Underground: Hacking, madness and obsession on the electronic frontier - Part 48

Regards, Craig

The 'other' people were, of course, the IS hackers. There is nothing like reading about your own hacking antics in someone's security mail.

Mendax and Prime Suspect frequently visited ANU's computers to read the security mail there. However, universities were usually nothing special, just jumping-off points and, occasionally, good sources of information on how close the AFP were to closing in on the IS hackers.

Far more interesting to Mendax were his initial forays into Telecom's exchanges. Using a modem number Prime Suspect had found, he dialled into what he suspected was Telecom's Lonsdale Exchange in downtown Melbourne. When his modem connected to another one, all he saw was a blank screen. He tried a few basic commands which might give him help to understand the system:

Login. List. Attach.

The exchange's computer remained silent.

Mendax ran a program he had written to fire off every recognised keyboard character--256 of them--at another machine. Nothing again. He then tried the break signal--the Amiga key and the character B pressed simultaneously. That got an answer of sorts.

He pulled up another of his hacking tools, a program which dumped 200 common commands to the other machine. Nothing. Finally, he tried typing 'logout'. That gave him an answer:

error, not logged on

Ah, thought Mendax. The command is 'logon' not 'login'.

:logon

The Telecom exchange answered: 'username:' Now all Mendax had to do was figure out a username and password.

He knew that Telecom used NorTel equipment. More than likely, NorTel staff were training Telecom workers and would need access themselves.

If there were lots of NorTel employees working on many different phone switches, it would be difficult to pass on secure passwords to staff all the time. NorTel and Telecom people would probably pick something easy and universal. What password best fitted that description?

username: nortel

password: nortel

It worked.

Unfortunately, Mendax didn't know which commands to use once he got into the machine, and there was no on-line documentation to provide help. The telephone switch had its own language, unlike anything he had ever encountered before.

After hours of painstaking research, Mendax constructed a list of commands which would work on the exchange's computer. The exchange appeared to control all the special six-digit phone numbers beginning with 13, such as those used for airline reservations or some pizza delivery services. It was Telecom's 'Intelligent Network' which did many specific tasks, including routing calls to the nearest possible branch of the organisation being called. Mendax looked through the list of commands, found 'RANGE', and recognised it as a command which would allow someone to select all the phone numbers in a certain range. He selected a thousand numbers, all with the prefix 634, which he believed to be in Telecom's Queen Street offices.

Now, to test a command. Mendax wanted something innocuous, which wouldn't screw up the 1000 lines permanently. It was almost 7 a.m. and he needed to wrap things up before Telecom employees began coming into work.

'RING' seemed harmless enough. It might ring one of the numbers in the range after another--a process he could stop. He typed the command in.

Nothing happened. Then a few full stops began to slowly spread across his screen:

RUNG

The system had just rung all 1000 numbers at the same time. One thousand phones ringing all at once.

What if some buttoned-down Telecom engineer had driven to work early that morning to get some work done? What if he had just settled down at his standard-issue metal Telecom desk with a cup of bad instant coffee in a styrofoam cup when suddenly ... every telephone in the skyscraper had rung out simultaneously? How suspicious would that look? Mendax thought it was time to high-tail it out of there.

On his way out, he disabled the logs for the modem line he came in on.

That way, no-one would be able to see what he had been up to. In fact, he hoped no-one would know that anyone had even used the dial-up line at all.

Prime Suspect didn't think there was anything wrong with exploring the NorTel computer system. Many computer sites posted warnings in the login screen about it being illegal to break into the system, but the eighteen-year-old didn't consider himself an intruder. In Prime Suspect's eyes, 'intruder' suggested someone with ill intent--perhaps someone planning to do damage to the system--and he certainly had no ill intent. He was just a visitor.

Mendax logged into the NMELH1 system by using the account Prime Suspect had given him, and immediately looked around to see who else was on-line. Prime Suspect and about nine other people, only three of whom were actually doing something at their terminal.

Prime Suspect and Mendax raced to get root on the system. The IS hackers may not have been the type to brag about their conquests in the underground, but each still had a competitive streak when it came to see who could get control over the system first. There was no ill will, just a little friendly competition between mates.

Mendax poked around and realised the root directory, which contained the password file, was effectively world writable. This was good news, and with some quick manipulation he would be able to insert something into the root directory. On a more secure system, unprivileged users would not be able to do that. Mendax could also copy things from the directory on this site, and change the names of subdirectories within the main root directory. All these permissions were important, for they would enable him to create a Trojan.

Named for the Trojan horse which precipitated the fall of Troy, the Trojan is a favoured approach with most computer hackers. The hacker simply tricks a computer system or a user into thinking that a slightly altered file or directory--the Trojan--is the legitimate one.

The Trojan directory, however, contains false information to fool the computer into doing something the hacker wants. Alternatively, the Trojan might simply trick a legitimate user into giving away valuable information, such as his user name and password.

Mendax made a new directory and copied the contents of the legitimate ETC directory--where the password files were stored--into it. The passwords were encrypted, so there wasn't much sense trying to look at one since the hacker wouldn't be able to read it. Instead, he selected a random legitimate user--call him Joe--and deleted his password. With no password, Mendax would be able to login as Joe without any problems.

However, Joe was just an average user. He didn't have root, which is what Mendax wanted. But like every other user on the system, Joe had a user identity number. Mendax changed Joe's user id to '0'--the magic number. A user with '0' as his id had root. Joe had just acquired power usually only given to system administrators. Of course, Mendax could have searched out a user on the list who already had root, but there were system operators logged onto the system and it might have raised suspicions if another operator with root access had logged in over the dial-up lines. The best line of defence was to avoid making anyone on the system suspicious in the first place.

The problem now was to replace the original ETC directory with the Trojan one. Mendax did not have the privileges to delete the legitimate ETC directory, but he could change the name of a directory.

So he changed the name of the ETC directory to something the computer system would not recognise. Without access to its list of users, the computer could not perform most of its functions. People would not be able to log in, see who else was on the system or send electronic mail. Mendax had to work very quickly. Within a matter of minutes, someone would notice the system had serious problems.

Mendax renamed his Trojan directory ETC. The system instantly read the fake directory, including Joe's now non-existent password, and elevated status as a super-user. Mendax logged in again, this time as Joe.
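As an added example (not part of the book's text), a defender's audit for the two conditions this account depends on: a password file entry with an empty password field or an unexpected user id of 0, and a parent directory whose permissions let any user rename its subdirectories. The sample password file and the function names are constructed for illustration and assume the classic seven-field Unix passwd format.

```python
import os
import stat
import tempfile

# Constructed sample passwd content: "joe" has an empty password field and UID 0.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe::0:100:Joe:/home/joe:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
"""

def audit_passwd(text):
    """Return (user, problem) pairs for empty passwords and extra UID 0 accounts."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings.append((fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password field"))
        if uid == "0" and user != "root":
            findings.append((user, "UID 0 but not root"))
    return findings

def renamable_by_others(directory):
    """True if any user may rename or replace entries in `directory`:
    world-writable and without the sticky bit."""
    mode = os.stat(directory).st_mode
    return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)

if __name__ == "__main__":
    for user, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd: {user}: {problem}")
    # Demonstrate the directory check on a scratch directory, not the real /.
    with tempfile.TemporaryDirectory() as d:
        for mode in (0o777, 0o1777, 0o755):
            os.chmod(d, mode)
            print(f"{mode:o} parent renamable by others:", renamable_by_others(d))
```

On a live host the same checks would be pointed at the real password file and at the parent directory of the configuration directory.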

In less than five minutes, a twenty-year-old boy with little formal education, a pokey $700 computer and painfully slow modem had conquered the Melbourne computer system of one of the world's largest telecommunications companies.

There were still a few footprints to be cleaned up. The next time Joe logged in, he would wonder why the computer didn't ask for his password. And he might be surprised to discover he had been transformed into a super-user. So Mendax used his super-user status to delete the Trojan ETC file and return the original one to its proper place. He also erased records showing he had ever logged in as Joe.

To make sure he could login with super-user privileges in future, Mendax installed a special program which would automatically grant him root access. He hid the program in the bowels of the system and, just to be safe, created a special feature so that it could only be activated with a secret keystroke.

Mendax wrestled a root account from NMELH1 first, but Prime Suspect wasn't far behind. Trax joined them a little later. When they began looking around, they could not believe what they had found. The system had one of the weirdest structures they had ever come across.

Most large networks have a hierarchical structure. Further, most hold the addresses of a handful of other systems in the network, usually the systems which are closest in the flow of the external network.

But the NorTel network was not structured that way. What the IS hackers found was a network with no hierarchy. It was a totally flat name space. And the network was weird in other ways too. Every computer system on it contained the address of every other computer, and there were more than 11000 computers in NorTel's worldwide network. What the hackers were staring at was like a giant internal corporate Internet which had been squashed flat as a pancake.

Mendax had seen many flat structures before, but never on this scale.

It was bizarre. In hierarchical structures, it is easier to tell where the most important computer systems--and information--are kept. But this structure, where every system was virtually equal, was going to make it considerably more difficult for the hackers to navigate their way through the network. Who could tell whether a system housed the Christmas party invite list or the secret designs for a new NorTel product?

The NorTel network was firewalled, which meant that there was virtually no access from the outside world. Mendax reckoned that this made it more vulnerable to hackers who managed to get in through dial-ups. It appeared that security on the NorTel network was relatively relaxed since it was virtually impossible to break in through the Internet. By sneaking in the backdoor, the hackers found themselves able to raid all sorts of NorTel sites, from St Kilda Road in Melbourne to the corporation's headquarters in Toronto.

It was fantastic, this huge, trusting network of computer sites at their fingertips, and the young hackers were elated with the anticipation of exploration. One of them described it as being 'like a shipwrecked man washed ashore on a Tahitian island populated by 11000 virgins, just ripe for the picking'.

They found a YP, or yellow pages, database linked to 400 of the computer sites. These 400 sites were dependent on this YP database for their password files. Mendax managed to get root on the YP database, which gave him instant control over 400 computer systems. Groovy.