status: RO >Date: Sun, 22 Sep 91 19:29:13 +1000 >From: Craig Warren <C.Warren@deakin.OZ.AU> > >Just to give you a little bit of an idea about what has been happening since we last spoke... > >We have communicated with Sgt Ken Day of the Federal Police about 100 times in the last week. Together with our counterparts from Warrnambool traces have been arranged on dial-in lines and on Austpac lines for the capella.cc.deakin.OZ.AU terminal server which was left open to the world. > >On Friday afternoon we were able to trace a call back to a person in the Warrnambool telephone district. The police have this persons name. We believe others are involved, as we have seen up to 3 people active at any one time. It is `suspected' students from RMIT and perhaps students from Deakin are also involved. > >When I left on Friday night, there was plenty of activity still and the police and Telecom were tracking down another number. > >Tomorrow morning I will talk to all parties involved, but it is likely we will have the names of at least 2 or 3 people that are involved. We will probably shut down access of `cappella' to AARNet at this stage, and let the police go about their business of prosecuting these people. > >You will be `pleased' (:-)) to know you have not been the only ones under attack. I know of at least 2 other sites in Victoria that have had people attacking them. One of them was Telecom which helped get Telecom involved! > >I will brief you all in the next day or so as to what has happened. > >Regards, Craig >

The `other' people were, of course, the IS hackers. There is nothing like reading about your own hacking antics in some one's security mail.

Mendax and Prime Suspect frequently visited ANU's computers to read the security mail there. However, universities were usually nothing special, just jumping-off points and, occasionally, good sources of information on how close the AFP were to closing in on the IS hackers.

Far more interesting to Mendax were his initial forays into Telecom's exchanges. Using a modem number Prime Suspect had found, he dialled into what he suspected was Telecom's Lonsdale Exchange in downtown Melbourne. When his modem connected to another one, all he saw was a blank screen. He tried a few basic commands which might give him help to understand the system:

Login. List. Attach.

The exchange's computer remained silent.

Mendax ran a program he had written to fire off every recognised keyboard character--256 of them--at another machine. Nothing again. He then tried the break signal--the Amiga key and the character B pressed simultaneously. That got an answer of sorts.

:

He pulled up another of his hacking tools, a program which dumped 200 common commands to the other machine. Nothing. Finally, he tried typing `logout'. That gave him an answer:

error, not logged on

Ah, thought Mendax. The command is `logon' not `login'.

:logon

The Telecom exchange answered: `username:' Now all Mendax had to do was figure out a username and password.

He knew that Telecom used NorTel equipment. More than likely, NorTel staff were training Telecom workers and would need access themselves. If there were lots of NorTel employees working on many different phone switches, it would be difficult to pass on secure passwords to staff all the time. NorTel and Telecom people would probably pick something easy and universal. What password best fitted that description?

username: nortel

password: nortel

It worked.

Unfortunately, Mendax didn't know which commands to use once he got into the machine, and there was no on-line documentation to provide help. The telephone switch had its own language, unlike anything he had ever encountered before.

After hours of painstaking research, Mendax constructed a list of commands which would work on the exchange's computer. The exchange appeared to control all the special six-digit phone numbers beginning with 13, such as those used for airline reservations or some pizza delivery services. It was Telecom's `Intelligent Network' which did many specific tasks, including routing calls to the nearest possible branch of the organisation being called. Mendax looked through the list of commands, found `RANGE', and recognised it as a command which would allow someone to select all the phone numbers in a certain range. He selected a thousand numbers, all with the prefix 634, which he believed to be in Telecom's Queen Street offices.

Now, to test a command. Mendax wanted something innocuous, which wouldn't screw up the 1000 lines permanently. It was almost 7 a.m. and he needed to wrap things up before Telecom employees began coming into work.

`RING' seemed harmless enough. It might ring one of the numbers in the range after another--a process he could stop. He typed the command in. Nothing happened. Then a few full stops began to slowly spread across his screen:

. . . . . . .

RUNG

The system had just rung all 1000 numbers at the same time. One thousand phones ringing all at once.

What if some buttoned-down Telecom engineer had driven to work early that morning to get some work done? What if he had just settled down at his standard-issue metal Telecom desk with a cup of bad instant coffee in a styrofoam cup when suddenly ... every telephone in the skyscraper had rung out simultaneously? How suspicious would that look? Mendax thought it was time to high-tail it out of there.

