

                        The Cuckoo's Egg
              ------------------------------------
                       by Clifford Stoll


      Until  a  week  before,  I  had  been  an  astronomer, contentedly
   designing  telescope optics. But then I found myself transferred from
   the  Keck  Observatory at the Lawrence Berkeley Lab (LBL) down to the
   computer center in the basement of the same building.
      On  either  side of my new cubicle were the offices of two systems
   people, Wayne Graves and Dave Cleveland, the old hands of the system.
   Together,  Wayne,  Dave, and I were to run the computers as a labwide
   utility.  We managed a dozen mainframe computers-giant workhorses for
   solving  physics  problems,  together  worth  around  $6 million. The
   scientists  using  the  computers  were  supposed  to  see  a simple,
   powerful  computing system, as reliable as the electric company. This
   meant  keeping  the machines running full-time, around the clock. And
   just  like a utility company, we charged for every cycle of computing
   that was used.
      On  my  second  day,  Dave was mumbling about a hiccup in the Unix
   accounting  system. Someone must have used a few seconds of computing
   time  without  paying  for  it.  The  computer's  books  didn't quite
   balance; last month's bills of $2,387 showed a 75-cent shortfall.
      Now, an error of a few thousand dollars is obvious, and isn't hard
   to  find.  But  errors in the pennies column arise from deeply buried
   problems,  so  finding  these  bugs  is  a natural test for a budding
   software wizard.
      Around  about  7 p.m., my eye caught the name of one user, Hunter.
   This guy didn't have a valid billing address. Ha! Hunter had used 75
   cents  of  time  in the past month, but nobody had paid for him. Here
   was  the source of our imbalance. Someone had screwed up while adding
   a user to our system. A trivial problem caused by a trivial error.
      A  day  later,  an  obscure  computer  named Dockmaster sent us an
   electronic-mail message. Its system manager claimed that someone from
   our laboratory had tried to break into his computer over the weekend.
   I guessed Dockmaster was some navy shipyard. It wasn't important, but
   it seemed worth spending a few minutes looking into.
      The  message  gave  the  date  and  time  when someone on our Unix
   computer  tried  to  log  in to Dockmaster's computer. Our stock Unix
   accounting  file  showed a user, Sventek, logging in to our system at
   8:25,  doing  nothing  for  half  an hour, and then disconnecting. No
   time-stamped activity in between. Our homebrew software also recorded
   Sventek's  activity,  but  it showed him using the networks from 8:31
   until 9:01 a.m.
      Jeez. Another accounting problem. The timestamps didn't agree. One
   recorded activity when the other account said everything was dormant.
      Why  were  the two accounting systems keeping different times? And
   why  was  some  activity logged in one file without showing up in the
   other?  Was  this  related  to  the earlier accounting problem? Had I
   screwed things up when I poked around before? Or was there some other
   explanation-was there a hacker on the loose?
      So  how  do you find a hacker? I figured it was simple: just watch
   for anyone using Sventek's accounts, and try to trace the connection.
   I  spent  Thursday  watching people log in to the computer. I wrote a
   program  to  beep my terminal whenever someone connected. At 12:33 on
   Thursday  afternoon,  Sventek logged in. I felt a rush of adrenaline,
   then  a  complete  letdown when he disappeared within a minute. Where
   was  he?  The  only  pointer  left  for  me was the identifier of his
   terminal:  he  had  used  terminal  port  tt23. I suspected a dial-in
   modem, connected from some telephone line, but it might conceivably
   be someone at the laboratory.
      By lucky accident, the connection had left some footprints behind.
   Paul Murray, a reclusive hardware technician who hides in thickets of
   telephone  wire,  had  been  collecting statistics on how many people
   used  our  communications  switchyard.  By chance he had recorded the
   port numbers of each connection for the past month. Since I knew when
   Sventek  was  active  on port tt23, we could figure out where he came
   from.  The printout of the statistics showed a one-minute, 1,200-bit-
   per-second connection had taken place at 12:33.
      Any lab employee here on the hill would run at high speed-9,600 or
   19,200  bps.  Only someone calling through a modem would let his data
   dribble  out  a 1,200-bps soda straw. But how to catch him? About the
   only  place  to  watch our incoming traffic was in between the modems
   and  the  computers.  Our  modem lines were flat, 25-conductor wires,
   snaking  underneath  the  switchyard's  false  floor.  A  printer  or
   personal  computer  could  be  wired  in  parallel with each of these
   lines, recording every keystroke that came through.
      A kludge? Yes. Workable? Maybe.
      All we'd need were 50 teletypes, printers, and portable computers.
   I  rounded  them  up;  strewn  with four dozen obsolete teletypes and
   portable  terminals,  the  floor  looked  like  a computer engineer's
   nightmare. I slept in the middle, nursing the printers and computers.
   Each  was  grabbing  data from a different line, and whenever someone
   dialed  our system, I'd wake up to the chatter of their typing. Every
   half-hour, a printer would run out of paper or a computer out of disk
   space,  so  I'd  have  to  roll  over and reload. Saturday morning, a
   coworker shook me awake. "Well, where's your hacker?"
      The first 49 printers and monitors showed nothing interesting. But
   from  the 50th trailed 80 feet of printout. During the night, someone
   had sneaked in through a hole in the operating system.
      For  three  hours a hacker had strolled through my system, reading
   whatever  he  wished.  Unknown  to  him,  my  DECwriter had saved his
   session  on  singlespaced  computer  paper. Here was every command he
   issued, every typing mistake, and every response from the computer.
      This  printer  monitored  the  line  from Tymnet, a communications
   company  that  interconnected  computers around the world. Our hacker
   might be anywhere.
      How the Cuckoo Laid Its Egg.
      The hacker had become a super-user. He was like a cuckoo bird. The
   cuckoo is a nesting parasite that lays her eggs in other birds' nests:
   some other bird will raise her young. The survival of cuckoo chicks
   depends on the ignorance of other species. Our mysterious visitor had
   laid an egg-program into our computer, letting the system hatch it and
   feed it privileges.
      That morning, the hacker wrote a short program to grab privileges.
   Normally,  Unix  won't  allow  such  a program to run, since it never
   gives  privileges  beyond  what a user is assigned. But if our hacker
   ran  this  program from a privileged account, he'd become privileged.
   His  problem was to masquerade this special program-the cuckoo's egg-
   so that it would be hatched by the system.
      Every  five  minutes,  the  Unix  system  executes its own program
   called atrun. In turn, atrun schedules other jobs and does routine
   housecleaning  tasks.  It  runs  in  a privileged mode, with the full
   power  and  trust of the operating system behind it. If a bogus atrun
   program  were  substituted, it would be executed within five minutes,
   with  full  system  privileges.  For  this  reason,  atrun  sits in a
   protected  area  of the system, available only to the system manager.
   Nobody else has license to tamper with atrun.
      Here was the cuckoo's nest: for five minutes he would swap his egg
   for  the system's atrun program. For this attack, he needed to find a
   way  to  move  his  egg-program  into the protected systems nest. The
   operating  system's  barriers are built specifically to prevent this.
   But there was a wildcard that we'd never noticed.
      We used a powerful editing program called GnuEmacs. But Gnu's much
   more  than  just  a  text  editor-it's  a foundation upon which other
   programs  can  be  built. It even has its own mail facility built in.
   Just one problem: there's a bug in that software.
      Because of the way it was installed on our Unix computer, the Gnu-
   Emacs  editor lets you forward a mail file from your own directory to
   anyone  else's.  It  doesn't check to see who's receiving it, or even
   whether  they want the file. No problem to send a file from your area
   to  mine.  But  you'd  better  not  be  able  to move a file into the
   protected systems area: only the systems manager is allowed there.
      Gnu didn't check. It let anyone move a file into protected systems
   space.  The  hacker  knew  this;  we  didn't. He used Gnu to swap his
   special  atrun file for the system's legitimate version. Five minutes
   later,  the  system  hatched  his  egg,  and  he  held the keys to my
   computer.
      In  front  of  me,  the  first few feet of the printout showed the
   cuckoo  preparing  the  nest,  laying  the egg, and waiting for it to
   hatch.  The  next  70  feet  showed  the fledgling cuckoo testing its
   wings.
      As  a  super-user,  he  had  the  run of our system and could read
   anybody's  work.  By  studying  several scientists' command files and
   scripts,  he  discovered  pathways  into  other  lab computers. Every
   night,  our  computer automatically calls 20 others, to exchange mail
   and  network  news.  When  the  hacker  read  these phone numbers, he
   learned 20 new targets.
      I  had  to  weave a net fine enough to catch the hacker but coarse
   enough  to  let our scientists through. I'd have to detect the hacker
   as  soon as he came online and call Tymnet's technicians to trace the
   call.
      If  I  knew  the stolen account names, it would be easy to write a
   program that watched for the bad guy to show up. No need to check out
   every  person  using  the  computer;  just  ring a bell when a stolen
   account  was  in use. But I also had to stay invisible to the hacker,
   so I wrote the program for a new Unix-8 system we had just installed.
   I  could  connect it to our local area network, secure it against all
   possible attacks, and let it watch the other computers, all the while
   recording the traffic on printers.
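The two checks the story describes, the cross-check between the stock accounting file and the homebrew network log, and the bell that rings when a stolen account logs in, can be written as a small monitor. The block below is an added example, not code from Stoll's book or the lab; every log line in it is constructed sample data in an invented format, and the watch-listed names are the ones the narrative mentions.

```python
"""Cross-check two login records and ring a bell on watch-listed accounts.

Added example, not code from the book. It models two checks the story
describes: (1) comparing the stock Unix accounting file against the homebrew
network log for activity that one record shows while the other says the
account was dormant, and (2) alerting whenever a stolen account logs in.
Every log line below is constructed sample data in an invented format.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: stock accounting records one line per session
# (user, terminal port, login time, logout time).
ACCOUNTING_LOG = """\
sventek tt23 08:25 08:55
dave    tt05 08:00 12:00
wayne   tt06 09:10 11:30
"""

# Constructed sample: the homebrew network monitor records each use of an
# outbound network (time, user, network).
NETWORK_LOG = """\
08:31 sventek milnet
08:45 sventek milnet
09:01 sventek milnet
09:30 wayne   tymnet
"""

# Accounts known to be stolen; the names are taken from the narrative.
WATCHLIST = {"sventek", "hunter", "goran"}


@dataclass
class Session:
    user: str
    port: str
    start: datetime
    end: datetime

    def covers(self, when: datetime) -> bool:
        return self.start <= when <= self.end


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, "%H:%M")


def parse_accounting(text: str) -> list:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, port, start, end = line.split()
        sessions.append(Session(user, port, parse_time(start), parse_time(end)))
    return sessions


def parse_network(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, net = line.split()
        events.append((parse_time(when), user, net))
    return events


def unaccounted_activity(sessions, events):
    """Network events that fall outside every accounting session of that user.

    This is the discrepancy in the story: one record shows activity while
    the other says the account was not logged in at that moment.
    """
    flagged = []
    for when, user, net in events:
        if not any(s.user == user and s.covers(when) for s in sessions):
            flagged.append((when.strftime("%H:%M"), user, net))
    return flagged


def watchlist_hits(sessions, watchlist=WATCHLIST):
    """Sessions by accounts on the watch list: the 'ring a bell' condition."""
    return [(s.user, s.port, s.start.strftime("%H:%M"))
            for s in sessions if s.user in watchlist]


def run_checks(accounting=ACCOUNTING_LOG, network=NETWORK_LOG):
    sessions = parse_accounting(accounting)
    events = parse_network(network)
    return {
        "watchlist": watchlist_hits(sessions),
        "unaccounted": unaccounted_activity(sessions, events),
    }


if __name__ == "__main__":
    for kind, items in run_checks().items():
        for item in items:
            print(f"ALERT {kind}: {item}")
```

Run stand-alone it prints one alert for the Sventek login and one for the 09:01 network event that no accounting session covers. Keeping the monitor on a separate machine that only reads the records, as the narrative does with the Unix-8 system, is what keeps the check invisible to the account being watched.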
      Wednesday  afternoon,  September 3, 1986, marked a week since we'd
   first  detected  the  hacker.  Suddenly,  the  terminal beeped twice:
   Sventek's account was active. I ran to the switchyard; the top of the
   ream  of  paper  showed that the hacker had logged in at 2:26 and was
   still active.
      Logged  in  as  Sventek,  he  first  listed  the names of everyone
   connected.  Lucky-there  was  nobody but the usual gang of physicists
   and  astronomers;  my  watchdog program was well concealed within the
   Unix-8 computer.
      He  didn't  become  a super-user; rather, he checked that the Gnu-
   Emacs  file  hadn't  been modified. At 2:37, 11 minutes after logging
   in, he abruptly logged off. But not before we'd started the trace.
      Ron Vivier traces Tymnet's network within North America. In a
   couple of minutes he had traced the connection from LBL's Tymnet port
   into an Oakland Tymnet office, where someone had dialed in.
      It's  easier  to  call  straight  into our Berkeley lab than to go
   through  Oakland's  Tymnet  office.  Calling  the local Tymnet access
   number  instead  of  our  lab was like taking the interstate to drive
   three blocks. But calling via Tymnet added one more layer to trace.
   Whoever was at the other end of the line knew how to hide.
      The  morning  after  we  had  watched  the  hacker break in to our
   system, my boss met with Aletha Owens, the lab's attorney. She wasted
   no time in calling the FBI.
      Our  local  FBI  office  didn't  raise  an  eyebrow. Fred Wyniken,
   special  agent  with the Oakland resident agency, asked incredulously
   "You're calling us because you've lost 75 cents in computer time?"
   Owens  tried  explaining  information  security  and the value of our
   data.  Wyniken  interrupted,  "Look, if you can demonstrate a loss of
   more  than  a  million  dollars,  or  that  someone's  prying through
   classified  data, then we'll open an investigation. Until then, leave
   us alone."
      Wednesday,  September 10, at 7:51 a.m., the hacker appeared in our
   system for six minutes. I wasn't at the lab to watch, but the printer
   saved  three  pages  of  his trail. He logged in to our computer from
   Tymnet  as Sventek, then jumped into another network. Using Milnet, a
   network  that  links  military  computers,  he  connected  to address
   26.0.0.113.  He  logged  in  there as Hunter, checked that they had a
   copy of Gnu-Emacs, and disappeared.
      The hacker left an indelible trail downstream to the Redstone Army
   Depot  in  Anniston, Alabama, the home of the army's Redstone missile
   complex, 2,000 miles from Berkeley. He listed files at the Anniston
   system. Judging from the dates of these files, he'd been in
   Anniston's   computers   since   early  June.  For  four  months,  an
   illegitimate system manager had been using an army computer. Yet he'd
   been  discovered  by  accident,  not  through some logic bomb or lost
   information.
      Looking  closely  at  the  morning's  printout, I saw that, on the
   Anniston  computer,  the  hacker  had  changed  Hunter's  password to
   Hedges.  A  clue  at  last:  of  zillions of possible passwords, he'd
   chosen Hedges. Hedges Hunter? Hunter Hedges? A hedge hunter?
      Time  was  running out; if I didn't catch the hacker soon, the lab
   would  shut  down  my tracking operation and put me on other work. At
   2:30  in  the  afternoon,  the printer advanced a page and the hacker
   logged in with a new stolen account, Goran. A minute after the hacker
   connected,  I  called  the  phone company and Ron Vivier at Tymnet. I
   took  notes  as  Ron  mumbled.  "He's  coming  into  your port 14 and
   entering Tymnet from Oakland. It's our port 322, which is, uh, let me
   see  here."  I could hear him tapping his keyboard. "Yeah, it's 2902.
   430-2902. That's the number to trace."
      The  phone  company, by law, couldn't reveal information about the
   trace to me, but my printers showed his every move. While I talked to
   Tymnet  and  the  telephone  techs, the hacker had prowled through my
   computer.  He  wasn't satisfied reading the system manager's mail; he
   also snooped through mail for several nuclear physicists.
      After  15 minutes of reading our mail, he jumped back into Goran's
   stolen  account,  using  a new password, Benson. He started a program
   that searched our users' files for passwords; while that executed, he
   called  up  the  Milnet  Network  Information  Center and asked for a
   pathway into the CIA.
      Instead of their computer, though, he found four people who worked
   at the CIA. Later, I phoned one of them.
      I  didn't  know where to begin. How do you introduce yourself to a
   spy?
      "Uh, you don't know me, but I'm a computer manager, and we've been
   following a computer hacker."
      "Uh-huh."
      "Well, he searched for a pathway to try to get into the CIA's
   computers. He found your name and phone number."
      "Who are you?" Nervously, I told him, expecting him to send over
   a gang of hit men in trench coats. I described our laboratory, making
   sure he understood that the People's Republic of Berkeley didn't have
   official  diplomatic  relations with his organization. He sent over a
   delegation  several days later. OK, so they didn't wear trench coats.
   Not even sunglasses. Just boring suits and ties. Wayne saw the four
   of  them walk up the drive and flashed a message to my terminal: "All
   hands on deck. Sales reps approach through starboard portal. Charcoal
   gray  suits.  Set  warp  speed  to avoid IBM sales pitch." If only he
   knew.
      The four spooks introduced themselves. One guy in his fifties said
   he  was  there  as a "navigator" and didn't give his name-he just sat
   there  quietly the whole time. The second spy, Greg Fennel, I guessed
   to  be  a computer jockey, because he seemed uncomfortable in a suit.
   The  third  agent,  Teejay, was built like a halfback. The fourth guy
   must have been the bigwig: everyone shut up when he talked. Together,
   they looked more like bureaucrats than spies.
      The  four  of  them  sat quietly while we gave them an overview of
   what  we'd  seen.  Mr.  Big  nodded  and asked, "What keywords has he
   scanned for?"
      "He looks for words like password, nuclear, SDI, and Norad. He's
   picked some curious passwords: lblhack, hedges, jaeger, hunter, and
   benson.  The  accounts  he  stole, Goran, Sventek, Whitberg, and Mark
   don't  say  much  about him, because the names are people here at the
   laboratory."
      Mr. Big nodded and asked, "Tell me, what did he do at Anniston?"
      "I don't have much of a printout there," I said. "He was into
   their  system  for  several  months,  perhaps as long as a year. Now,
   since he knows they've detected him, he logs in only for a moment."
      Mr.  Big  fidgeted  a  bit,  meaning that the meeting was about to
   break  up.  Greg  asked  one  more  question.  "What  machines has he
   attacked?"
      "Ours, of course, and the army base in Anniston. He's tried to get
   into White Sands Missile Range, and some navy shipyard in Maryland. I
   think it's called Dockmaster."
      "Shit!" Greg and Teejay simultaneously exclaimed. Greg said, "How
   do you know he hit Dockmaster?"
      "About the same time he screwed up our accounting, this Dockmaster
   place  sent  us  a  message saying that someone had tried to break in
   there."
      "Did he succeed?"
      "I don't think so. What is this Dockmaster place, anyway? Aren't
   they some navy shipyard?"
      They   whispered  among  themselves,  and  Mr.  Big  nodded.  Greg
   explained:  "Dockmaster  isn't  a  navy  shipyard.  It's  run  by the
   National Security Agency."
      A hacker breaking into the NSA? Bizarre. This guy wanted to get
   into the CIA, the NSA, army missile bases, and the North American Air
   Defense headquarters.
      "Dockmaster is NSA's only unclassified computer," Greg said. "It
   belongs to its computer security group, which is actually public."
      Mr. Big started talking slowly. "There's not much we can do about
   this affair. I think there's no evidence of foreign espionage."
      "Well, who should be working on this case?" I asked.
      "The  FBI.  I'm  sorry,  but  this isn't our bailiwick. Our entire
   involvement  has  been  the  exposure  of  four  names-names that are
   already in the public domain, I might add."
      Then they were gone.
      The  spooks were no help, so I was on my own again. I searched the
   Berkeley phone book for Jaegers and Bensons; I figured I ought to try
   Stanford as well. So I stopped by the library. Maggie Morley, our 45-
   year-old  documentmeister, plays rough-and-tumble Scrabble: posted on
   her door is a list of all legal three-letter Scrabble words.
      "I need a Stanford telephone book," I said. "I'm looking for
   everyone in Silicon Valley named Jaeger or Benson."
      "Jaeger. A word that's been kind to me," Maggie smiled. "Worth 16
   points, but I once won a game with it, when the J landed on a
   triple-letter score. Turned into 75 points."
      "Yeah,  but  I  need it because it's the hacker's password. Hey, I
   didn't know names were legal in Scrabble."
      "Jaeger's not a name. Well, maybe it's a name-Ellsworth Jaeger, the
   famous ornithologist, for instance-but it's a type of bird. Gets its
   name from the German word meaning hunter."
      "Huh? Did you say hunter?"
      "Yes.  Jaegers are hunting birds that badger other birds with full
   beaks. They harass weaker birds until they drop their prey."
      "Hot ziggity! You answered my question. I don't need the phone
   book."
      "Well, what else can I do for you?"
      "How  about  explaining the relationship between the words hedges,
   jaeger, hunter, and benson?"
      "Well,  jaeger  and  hunter is obvious to anyone who knows German.
   And smokers know Benson & Hedges."
      Omigod-my  hacker  smokes  Benson  &  Hedges.  Maggie had won on a
   triple-word score.
      During  one of the phone traces, I had copied down all the numbers
   and  digits I heard from the technician. I called all combinations of
   them  and ended up at a computer modem at Mitre, a defense contractor
   just  down  the  road  from CIA headquarters in McLean, Virginia. How
   deeply  was  Mitre's system infested? By listing its directory, I saw
   that  the hacker had created a Trojan horse there on June 17. For six
   months, someone had silently booby-trapped Mitre's computers.
      In all likelihood, Mitre served as a way station, a stepping-stone
   on  the  way  to  breaking  into other computers. Someone dialed into
   Mitre,  turned  around,  and dialed out from it. This way, Mitre paid
   the  bills both ways: the incoming Tymnet connection and the outgoing
   long-distance phone call. Even nicer, Mitre served as a hiding place,
   a hole in the wall that couldn't be traced.
      Monday  morning,  I  called a man named Bill Chandler at Mitre and
   told  him  the  news. Bill wanted me to be quiet about the problems I
   had found. Well, yes, but I had a price.
      "Say, Bill, could you send me copies of your computer's phone
   bills?"
      "What for?"
      "It might be fun to see where else this hacker got into."
      Two weeks later, a thick envelope arrived, stuffed with
   long-distance  bills from Chesapeake and Potomac. Six months of phone
   bills.  Dates,  times,  phone  numbers, and cities. Probably 5,000 in
   all.  So  many  that  I  couldn't  analyze  them by hand. Perfect for
   analyzing on a computer-there's plenty of software designed to search
   out  correlations.  All  I had to do was enter them into my Macintosh
   computer and run a few programs.
      Ever  type 5,000 phone numbers? It's as boring as it sounds. And I
   had  to do it twice, to make sure I didn't make any mistakes. Took me
   two days.
      After  running  an  analysis, I found that this hacker hadn't just
   broken  into  my  computer. He was into more than six, and possibly a
   dozen.
      From  Mitre,  the hacker had made long connections to Norfolk, Oak
   Ridge, Omaha, San Diego, Pasadena, Livermore, and Atlanta.
      At least as interesting: he had made hundreds of one-minute phone
   calls, all across the country. To air force bases, navy shipyards,
   aircraft builders, and defense contractors. What can you learn from a
   one-minute phone call to an army proving ground?
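The analysis Stoll ran on the Macintosh, separating the handful of long connections from the hundreds of one-minute calls, is the kind of thing a short script does today. The block below is an added example, not code from the book or from Mitre; the billing records are constructed (invented dates, 555 exchange numbers, city names from the narrative), and the record format is an assumption.

```python
"""Sort long-distance billing records into long sessions and scan-like calls.

Added example, not from the book. It takes records of the kind Stoll typed
in (date, time, number called, city, minutes) and separates destinations
the caller spent real time on from destinations that only ever received
one-minute calls to several different numbers, the footprint of trying
one login per number and moving on. Records are constructed sample data.
"""
from collections import defaultdict

PHONE_BILL = """\
1986-06-17 21:04 804-555-0101 Norfolk   43
1986-06-18 20:11 615-555-0142 OakRidge  37
1986-06-18 22:30 402-555-0110 Omaha      1
1986-06-18 22:32 402-555-0111 Omaha      1
1986-06-18 22:34 402-555-0112 Omaha      1
1986-06-19 21:50 619-555-0120 SanDiego  58
1986-06-20 23:01 205-555-0150 Anniston   1
1986-06-20 23:03 205-555-0151 Anniston   1
1986-06-21 20:15 804-555-0101 Norfolk   12
"""


def parse_bill(text):
    """One dict per billing line; minutes become integers."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, number, city, minutes = line.split()
        records.append({"date": date, "time": time, "number": number,
                        "city": city, "minutes": int(minutes)})
    return records


def long_sessions(records, min_minutes=10):
    """Cities with at least one call long enough to be an interactive session."""
    return sorted({r["city"] for r in records if r["minutes"] >= min_minutes})


def scan_candidates(records, max_minutes=1, min_numbers=2):
    """Cities that received short calls to several distinct numbers.

    Returns {city: count of distinct numbers}; one short call to one number
    is noise, many short calls to many numbers in one place is a sweep.
    """
    numbers = defaultdict(set)
    for r in records:
        if r["minutes"] <= max_minutes:
            numbers[r["city"]].add(r["number"])
    return {city: len(nums) for city, nums in numbers.items()
            if len(nums) >= min_numbers}


def repeat_destinations(records):
    """Numbers called more than once: targets the caller went back to."""
    counts = defaultdict(int)
    for r in records:
        counts[r["number"]] += 1
    return sorted(n for n, c in counts.items() if c > 1)


def summarize(text=PHONE_BILL):
    records = parse_bill(text)
    return {
        "sessions": long_sessions(records),
        "scans": scan_candidates(records),
        "repeats": repeat_destinations(records),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The thresholds (ten minutes for a session, one minute for a probe) are assumptions chosen for the sample; on a real bill they would be set from the distribution of call lengths rather than by hand.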
      For  six  months,  this  hacker  had  been breaking into bases and
   computers  all  across the country. Nobody knew it. He was out there,
   alone,  silent,  anonymous, persistent, and apparently successful-but
   why?  What was he after? What had he already learned? And what was he
   doing with this information?
      Friday, December 5, the hacker showed up again at 1:21 in the
   afternoon. Nine minutes later, he disappeared.
      Enough time for me to trace the connection to Tymnet. But the
   network's sorcerer, Ron Vivier, was taking a long lunch that day, so
   Tymnet couldn't make the trace. Another chance lost.
      Ron returned my call an hour later.
      "Hey, Cliff, how come you never call me at night?"
      "Guess  the  hacker  doesn't  show  up at night. I wonder why." He
   started  me  thinking.  My logbook recorded every time the hacker had
   shown up. On the average, when was he active?
      I remembered him on at 6 a.m. and at 7 p.m. But never at
   midnight. Isn't midnight operation the very image of a hacker?
      On  the  average,  the  hacker showed up at noon, Pacific time. So
   what did this mean? Suppose he lives in California. Then he's hacking
   during  the day. If he's on the East Coast, he's three hours ahead of
   us, so he works around 3 or 4 in the afternoon.
      This  didn't  make  sense.  He'd  work  at  night to save on long-
   distance  telephone  fees.  To avoid network congestion. And to avoid
   detection. Yet he brazenly breaks in during the day. Why?
      When  it's  noon  in  California, I wondered, where is it evening?
   Lunchtime  in  Berkeley  is  bedtime in Europe. Was the hacker coming
   from Europe?
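The reasoning from "on the average, the hacker showed up at noon, Pacific time" to "bedtime in Europe" can be carried out on a logbook directly. The block below is an added example, not from the book: the logbook entries are constructed, and the offsets assume Pacific Standard Time against Eastern Standard Time and Central European Time. It goes slightly beyond the text by using a circular mean, so a logbook with entries at 23:00 and 01:00 averages to midnight rather than to noon.

```python
"""Estimate where an intruder's working day is from when they show up.

Added example, not from the book. Given logbook times (Pacific) at which
the hacker appeared, it computes the circular mean hour of day and shows
what local hour that corresponds to in candidate regions. The logbook
entries are constructed sample data; the offsets assume PST against EST
and Central European Time.
"""
import math
from datetime import datetime

# Constructed logbook of appearance times, Pacific time.
LOGBOOK = ["09:15", "12:33", "14:26", "07:51", "14:30",
           "13:21", "11:05", "06:10", "19:00"]

# Hours to add to Pacific time to get local time in each candidate region.
CANDIDATE_OFFSETS = {"California": 0, "US East Coast": 3, "Central Europe": 9}


def hour_of(text):
    """'HH:MM' to a fractional hour of day."""
    t = datetime.strptime(text, "%H:%M")
    return t.hour + t.minute / 60


def mean_hour(hours):
    """Circular mean of hours of day, so 23:00 and 01:00 average to 00:00."""
    angles = [h / 24 * 2 * math.pi for h in hours]
    x = sum(math.cos(a) for a in angles) / len(angles)
    y = sum(math.sin(a) for a in angles) / len(angles)
    return (math.atan2(y, x) / (2 * math.pi) * 24) % 24


def local_hours(mean_pacific, offsets=CANDIDATE_OFFSETS):
    """Mean appearance time expressed as local time in each region."""
    return {region: (mean_pacific + off) % 24 for region, off in offsets.items()}


def night_fraction(hours, start=0, end=5):
    """Share of appearances in the small hours (the 'midnight hacker' image)."""
    return sum(1 for h in hours if start <= h < end) / len(hours)


def analyze(logbook=LOGBOOK):
    hours = [hour_of(s) for s in logbook]
    m = mean_hour(hours)
    return {"mean_pacific": m,
            "local": local_hours(m),
            "night_fraction": night_fraction(hours)}


if __name__ == "__main__":
    result = analyze()
    print(f"mean appearance: {result['mean_pacific']:.1f}h Pacific")
    for region, h in result["local"].items():
        print(f"  {region}: {h:.1f}h local")
    print(f"fraction between midnight and 5 a.m.: {result['night_fraction']:.2f}")
```

On the sample the mean lands near noon Pacific, which is about 21:00 in Central Europe and 15:00 on the East Coast; the night fraction of zero is what made the midnight-hacker picture untenable.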
      On  a  Saturday afternoon, the hacker hit again. I called Tymnet's
   Ron Vivier at home.
      "I've got a live one for you," I gasped. "Just trace my port 14."
      "Right. It'll take a minute." A couple of eons passed, and Ron came
   back on the line. "Hey, Cliff, are you certain that it's the same
   guy?"
      I watched the hacker searching for the word SDI on our computer.
   "Yes, it's him."
      "He's  coming  in  from  a  gateway  that I've never heard of. I'm
   locked onto his network address, so it doesn't matter if he hangs up.
   But the guy's coming from somewhere strange."
      "Where's that?"
      "I don't know. It's Tymnet node 3513, which is a strange one. I'll
   have  to  look  it  up  in  our  directory." In the background, Ron's
   keyboard clicked. "Here it is. Your hacker is coming from outside the
   Tymnet system. He's entering Tymnet from a communications line
   operated by the International Telephone and Telegraph company."
      "So what?"
      "ITT  takes  a  Westar downlink, the communications satellite over
   the Atlantic. It handles ten or twenty thousand phone calls at once."
      "So my hacker is coming from Europe?"
      "For sure."
      "Where?"
      "That's  the part I don't know, and I probably can't find out. But
   hold on, and I'll see what's there." More keyboard clicks.
      Ron came back to the phone. "Well, ITT identifies the line as DSEA
   744031.  That's  their  line  number. It can connect to either Spain,
   France, Germany, or Britain."
      "Well, which is it?"
      "Sorry, I don't know. In three days they'll send us billing
   information, and then I can find out. Meantime, I can't tell you much
   more than that." Ron rang off, but the hacker was still on my
   computer, trying to chisel into the Navy Research Labs, when one of
   Tymnet's international specialists, Steve White, called.
      "Ron can't trace any farther," Steve said. "I'll do the trace
   myself." I kept watching the hacker on my screen, hoping that he
   wouldn't hang up while Steve made the trace.
      Steve  came  back on the line. In his modulated, almost theatrical
   British  accent,  he  said, "Your hacker has the calling address DNIC
   dash 2624 dash 542104214."
      "So where's the hacker coming from?"
      "West Germany. The German Datex network."
      "What's that?"
      "It's  their national network to connect computers together. We'll
   have to call the Bundespost to find out more."
      "Who's the Bundespost?"
      "They're   the  German  national  postal  office.  The  government
   communications monopoly."
      Steve seemed pessimistic about completing a successful trace. "We
   know where he connects into the system. But there's a couple of
   possibilities there. The hacker might be at a computer in Germany,
   simply connected over the German Datex network. If that's the case,
   then we've got him cold. We know his address, the address points to
   his computer, and the computer points to him."
      "It is unlikely. More likely, the hacker is coming into the German
   Datex network through a dial-in modem."
      Just like Tymnet, Datex let anyone dial into its system and connect
   to computers on the network. Perfect for businesspeople and
   scientists. And hackers.
      "The real problem is in German law," Steve said. "I don't think
   they recognize hacking as a crime."
      "You're kidding, of course."
      "No," he said. "A lot of countries have outdated laws. In Canada, a
   hacker who broke into a computer was convicted of stealing
   electricity, rather than trespassing. He was prosecuted only because
   the connection had used a microwatt of power from the computer."
      Steve's pessimism was contagious. But his trace jogged my spirits.
   So  what if we couldn't nail the hacker-our circle was closing around
   him.
      Germany.  I  remembered  my  librarian  recognizing  the  hacker's
   password.  "Jaeger-it's a German word meaning hunter." The answer had
   been right in front of me, but I'd been blind.
      Some  details  were still fuzzy, but I understood how he operated.
   Somewhere in Europe, the hacker called into the German Datex network.
   He  asked for Tymnet, and the Bundespost made the connection. Once he
   reached  the States, he connected to my laboratory and hacked his way
   around Milnet.
      Mitre  must have been his stopover point. Now I realized why Mitre
   paid  for  a  thousand  one-minutelong  phone calls. The hacker would
   connect  to  Mitre and instruct the system to phone another computer.
   When  it  answered,  he  would  try to log in with a default name and
   password. Usually he failed and went on to another phone number. He'd
   been scanning computers, with Mitre picking up the tab.
      But he'd left a trail. On Mitre's phone bills.
      The  path  led  back  to  Germany,  but  it  might  not end there.
   Conceivably,  someone in Berkeley could have called Berlin, connected
   to  the  Datex  network,  connected  through Tymnet, and come back to
   Berkeley.  Maybe  the start of the path was in Mongolia. Or Moscow. I
   couldn't  tell.  For  the  present,  my  working  hypothesis would be
   Germany.
      And he scanned for military secrets. Could I be following a spy? A
   real spy, working for them-but who's "them"?
      Three  months  ago, I'd seen some mouse droppings in my accounting
   files.  Quietly  we'd  watched this mouse sneak through our computer,
   out through a hole, and into the military networks and computers.
      At  last I knew what this rodent was after. And where he was from.
   I'd been mistaken.
      This wasn't a mouse. It was a rat.
      Curious  whether  other people might have a similar problem with a
   hacker, I spent a few hours one early December day searching bulletin
   boards  on the  Usenet  network for news about  hackers and found one
   note from Toronto. I called the  author on the phone - I didn't trust
   electronic mail. Bob Orr, the manager of the University  of Toronto's
   physics computers, told a familiar story.
      "Some  hackers  from  Germany  have  invaded  our system, changing
   programs and damaging our operating system."
      "How'd they get in?"
      "We collaborate with the Swiss physics lab,
   CERN.  And  a  group  of  German  hackers  called  the Chaos Club has
   thoroughly  walked  through  their  computers.  They  probably  stole
   passwords to our system and linked directly to us."
      As  an  aside, Bob mentioned that the Chaos Club might have gotten
   into the US Fermilab computer as well.
      "One guy uses the pseudonym Hagbard," he told me. "Another,
   Pengo. I don't know their real names."
      Next I called Stanford and asked one of their system managers, Dan
   Kolkowitz, if he'd heard anything from Germany.
      "Come  to  think  of  it,  someone  broke  in  a few months ago. I
   monitored what he did and have a listing of him."
   Dan read the listing over the phone. Some hacker with the nom de
   guerre of Hagbard was sending a file of passwords to some hackers
   named Zombie and Pengo.
      Hagbard and Pengo again. I wrote them in my logbook.
      One  good  thing  was  happening. One by one, I was making contact
   with other people who were losing sleep and slugging down Maalox over
   the same troubles that obsessed me. It was comforting to learn that I
   wasn't completely alone.
   A few days later, I received a call telling me that the German
   Bundespost had determined that the hacker came from the University of
   Bremen. Soon they found the account he was using to connect across
   the Atlantic. They set a trap on that account: the next time someone
   used it, they'd trace the call.
   The Germans weren't sitting around. The university would monitor
   the suspicious account, and the Bundespost would keep track of the
   network activity. More and more mouseholes were being watched.
      Friday,  December  19,  1986,  at  1:38 p.m., the hacker showed up
   again. Stayed around for two hours, fishing on the Milnet. A pleasant
   Friday  afternoon,  trying  to  guess  passwords to the Strategic Air
   Command,  the  European  Milnet  Gateway,  the  West  Point Geography
   Department, and 70 other assorted military computers.
   I phoned Steve White at Tymnet. "The hacker's on our computer.
   Tymnet's logical port number 14."
   "OK," Steve said. The usual keyboard clatter in the background.
   Twenty seconds elapsed, and he called, "Got it!"
   Steve had traced a connection from California to Germany in less
   than a minute.
   "He's not coming from Bremen," he told me. "Today, he's dialing
   into Hannover."
   "So where is he? In Bremen or Hannover?"
   "Wolfgang Hoffman, the Datex network manager in Germany, doesn't
   know. For all we know he could be in Paris, calling long distance."
      Yesterday  it  was  Bremen.  Today  Hannover.  Where would he hide
   tomorrow?  The  hacker,  I  discovered, didn't take holidays; he even
   logged in on New Year's Day. His hacker's celebration was saved on my
   printers. I scribbled notes on the printouts, next to his:
      WELCOME TO THE ARMY OPTIMIS DATABASE
      PLEASE ENTER A WORD OR 'EXIT'.
      / SDI                                    [Looking for SDI dope]
      THE WORD "SDI" WAS NOT FOUND.            [But there's none there]
      PLEASE ENTER A WORD OR 'EXIT'.
      / STEALTH                                [Any word on the Stealth bomber?]
      THE WORD "STEALTH" WAS NOT FOUND.        [No such luck]
      PLEASE ENTER A WORD OR 'EXIT'.
      / SAC                                    [Strategic Air Command?]
      THE WORD "SAC" WAS NOT FOUND.            [Nope]
      PLEASE ENTER A WORD OR 'EXIT'.
      / NUCLEAR
      THANK YOU.
      I HAVE FOUND 29 DOCUMENT(S) CONTAINING THE PHRASE 'NUCLEAR'.
      ITEM*  MARKS*       TITLE
       1     20-1F        IG INSPECTIONS (HEADQUARTERS, DEPARTMENT OF THE ARMY).
       2     50A          NUCLEAR, CHEMICAL, AND BIOLOGICAL NATIONAL SECURITY AFFAIRS
       3     50B          NUCLEAR, CHEMICAL, AND BIOLOGICAL WARFARE ARMS CONTROLS
       4     50D          NUCLEAR AND CHEMICAL STRATEGY FORMULATIONS
       5     50E          NUCLEAR AND CHEMICAL POLITICO-MILITARY AFFAIRS
       6     50F          NUCLEAR AND CHEMICAL REQUIREMENTS
       7     50G          NUCLEAR AND CHEMICAL CAPABILITIES
       8     50H          THEATER NUCLEAR FORCE STRUCTURE DEVELOPMENTS
       9     50I          NUCLEAR AND CHEMICAL WARFARE BUDGET FORMULATIONS
      10     50J          NUCLEAR AND CHEMICAL PROGRESS AND STATISTICAL REPORTS
      11     50K          ARMY NUCLEAR, CHEMICAL, AND BIOLOGICAL DEFENSE PROGRAM
      12     50M          NUCLEAR AND CHEMICAL COST ANALYSES
      13     50N          NUCLEAR, CHEMICAL WARFARE, AND BIOLOGICAL DEFENSE
                          SCIENTIFIC AND TECHNICAL INFORMATION
      14     50P          NUCLEAR COMMAND AND CONTROL COMMUNICATIONS
      15     50Q          CHEMICAL AND NUCLEAR DEMILITARIZATIONS
      16     50R          CHEMICAL AND NUCLEAR PLANS
      17     50-5A        NUCLEAR ACCIDENT/INCIDENT CONTROLS
      18     50-5B        NUCLEAR MANPOWER ALLOCATIONS
      19     50-5C        NUCLEAR SURETY FILES
      20     50-5D        NUCLEAR SITE RESTORATIONS
      21     50,5-1A      NUCLEAR SITE UPGRADING FILES
      22     50-115A      NUCLEAR SAFETY FILES
      23     55-355FRTD   DOMESTIC SHIPMENT CONTROLS
      24     200-1C       HAZARDOUS MATERIAL MANAGEMENT FILES.
      25     385-11K      RADIATION INCIDENT CASES
      26     385-11M      RADIOACTIVE MATERIAL LICENSING
      27     385-40C      RADIATION INCIDENT CASES
      28     700-65A      INTERNATIONAL NUCLEAR LOGISTICS FILES
      29     1125-2-300A  PLANT DATA
      And  he  wasn't  satisfied  with  the titles to these documents-he
   dumped  all 29 over the line printer. Page after page was filled with
   army  doubletalk.  At one point, my printer jammed. The old DECwriter
   had paid its dues for the past ten years and now needed an adjustment
   with  a  sledgehammer.  Damn.  Right  where the hacker had listed the
   army's plans for nuclear bombs in the central European theater, there
   was only an ink blot.
      Around  noon on Sunday, January 4, my beeper sounded. I jumped for
   the  computer,  checked that the hacker was around, then called Steve
   White. Within a minute, he'd started the trace.
   The hacker tried the Air Force Systems Command, Space Division,
   and managed to log in as Field Service: not as an ordinary user but
   as one with a completely privileged account.
   His first command was to show what privileges he'd garnered. The
   air force computer responded automatically: System Privilege, and a
   slew of other rights, including the ability to read, write, or erase
   any file on the system.
      He  was  even  authorized  to run security audits on the air force
   computer. I could imagine him sitting behind his terminal in Germany,
   staring  in  disbelief at the screen. He didn't just have free run of
   the Space Command's computer; he controlled it.
      Confident that he was undetected, he probed nearby computers. In a
   moment,  he'd  discovered four on the air force network and a pathway
   to connect to others. From his high ground, none of these were hidden
   from  him;  if their passwords weren't guessable, he could steal them
   by setting up Trojan horses.
      This  wasn't  a little desktop computer he'd broken into. He found
   thousands of files on the system, and hundreds of users.
   He commanded the air force computer to list the names of all its
   files; it went merrily along typing out names like
   "Laser-design-plans" and "Shuttlelaunch-manifest." But he didn't know
   how to shut off the spigot. For two hours, it poured a Niagara of
   information onto his terminal.
      Finally, at 2:30, he hung up. While the hacker stepped through the
   air  force computer, Steve White traced Tymnet's lines. I asked Steve
   for the details.
   "I checked with Wolfgang Hoffman at the Bundespost. Your visitor
   is coming from Karlsruhe today. The University of Karlsruhe."
      My hacker was moving around. Or maybe he was staying in one place,
   playing  a  shell  game  with  the telephone system. Perhaps he was a
   student,  visiting different campuses and showing off to his friends.
   Was  I  certain  that  there  was  only  one hacker-or was I watching
   several people?
   Two days later, the hacker was back. He went straight over the
   Milnet to the Air Force Space Division. I watched him log in as Field
   Service.
      He  didn't  waste  a minute. He went straight to the authorization
   software,  searched  for  an  old,  unused  account, and modified it,
   giving it system privileges and a new password: AFHACK.
      AFHACK-what arrogance. He's thumbing his nose at the United States
   Air Force.
      From  now  on, he didn't need the field service account. Disguised
   as  an officer in the air force, he had unlimited access to the Space
   Division's computer.
      A  call  to  Steve  White  started  a  trace  rolling. Within five
   minutes,  he'd  traced  the  connection  to  Hannover  and called the
   Bundespost.
   A few minutes of silence, then: "Cliff, does the connection look
   like it will be a long one?"
   "I can't tell, but I think so," I said.
      "OK."  Steve  was  on  another  telephone;  I  could  hear only an
   occasional shout.
   In a minute, Steve returned to my line. "Wolfgang is tracing the
   call in Hannover. It's a local call. They're going to try to trace it
   all the way."
   Here's news! A local call in Hannover meant that the hacker was
   somewhere in Hannover.
   Steve shouted instructions from Wolfgang: "Whatever you do, don't
   disconnect the hacker. Keep him on the line if you can!"
      But  he's rifling files at the air force base. It was like letting
   a burglar rob your home while you watched.
   He went for operational plans. Documents describing air force
   payloads for the space shuttle. Test results from satellite detection
   systems. SDI research proposals. A description of an astronaut-operated
   camera system.
   Tymnet came back on the line. "I'm sorry, Cliff, but the trace in
   Germany is stymied."
   "Can't they trace the call?"
   "Well, the hacker's line comes from Hannover, all right," Steve
   replied. "But Hannover's phone lines connect through mechanical
   switches-noisy, complicated widgets-and these can be traced only by
   people, not by computers."
      Another  opportunity  lost.  I  cut off the hacker's connection so
   that he couldn't do more harm.
      Later, Steve White explained that American telephones are computer
   controlled,  so  it's  pretty easy to trace them. But in Germany they
   need someone at the Hannover exchange to trace the call.
   "So we can't trace him unless the hacker calls during the day or
   evening?" I asked.
      "Worse than that. It'll take an hour or two to make the trace once
   it's started."
      Lately, the hacker had been showing up for five minutes at a time.
   Long  enough  to  wake me up, but hardly enough for a two-hour trace.
   How could I keep him on for a couple of hours?
   The answer, I realized, was disarmingly simple: give him what he
   wants: all the classified data, all the top-secret information he
   could gather. Not for real, of course. Instead, I'd create a phony
   database. Its documents would describe a new Star Wars project. An
   outsider reading them would believe that Lawrence Berkeley
   Laboratories had just landed a fat government contract to manage a
   new computer network. The SDI Network.
      This bogus network, which would apparently link together scores of
   classified  computers,  would  extend  to  military  bases around the
   world.  By  reading  the  files, you'd find lieutenants and colonels,
   scientists  and  engineers.  Here  and  there,  I would drop hints of
   meetings and classified reports.
   And I invented Barbara Sherwin, the sweet, bumbling secretary
   trying to figure out her new word processor and keep track of the
   endless stream of documents produced by our newly invented "Strategic
   Defense Initiative Network Office."
      My  snare  was  baited.  If the hacker bit, he'd take two hours to
   swallow the bait. Long enough for the Germans to track him down.
      The next move was the hacker's.
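   The decoy-database idea above, as an added illustration that is not
   from the book: a small monitor over constructed audit lines that flags
   any account touching the bait tree and reports whether the session
   has already lasted long enough for the slow manual trace the text
   describes. The /sdinet/ path, the account names and the log format
   are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical directory holding the bait documents (assumption, not from the book).
DECOY_PREFIX = "/sdinet/"
# The text says a manual trace at the Hannover exchange took an hour or two.
TRACE_NEEDED = timedelta(hours=2)

# Constructed sample audit lines: <ISO timestamp> <account> <action> <path>
SAMPLE_LOG = """\
1987-01-16T17:14:02 intruder open /sdinet/FORM_LETTER
1987-01-16T17:20:40 intruder open /sdinet/memo-4711.txt
1987-01-16T17:30:00 probe open /sdinet/overview.txt
1987-01-16T17:35:00 probe open /sdinet/how-to-link.txt
1987-01-16T17:59:11 intruder open /sdinet/connectivity-req.txt
1987-01-16T18:02:30 dave open /home/dave/notes.txt
1987-01-16T19:15:00 intruder open /sdinet/membership-list.txt
"""


@dataclass
class Session:
    """Everything one account did, reduced to what the trace team needs."""
    account: str
    first_seen: datetime
    last_seen: datetime
    decoy_files: list[str] = field(default_factory=list)

    @property
    def duration(self) -> timedelta:
        return self.last_seen - self.first_seen


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Split one audit line into (timestamp, account, action, path)."""
    ts, account, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), account, action, path


def track_sessions(log_text: str) -> dict[str, Session]:
    """Fold audit lines into per-account sessions, remembering decoy hits."""
    sessions: dict[str, Session] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, account, _action, path = parse_line(raw)
        sess = sessions.get(account)
        if sess is None:
            sess = sessions[account] = Session(account, ts, ts)
        sess.first_seen = min(sess.first_seen, ts)
        sess.last_seen = max(sess.last_seen, ts)
        if path.startswith(DECOY_PREFIX):
            sess.decoy_files.append(path)
    return sessions


def alerts(sessions: dict[str, Session]) -> list[tuple[str, int, int, str]]:
    """Report each account that touched the bait: (account, decoy hits,
    minutes connected, whether the session has lasted long enough to trace)."""
    report = []
    for sess in sessions.values():
        if not sess.decoy_files:
            continue  # legitimate users have no reason to open the decoys
        minutes = round(sess.duration.total_seconds() / 60)
        status = ("trace window reached" if sess.duration >= TRACE_NEEDED
                  else "keep session alive")
        report.append((sess.account, len(sess.decoy_files), minutes, status))
    return sorted(report)


if __name__ == "__main__":
    for row in alerts(track_sessions(SAMPLE_LOG)):
        print("ALERT %s: %d decoy files, %d min connected, %s" % row)
```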
      My  beeper  sounded  at 5:14 p.m., Friday, January 16. There's the
   hacker.  It  didn't  take  him very long to swallow the hook; soon he
   broke  into  my  phony  SDInet.  Quickly, I got on the phone to Steve
   White.
   "Steve, call Germany. The hacker's on, and it'll be a long session."
   "Spot-on, Cliff. Call you back in ten minutes." For the next 45
   minutes,  the  hacker  dumped  out  file  after file, reading all the
   garbage  that  I had created. Boring, tedious ore, with an occasional
   nugget of technical information.
   Then he dumped the file named FORM LETTER:
      DEAR SIR:
      THANK YOU FOR YOUR INQUIRY ABOUT SDINET. WE ARE HAPPY TO COMPLY
   WITH YOUR REQUEST FOR MORE INFORMATION ABOUT THIS NETWORK. THE
   FOLLOWING DOCUMENTS ARE AVAILABLE FROM THIS OFFICE. PLEASE STATE
   WHICH DOCUMENTS YOU WISH MAILED TO YOU:
      #37.6  SDINET OVERVIEW DESCRIPTION DOCUMENT
             19 PAGES, REVISED SEPT. 1985
      #41.7  STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS: PLANS
             AND IMPLEMENTATIONS (CONFERENCE NOTES)
             227 PAGES, REVISED SEPT. 1985
      #45.2  STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS: PLANS
             AND IMPLEMENTATIONS (CONFERENCE NOTES)
             300 PAGES, JUNE 1986
      #47.3  SDINET CONNECTIVITY REQUIREMENTS
             65 PAGES, REVISED APRIL 1986
      #48.8  HOW TO LINK INTO THE SDINET
             25 PAGES, JULY 1986
      #49.1  X.25 AND X.75 CONNECTIONS TO SDINET (INCLUDES JAPANESE,
             EUROPEAN, AND HAWAIIAN NODES)
             8 PAGES, DECEMBER 1986
      #55.2  SDINET MANAGEMENT PLAN FOR 1986 TO 1988
             47 PAGES, NOVEMBER 1985
      #62.7  UNCLASSIFIED SDINET MEMBERSHIP LIST (INCLUDES MAJOR MILNET
             CONNECTIONS)
             24 PAGES, NOVEMBER 1986
      #65.3  CLASSIFIED SDINET MEMBERSHIP LIST
             9 PAGES, NOVEMBER 1986
      #69.1  DEVELOPMENTS IN SDINET AND SDI DISNET
             28 PAGES, OCTOBER 1986
      SINCERELY YOURS,
      MRS. BARBARA SHERWIN
      DOCUMENTS SECRETARY
      SDINET PROJECT
   Steve White called back from Tymnet. "I've traced your connection
   over to the University of Bremen. And the Bundespost has traced the
   Datex line from Bremen into Hannover. In the past half hour, the
   technician traced the line and has narrowed it down to one of 50
   telephone numbers."
   "Why can't they get the actual number?"
   "Wolfgang's unclear about that. It sounds like they've determined
   the number to be from a group of local phones, but the next time they
   make a trace, they'll zero in on the actual telephone. From the sound
   of Wolfgang's message, they're excited about solving this case."
      The  next  day, at 10:17 a.m., the hacker came back. This time, he
   wasn't interested in SDI files. Instead, he went out over the Milnet,
   trying to break into military computers.
      He  was  concentrating  on air force and army computers, though he
   occasionally  knocked  on  the  navy's door as well. Places I'd never
   heard  of,  like  the Air Force Weapons Lab, Descom headquarters, Air
   Force CC OIS, and the CCA-amc. Fifty places, all without success.
      Then  he  slid across the Milnet into a computer named Buckner. He
   got  right  in . . . didn't even need a password on the account named
   "guest."
      He'd  broken  into  the Army Communications Center in Building 23,
   Room 121, of Fort Buckner. Fort Buckner was in Okinawa.
   What a connection! From Hannover, Germany, the hacker linked to
   the University of Bremen, across a transatlantic cable into Tymnet,
   then into my Berkeley computer, and into the Milnet, finally reaching
   Okinawa.
      A  bit  after  11 in the morning, he finally grew tired and logged
   off.  While he'd circled the globe with his spiderweb of connections,
   the German Bundespost had homed in on him.
   The phone rang-had to be Steve White. "Hi Cliff," Steve said,
   "The trace is complete."
   "The Germans got the guy?"
   "They know his phone number."
   "Well, who is he?" I asked.
   "They can't say right now, but you're supposed to tell the FBI."
   "Just tell me this much," I asked Steve. "Is it a computer or a
   person?"
   "A person with a computer at his home. Or should I say, at his
   business."
   Days later, Tymnet passed along a chilling message:
   "This  is  not a benign hacker. It is quite serious. The scope of the
   investigation  is  being  extended.  Thirty people are now working on
   this  case.  Instead of simply breaking into the apartments of one or
   two  people, locksmiths are making keys to the houses of the hackers,
   and  the  arrests  will  be  made when the hackers cannot destroy the
   evidence. These hackers are linked to the shady dealings of a private
   company."
      Throughout the spring, I kept making new bait. My mythical Barbara
   Sherwin  created  memos  and letters, requisitions and travel orders.
   Here  and  there,  she sprinkled a few technical articles, explaining
   how the SDI network interconnected all sorts of classified computers.
      On  Monday,  April  27,  came  one of the biggest shocks. A letter
   arrived, addressed to the imaginary Barbara Sherwin.
      Triam International, Inc.
      6512 Ventura Drive
   Pittsburgh, PA 15236
   April 21, 1987
      Dear Mrs. Sherwin:
      I am interested in the following documents. Please send me a price
   list  and  an  update  on  SDI  Network  Project.  Thank you for your
   cooperation.
      Very truly yours,
      Laszlo J. Balogh
      Balogh  then  asked  for every phony document I had made up in the
   file called FORM LETTER.
   Someone had swallowed the bait and was asking for more
   information! I could understand it if the letter came from Hannover.
   But Pittsburgh?
      I  called  Mike  Gibbons at the Alexandria FBI office and told him
   about it.
   "OK," Mike said. "Listen up carefully. Don't touch that letter.
   Especially, don't touch around the edges. Go find a glassine
   envelope. Gently insert the paper in the envelope. Then express mail
   it to me. Whatever you do, don't handle it. Wear gloves if you must."
   This sounded like Dick Tracy's "Crimestoppers," but I followed
   orders.
   A hacker in Hannover, Germany, learns a secret from Berkeley,
   California. Three months later, a Hungarian named Laszlo Balogh
   living in Pittsburgh writes us a letter. What's happening here?
   Tuesday morning, June 23, Mike Gibbons called from the FBI.
   "You can close up shop, Cliff."
   "What's happened?"
   "Arrest warrants were issued this morning at 10."
   "Anyone arrested?"
   "I can't say." Something was happening. But Mike wouldn't say what.
      A  few hours later, Wolfgang Hoffman sent a message: "An apartment
   and  a  company  were  searched,  and  nobody  was  home at the time.
   Printouts,  disks,  and tapes were seized and will be analyzed in the
   next few days. Expect no further break-ins."
   Finally, it was over. The FBI still wasn't talking, but I managed
   to find out who the Germans had fingered; I could now attach a name to
   the shadowy hacker I had chased across two continents: Markus Hess.
      So  what  really  happened?  Was  Hess working alone, or was he in
   league  with  others? And why was he breaking into defense department
   computers?  Here's  my estimate, based on interviews, police reports,
   newspaper accounts, and messages from German computer programmers. In
   the mid-1980s, a dozen hackers started the Chaos Computer Club, whose
   members specialized in creating viruses, breaking into computers, and
   serving  as  a  computer  counterculture. Through electronic bulletin
   boards  and telephone links, they anonymously exchanged phone numbers
   of hacked computers, as well as stolen passwords and credit cards.
   Markus Hess knew of the Chaos Club, although he was never a
   central figure there. Rather, he kept his distance as a freelance
   hacker. During the day, he worked at a small software firm in
   downtown Hannover.
   Over a crackling phone connection, an astronomer friend in
   Hannover explained to me, "You see, Hess knew Hagbard, who kept in
   touch with other hackers in Germany, like Pengo and Frimp. Hagbard is
   a pseudonym, of course, his real name is . . . "
      Hagbard.  I'd heard that name before-he'd broken into Fermilab and
   Stanford.
      Hagbard  worked  closely  with  Markus  Hess.  The two drank beers
   together at Hannover bars and spent evenings behind Hess's computer.
   Apparently, Hess just played around the networks at first,
   searching for ways to connect around the world. Like a ham radio
   operator, he started out a hobbyist, trying to reach as far away as
   possible. In the beginning, he managed to connect to Karlsruhe; later
   he reached Bremen over the Datex network.
      Soon  he  discovered that many system managers hadn't locked their
   back  doors. Usually these were university computers, but Markus Hess
   began  to  wonder:  how many other systems were wide open? What other
   ways could you sneak into computers?
      By  September 1985, Hagbard and Pengo were routinely breaking into
   computers  in  North  America: mostly high energy physics labs, but a
   few  NASA sites as well. Excitedly, Hagbard described his exploits to
   Hess.
   Hess began to explore outside of Germany. But he no longer cared
   about universities and physics laboratories-he wanted some real
   excitement. Hess now targeted the military. The leaders of the Chaos
   Computer Club had issued a warning to their members: "Never penetrate
   a military computer. The security people on the other side will be
   playing a game with you, almost like chess. Remember that they've
   practiced this game for a long time. . . . " Markus Hess wasn't
   listening.
      Hess  apparently  found  his  way  into  an  unprotected  computer
   belonging  to  a  German subsidiary of U.S. defense contractor Mitre.
   Once  inside that system, he discovered detailed instructions to link
   into   Mitre's  computers  in  Bedford,  Massachusetts,  and  McLean,
   Virginia.  By summer 1986, Hess and Hagbard were operating separately
   but  frequently  comparing notes. Meanwhile, Hess worked in Hannover,
   programming VAX computers and managing several systems.
      Hess  soon expanded his beachhead at Mitre. He explored the system
   internally, then sent out tentacles into other American computers. He
   collected  telephone  numbers  and network addresses and methodically
   attacked  these  systems.  On  August 20, he struck Lawrence Berkeley
   Labs.
      Even then, Hess was only fooling around. He'd realized that he was
   privy  to  secrets,  both industrial and national, but kept his mouth
   shut.  Then,  around  the  end  of  September,  in  a  smoky Hannover
   beergarden, he described his latest exploit to Hagbard.
      Hagbard  smelled money. And Hagbard knew who to contact: Pengo, in
   West Berlin.
      Pengo,  with  his  contacts to hackers across Germany, knew how to
   use  Hess's information. Carrying Hess's printouts, one of the Berlin
   hackers  crossed  into  East Berlin and met with agents from the East
   German Staatssicherheitsdienst-the Secret Service.
   The deal was made: around 30,000 deutschemarks-$18,000-for
   printouts and passwords.
      From  there,  who knows what happened to the information? The East
   German  Secret Service cooperates closely with the Soviet KGB; surely
   the Staatssicherheitsdienst would tell the KGB about this new form of
   espionage.
      The KGB wasn't just paying for printouts, though. Hess and company
   apparently  sold  their  techniques  as  well:  how to break into VAX
   computers;  which networks to use when crossing the Atlantic; details
   on how the Milnet operates.
   Even more important to the KGB was obtaining research data about
   Western technology, including integrated circuit design,
   computer-aided manufacturing, and, especially, operating system
   software that was under U.S. export control. They offered 250,000
   deutschemarks for copies of Digital Equipment's VMS operating system.
   According to the German television station NDR, the Berlin hackers
   supplied much of this order, including source code to the Unix
   operating system, designs for high-speed gallium-arsenide integrated
   circuits, and computer programs used to engineer computer memory
   chips. Hagbard wanted more than money. He demanded cocaine. The East
   German Secret Service was a willing supplier.
   Hagbard passed some of the money (but none of the cocaine) to Hess
   in return for printouts, passwords, and network information. Hagbard's
   cut  went  toward  paying his telephone bill which sometimes ran over
   $1,000  a  month  as he called computers around the world. Hess saved
   everything.  He kept a detailed notebook and saved every session on a
   floppy  disk.  This  way,  after  he  disconnected  from  a  military
   computer,  he  could  print  out the interesting parts and pass these
   along to Hagbard and on to the KGB.
      Also on the KGB's wish list was SDI data. As Hess searched for it,
   I  naturally  detected  SDI showing up in his requests. And I had fed
   Hess plenty of SDI fodder. But could the East Germans (or KGB?) trust
   these  printouts? How could they be sure Hagbard wasn't inventing all
   of this to feed his own coke habit?
      The  KGB  decided  to  verify the German hacker ring. The mythical
   Barbara  Sherwin served as a perfect way to test the validity of this
   new form of espionage. She had, after all, invited people to write to
   her for more information.
   But secret services don't handle things directly. They use
   intermediaries. The East Germans (KGB?) contacted another agency-
   either the Hungarian or Bulgarian intelligence service. They, in turn,
   apparently had a professional relationship with a contact in
   Pittsburgh: Laszlo Balogh.
      Does  the  FBI  have enough evidence to indict Laszlo Balogh? They
   won't  tell  me.  But the way I see it, Laszlo's in deep trouble: the
   FBI  is  watching him, and whoever's pulling his puppet strings isn't
   pleased.
      The  West  German  police, though, have plenty of evidence against
   Markus Hess. Printouts, phone traces, and my logbook. When they broke
   into  his  apartment  on  June 29, 1987, they seized a hundred floppy
   disks,  a computer, and documentation describing the U.S. Milnet. But
   when  the  police  raided Hess's apartment, nobody was home. Though I
   was  waiting  patiently  for him to appear on my computer, the German
   police entered his place when he wasn't connected.
   At his first trial, Hess got off on appeal. His lawyer argued that
   since Hess wasn't connected at the moment his apartment was raided,
   he might not have done the hacking. This, along with a problem in the
   search warrants, was enough to overturn the case against Hess on
   computer theft. But the German federal police continued to
   investigate.
      On  March  2,  1989,  German  authorities charged five people with
   espionage:  Pengo,  Hagbard,  Peter  Carl, Dirk Bresinsky, and Markus
   Hess.
   Peter Carl met regularly with KGB agents in East Berlin, selling
   any data the others could find. When the German officials caught up
   with him, he was about to run off to Spain. He's now in jail, waiting
   for trial, along with Dirk Bresinsky, who was jailed for desertion
   from the German army.
      Pengo  is  having  second thoughts about his years working for the
   KGB.  He  says  that  he  hopes he "did the right thing by giving the
   German police detailed information about my involvement." But as long
   as there's an active criminal case, he'll say no more.
      All  the  same,  the  publicity hasn't helped Pengo's professional
   life  as a computer consultant. His business partners have shied away
   from  backing  him,  and  several of his computing projects have been
   canceled.  Outside of his business losses, I'm not sure that he feels
   there's anything wrong with what he did.
      Today,  Markus  Hess  is  walking the streets of Hannover, free on
   bail while awaiting a trial for espionage.
      Hagbard,  who  hacked  with  Hess  for  a  year, tried to kick his
   cocaine  habit in late 1988. But not before spending his profits from
   the  KGB:  he  was  deep in debt and without a job. In spring 1989 he
   found  a  job  at  the  office  of  a political party in Hannover. By
   cooperating  with  the  police,  he and Pengo avoided prosecution for
   espionage.
   Hagbard was last seen alive on May 23, 1989. In an isolated forest
   outside of Hannover, police found his charred bones next to a melted
   can of gasoline. A borrowed car was parked nearby, keys still in the
   ignition.
      No suicide note was found.