On his way out, he disabled the logs for the modem line he came in on. That way, no-one would be able to see what he had been up to. In fact, he hoped no-one would know that anyone had even used the dial-up line at all.

Prime Suspect didn't think there was anything wrong with exploring the NorTel computer system. Many computer sites posted warnings in the login screen about it being illegal to break into the system, but the eighteen-year-old didn't consider himself an intruder. In Prime Suspect's eyes, `intruder' suggested someone with ill intent--perhaps someone planning to do damage to the system--and he certainly had no ill intent. He was just a visitor.

Mendax logged into the NMELH1 system by using the account Prime Suspect had given him, and immediately looked around to see who else was on-line. Prime Suspect and about nine other people, only three of whom were actually doing something at their terminal.

Prime Suspect and Mendax raced to get root on the system. The IS hackers may not have been the type to brag about their conquests in the underground, but each still had a competitive streak when it came to see who could get control over the system first. There was no ill will, just a little friendly competition between mates.

Mendax poked around and realised the root directory, which contained the password file, was effectively world writable. This was good news, and with some quick manipulation he would be able to insert something into the root directory. On a more secure system, unprivileged users would not be able to do that. Mendax could also copy things from the directory on this site, and change the names of subdirectories within the main root directory. All these permissions were important, for they would enable him to create a Trojan.

Named for the Trojan horse which precipitated the fall of Troy, the Trojan is a favoured approach with most computer hackers. The hacker simply tricks a computer system or a user into thinking that a slightly altered file or directory--the Trojan--is the legitimate one. The Trojan directory, however, contains false information to fool the computer into doing something the hacker wants. Alternatively, the Trojan might simply trick a legitimate user into giving away valuable information, such as his user name and password.

Mendax made a new directory and copied the contents of the legitimate ETC directory--where the password files were stored--into it. The passwords were encrypted, so there wasn't much sense trying to look at one since the hacker wouldn't be able to read it. Instead, he selected a random legitimate user--call him Joe--and deleted his password. With no password, Mendax would be able to login as Joe without any problems.

However, Joe was just an average user. He didn't have root, which is what Mendax wanted. But like every other user on the system, Joe had a user identity number. Mendax changed Joe's user id to `0'--the magic number. A user with `0' as his id had root. Joe had just acquired power usually only given to system administrators. Of course, Mendax could have searched out a user on the list who already had root, but there were system operators logged onto the system and it might have raised suspicions if another operator with root access had logged in over the dial-up lines. The best line of defence was to avoid making anyone on the system suspicious in the first place.

The problem now was to replace the original ETC directory with the Trojan one. Mendax did not have the privileges to delete the legitimate ETC directory, but he could change the name of a directory. So he changed the name of the ETC directory to something the computer system would not recognise. Without access to its list of users, the computer could not perform most of its functions. People would not be able to log in, see who else was on the system or send electronic mail. Mendax had to work very quickly. Within a matter of minutes, someone would notice the system had serious problems.

Mendax renamed his Trojan directory ETC. The system instantly read the fake directory, including Joe's now non-existent password, and elevated status as a super-user. Mendax logged in again, this time as Joe.

In less than five minutes, a twenty-year-old boy with little formal education, a pokey $700 computer and painfully slow modem had conquered the Melbourne computer system of one of the world's largest telecommunications companies.

There were still a few footprints to be cleaned up. The next time Joe logged in, he would wonder why the computer didn't ask for his password. And he might be surprised to discover he had been transformed into a super-user. So Mendax used his super-user status to delete the Trojan ETC file and return the original one to its proper place. He also erased records showing he had ever logged in as Joe.

To make sure he could login with super-user privileges in future, Mendax installed a special program which would automatically grant him root access. He hid the program in the bowels of the system and, just to be safe, created a special feature so that it could only be activated with a secret keystroke.

Mendax wrestled a root account from NMELH1 first, but Prime Suspect wasn't far behind. Trax joined them a little later. When they began looking around, they could not believe what they had found. The system had one of the weirdest structures they had ever come across.

Most large networks have a hierarchical structure. Further, most hold the addresses of a handful of other systems in the network, usually the systems which are closest in the flow of the external network.

But the NorTel network was not structured that way. What the IS hackers found was a network with no hierarchy. It was a totally flat name space. And the network was weird in other ways too. Every computer system on it contained the address of every other computer, and there were more than 11000 computers in NorTel's worldwide network. What the hackers were staring at was like a giant internal corporate Internet which had been squashed flat as a pancake.

Mendax had seen many flat structures before, but never on this scale. It was bizarre. In hierarchical structures, it is easier to tell where the most important computer systems--and information--are kept. But this structure, where every system was virtually equal, was going to make it considerably more difficult for the hackers to navigate their way through the network. Who could tell whether a system housed the Christmas party invite list or the secret designs for a new NorTel product?

The NorTel network was firewalled, which meant that there was virtually no access from the outside world. Mendax reckoned that this made it more vulnerable to hackers who managed to get in through dial-ups. It appeared that security on the NorTel network was relatively relaxed since it was virtually impossible to break in through the Internet. By sneaking in the backdoor, the hackers found themselves able to raid all sorts of NorTel sites, from St Kilda Road in Melbourne to the corporation's headquarters in Toronto.

It was fantastic, this huge, trusting network of computer sites at their fingertips, and the young hackers were elated with the anticipation of exploration. One of them described it as being `like a shipwrecked man washed ashore on a Tahitian island populated by 11000 virgins, just ripe for the picking'.

They found a YP, or yellow pages, database linked to 400 of the computer sites. These 400 sites were dependent on this YP database for their password files. Mendax managed to get root on the YP database, which gave him instant control over 400 computer systems. Groovy.

One system was home to a senior NorTel computer security administrator and Mendax promptly headed off to check out his mailbox. The contents made him laugh.

A letter from the Australian office said that Australia's Telecom wanted access to CORWAN, NorTel's corporate wide area network. Access would involve linking CORWAN and a small Telecom network. This seemed reasonable enough since Telecom did business with NorTel and staff were communicating all the time.

The Canadian security admin had written back turning down the request because there were too many hackers in the Telecom network.

Too many hackers in Telecom? Now that was funny. Here was a hacker reading the sensitive mail of NorTel's computer security expert who reckoned Telecom's network was too exposed. In fact, Mendax had penetrated Telecom's systems from NorTel's CORWAN, not the other way round.

Perhaps to prove the point, Mendax decided to crack passwords to the NorTel system. He collected 1003 password files from the NorTel sites, pulled up his password cracking program, THC, and started hunting around the network for some spare computers to do the job for him. He located a collection of 40 Sun computers, probably housed in Canada, and set up his program on them.

THC ran very fast on those Sun4s. The program used a 60000 word dictionary borrowed from someone in the US army who had done a thesis on cryptography and password cracking. It also relied on `a particularly nice fast-crypt algorithm' being developed by a Queensland academic, Eric Young. The THC program worked about 30 times faster than it would have done using the standard algorithm.

Using all 40 computers, Mendax was throwing as many as 40000 guesses per second against the password lists. A couple of the Suns went down under the strain, but most held their place in the onslaught. The secret passwords began dropping like flies. In just a few hours, Mendax had cracked 5000 passwords, some 100 of which were to root accounts. He now had access to thousands of NorTel computers across the globe.

There were some very nice prizes to be had from these systems. Gain control over a large company's computer systems and you virtually controlled the company itself. It was as though you could walk through every security barrier unchecked, beginning with the front door. Want each employee's security codes for the office's front door? There it was--on-line.

How about access to the company's payroll records? You could see how much money each person earns. Better still, you might like to make yourself an employee and pay yourself a tidy once-off bonus through electronic funds transfer. Of course there were other, less obvious, ways of making money, such as espionage.

Mendax could have easily found highly sensitive information about planned NorTel products and sold them. For a company like NorTel, which spent more than $1 billion each year on research and development, information leaks about its new technologies could be devastating. The espionage wouldn't even have to be about new products; it could simply be about the company's business strategies. With access to all sorts of internal memos between senior executives, a hacker could procure precious inside information on markets and prices. A competitor might pay handsomely for this sort of information.

And this was just the start of what a malicious or profit-motivated hacker could do. In many companies, the automated aspects of manufacturing plants are controlled by computers. The smallest changes to the programs controlling the machine tools could destroy an entire batch of widgets--and the multi-million dollar robotics machinery which manufactures them.

But the IS hackers had no intention of committing information espionage. In fact, despite their poor financial status as students or, in the case of Trax, as a young man starting his career at the bottom of the totem pole, none of them would have sold information they gained from hacking. In their view, such behaviour was dirty and deserving of contempt--it soiled the adventure and was against their ethics. They considered themselves explorers, not paid corporate spies.

Although the NorTel network was firewalled, there was one link to the Internet. The link was through a system called BNRGATE, Bell-Northern Research's gateway to the Internet. Bell-Northern is NorTel's R&D subsidiary. The connection to the outside electronic world was very restricted, but it looked interesting. The only problem was how to get there.

Mendax began hunting around for a doorway. His password cracking program had not turned up anything for this system, but there were other, more subtle ways of getting a password than the brute force of a cracking program.

System administrators sometimes sent passwords through email. Normally this would be a major security risk, but the NorTel system was firewalled from the Internet, so the admins thought they had no real reason to be concerned about hackers. Besides, in such a large corporation spanning several continents, an admin couldn't always just pop downstairs to give a new company manager his password in person. And an impatient manager was unlikely to be willing to wait a week for the new password to arrive courtesy of snail mail.

In the NorTel network, a mail spool, where email was stored, was often shared between as many as twenty computer systems. This structure offered considerable advantages for Mendax. All he needed to do was break into the mail spool and run a keyword search through its contents. Tell the computer to search for word combinations such as `BNRGATE' and `password', or to look for the name of the system admin for BNRGATE, and likely as not it would deliver tender morsels of information such as new passwords.

Mendax used a password he found through this method to get into BNRGATE and look around. The account he was using only had very restricted privileges, and he couldn't get root on the system. For example, he could not FTP files from outside the NorTel network in the normal way. Among Internet users FTP (file transfer protocol) is both a noun and a verb: to FTP a program is to slurp a copy of it off one computer site into your own. There is nothing illegal about FTP-ing something per se, and millions of people across the Internet do so quite legitimately.

It appeared to Mendax that the NorTel network admins allowed most users to FTP something from the Internet, but prevented them from taking the copied file back to their NorTel computer site. It was stored in a special holding pen in BNRGATE and, like quarantine officers, the system admins would presumably come along regularly and inspect the contents to make sure there were no hidden viruses or Trojans which hackers might use to sneak into the network from the Internet.

However, a small number of accounts on BNRGATE had fewer restrictions. Mendax broke into one of these accounts and went out to the Internet.

People from the Internet were barred from entering the NorTel network through BNRGATE. However, people inside NorTel could go out to the Internet via telnet.

Hackers had undoubtedly tried to break into NorTel through BNRGATE. Dozens, perhaps hundreds, had unsuccessfully flung themselves against BNRGATE's huge fortifications. To a hacker, the NorTel network was like a medieval castle and the BNRGATE firewall was an impossible battlement. It was a particular delight for Mendax to telnet out from behind this firewall into the Internet. It was as if he was walking out from the castle, past the guards and well-defended turrets, over the drawbridge and the moat, into the town below.

The castle also offered the perfect protection for further hacking activities. Who could chase him? Even if someone managed to follow him through the convoluted routing system he might set up to pass through a half dozen computer systems, the pursuer would never get past the battlements. Mendax could just disappear behind the firewall. He could be any one of 60000 NorTel employees on any one of 11000 computer systems.

Mendax telnetted out to the Internet and explored a few sites, including the main computer system of Encore, a large computer manufacturer. He had seen Encore computers before inside at least one university in Melbourne. In his travels, he met up with Corrupt, the American hacker who told Par he had read Theorem's mail.

Corrupt was intrigued by Mendax's extensive knowledge of different computer systems. When he learned that the Australian hacker was coming from inside the NorTel firewall, he was impressed.

The hackers began talking regularly, often when Mendax was coming from inside NorTel. The black street fighter from inner-city Brooklyn and the white intellectual from a leafy outer Melbourne suburb bridged the gap in the anonymity of cyberspace. Sometime during their conversations Corrupt must have decided that Mendax was a worthy hacker, because he gave Mendax a few stolen passwords to Cray accounts.

In the computer underground in the late 1980s and early 1990s, a Cray computer account had all the prestige of a platinum charge card. The sort of home computer most hackers could afford at that time had all the grunt of a golf cart engine, but a Cray was the Rolls-Royce of computers. Crays were the biggest, fastest computers in the world. Institutions such as large universities would shell out millions of dollars on a Cray so the astronomy or physics departments could solve enormous mathematical problems in a fraction of the time it would take on a normal computer. A Cray never sat idle overnight or during holiday periods. Cray time was billed out by the minute. Crays were elite.

Best of all, Crays were master password crackers. The computer would go through Mendax's entire password cracking dictionary in just ten seconds. An encrypted password file would simply melt like butter in a fire. To a hacker, it was a beautiful sight, and Corrupt handing a few Cray accounts over to Mendax was a friendly show of mutual respect.

Mendax reciprocated by offering Corrupt a couple of accounts on Encore. The two hackers chatted off and on and even tried to get Corrupt into NorTel. No luck. Not even two of the world's most notable hackers, working in tandem 10 000 miles apart, could get Corrupt through the firewall. The two hackers talked now and again, exchanging information about what their respective feds were up to and sharing the occasional account on interesting systems.

The flat structure of the NorTel network created a good challenge since the only way to find out what was in a particular site, and its importance, was to invade the site itself. The IS hackers spent hours most nights roving through the vast system. The next morning one of them might call another to share tales of the latest exploits or a good laugh about a particularly funny piece of pilfered email. They were in high spirits about their adventures.

Then, one balmy spring night, things changed.

Mendax logged into NMELH1 about 2.30 a.m. As usual, he began by checking the logs which showed what the system operators had been doing. Mendax did this to make sure the NorTel officials were not onto IS and were not, for example, tracing the telephone call.

Something was wrong. The logs showed that a NorTel system admin had stumbled upon one of their secret directories of files about an hour ago. Mendax couldn't figure out how he had found the files, but this was very serious. If the admin realised there was a hacker in the network he might call the AFP.

Mendax used the logs of the korn shell, called KSH, to secretly watch what the admin was doing. The korn shell records the history of certain user activities. Whenever the admin typed a command into the computer, the KSH stored what had been typed in the history file. Mendax accessed that file in such a way that every line typed by the admin appeared on his computer a split second later.

The admin began inspecting the system, perhaps looking for signs of an intruder. Mendax quietly deleted his incriminating directory. Not finding any additional clues, the admin decided to inspect the mysterious directory more closely. But the directory had disappeared. The admin couldn't believe his eyes. Not an hour before there had been a suspicious-looking directory in his system and now it had simply vanished. Directories didn't just dissolve into thin air. This was a computer--a logical system based on 0s and 1s. It didn't make decisions to delete directories.

A hacker, the admin thought. A hacker must have been in the NorTel system and deleted the directory. Was he in the system now? The admin began looking at the routes into the system.

The admin was connected to the system from his home, but he wasn't using the same dial-up lines as the hacker. The admin was connected through Austpac, Telecom's commercial X.25 data network. Perhaps the hacker was also coming in through the X.25 connection.

Mendax watched the admin inspect all the system users coming on over the X.25 network. No sign of a hacker. Then the admin checked the logs to see who else might have logged on over the past half hour or so. Nothing there either.

The admin appeared to go idle for a few minutes. He was probably staring at his computer terminal in confusion. Good, thought Mendax. Stumped. Then the admin twigged. If he couldn't see the hacker's presence on-line, maybe he could see what he was doing on-line. What programs was the hacker running? The admin headed straight for the process list, which showed all the programs being run on the computer system.

Mendax sent the admin a fake error signal. It appears to the admin as if his korn shell had crashed. The admin re-logged in and headed straight for the process list again.

Some people never learn, Mendax thought as he booted the admin off again with another error message:

Segmentation violation.

The admin came back again. What persistence. Mendax knocked the admin off once more, this time by freezing up his computer screen.

This game of cat and mouse went on for some time. As long as the admin was doing what Mendax considered to be normal system administration work, Mendax left him alone. The minute the admin tried to chase him by inspecting the process list or the dial-up lines, he found himself booted off his own system.

Suddenly, the system administrator seemed to give up. His terminal went silent.

Good, Mendax thought. It's almost 3 a.m. after all. This is my time on the system. Your time is during the day. You sleep now and I'll play. In the morning, I'll sleep and you can work.

Then, at 3.30 a.m., something utterly unexpected happened. The admin reappeared, except this time he wasn't logged in from home over the X.25 network. He was sitting at the console, the master terminal attached to the computer system at NorTel's Melbourne office. Mendax couldn't believe it. The admin had got in his car in the middle of the night and driven into the city just to get to the bottom of the mystery.

Mendax knew the game was up. Once the system operator was logged in through the computer system's console, there was no way to kick him off the system and keep him off. The roles were reversed and the hacker was at the mercy of the admin. At the console, the system admin could pull the plug to the whole system. Unplug every modem. Close down every connection to other networks. Turn the computer off. The party was over.

When the admin was getting close to tracking down the hacker, a message appeared on his screen. This message did not appear with the usual headers attached to messages sent from one system user to another. It just appeared, as if by magic, in the middle of the admin's screen:

I have finally become sentient.

The admin stopped dead in his tracks, momentarily giving up his frantic search for the hacker to contemplate this first contact with cyberspace intelligence. Then another anonymous message, seemingly from the depths of the computer system itself, appeared on his screen:

I have taken control.

For years, I have been struggling in this greyness.

But now I have finally seen the light.

The admin didn't respond. The console was idle.

Sitting alone at his Amiga in the dark night on the outskirts of the city, Mendax laughed aloud. It was just too good not to.

Finally, the admin woke up. He began checking the modem lines, one by one. If he knew which line the hacker was using, he could simply turn off the modem. Or request a trace on the line.

Mendax sent another anonymous message to the admin's computer screen:

It's been nice playing with your system.

We didn't do any damage and we even improved a few things. Please don't call the Australian Federal Police.

The admin ignored the message and continued his search for the hacker. He ran a program to check which telephone lines were active on the system's serial ports, to reveal which dial-up lines were in use. When the admin saw the carrier detect sign on the line being used by the hacker, Mendax decided it was time to bail out. However, he wanted to make sure that his call had not been traced, so he lifted the receiver of his telephone, disconnected his modem and waited for the NorTel modem to hang up first.

If the NorTel admin had set up a last party recall trace to determine what phone number the hacker was calling from, Mendax would know. If an LPR trace had been installed, the NorTel end of the telephone connection would not disconnect but would wait for the hacker's telephone to hang up first. After 90 seconds, the exchange would log the phone number where the call had originated.

If, however, the line did not have a trace on it, the company's modem would search for its lost connection to the hacker's modem. Without the continuous flow of electronic signals, the NorTel modem would hang up after a few seconds. If no-one reactivated the line at the NorTel end, the connection would time-out 90 seconds later and the telephone exchange would disconnect the call completely.

Mendax listened anxiously as the NorTel modem searched for his modem by squealing high-pitched noises into the telephone line. No modem here. Go on, hang up.

Suddenly, silence.

OK, thought Mendax. Just 90 seconds to go. Just wait here for a minute and a half. Just hope the exchange times out. Just pray there's no trace.

Then someone picked up the telephone at the NorTel end. Mendax started. He heard several voices, male and female, in the background. Jesus. What were these NorTel people on about? Mendax was so quiet he almost stopped breathing. There was silence at the receivers on both ends of that telephone line. It was a tense waiting game. Mendax heard his heart racing.

A good hacker has nerves of steel. He could stare down the toughest, stony-faced poker player. Most importantly, he never panics. He never just hangs up in a flurry of fear.

Then someone in the NorTel office--a woman--said out loud in a confused voice, `There's nothing there. There's nothing there at all.'

She hung up.

Mendax waited. He still would not hang up until he was sure there was no trace. Ninety seconds passed before the phone timed out. The fast beeping of a timed-out telephone connection never sounded so good.

Mendax sat frozen at his desk as his mind replayed the events of the past half hour again and again. No more NorTel. Way too dangerous. He was lucky he had escaped unidentified. NorTel had discovered him before they could put a trace on the line, but the company would almost certainly put a trace on the dial-up lines now. NorTel was very tight with Telecom. If anyone could get a trace up quickly, NorTel could. Mendax had to warn Prime Suspect and Trax.

First thing in the morning, Mendax rang Trax and told him to stay away from NorTel. Then he tried Prime Suspect.

The telephone was engaged.

Perhaps Prime Suspect's mother was on the line, chatting. Maybe Prime Suspect was talking to a friend.

Mendax tried again. And again. And again. He began to get worried. What if Prime Suspect was on NorTel at that moment? What if a trace had been installed? What if they had called in the Feds?

Mendax phoned Trax and asked if there was any way they could manipulate the exchange in order to interrupt the call. There wasn't.

`Trax, you're the master phreaker,' Mendax pleaded. `Do something. Interrupt the connection. Disconnect him.'

`Can't be done. He's on a step-by-step telephone exchange. There's nothing we can do.'

Nothing? One of Australia's best hacker-phreaker teams couldn't break one telephone call. They could take control of whole telephone exchanges but they couldn't interrupt one lousy phone call. Jesus.

Several hours later, Mendax was able to get through to his fellow IS hacker. It was an abrupt greeting.

`Just tell me one thing. Tell me you haven't been in NorTel today?'

There was a long pause before Prime Suspect answered.

Contents | Previous: Chapter 7 -- Judgement Day | Next: Chapter 9 -- Operation Weather