We conducted over a hundred interviews and collected around 40,000 pages of primary documentation: telephone intercepts, data intercepts, log-files, witness statements, confessions, judgements. Telephone dialog and on-line discussions are drawn directly from the latter. Every significant hacking incident mentioned in this book has reams of primary documentation behind it.
In chapter 4, Par, one of the principal subjects of this book, is being watched by the Secret Service. He's on the run. He's a wanted fugitive.
We had logs of messages Par had written on underground BBSs. We had data intercepts of other hackers in conversation with Par. We had obtained various Secret Service documents and proprietary security reports relating to Par's activities.
Every chapter in Underground was formed from many stories like it. They're unseen, because a book must not be true merely in detail; it must be true in feeling.
What followed were many turbulent years, moving from town to town as his parents explored the '70s left-wing, bohemian subculture.
One night in Adelaide, when Mendax was about four, his mother and a friend were returning from a meeting of anti-nuclear protesters. The friend claimed to have scientific evidence that the British had conducted high-yield, above-ground nuclear tests at Maralinga, a desert area in north-west South Australia.
A 1984 Royal Commission subsequently revealed that between 1953 and 1963 the British government had tested nuclear bombs at the site, forcing more than 5000 Aborigines from their native lands. In December 1993, after years of stalling, the British government agreed to pay £20 million toward cleaning up the more than 200 square kilometres of contaminated lands. Back in 1968, however, the Menzies government had signed away Britain’s responsibility to clean up the site. In the 1970s, the Australian government was still in denial about exactly what had happened at Maralinga.
As Mendax’s mother and her friend drove through an Adelaide suburb carrying early evidence of the Maralinga tragedy, they noticed they were being followed by an unmarked car. They tried to lose the tail, without success. The friend, nervous, said he had to get the data to an Adelaide journalist before the police could stop him. Mendax’s mother quickly slipped into a back lane and the friend leapt from the car. She drove off, taking the police tail with her.
Mendax was frightened of the man, whom he considered a manipulative and violent psychopath. He had five different identities with plastic in his wallet to match. His whole background was a fabrication, right down to the country of his birth.
Mendax left home at seventeen because he had received a tip-off about an impending raid. Mendax wiped his disks, burnt his print-outs and left. A week later, the Victorian CIB turned up and searched his room, but found nothing.
The Australian Federal Police raided his Melbourne home in 1991. He was reported to have accessed computers belonging to an Australian university, the Canadian telecommunications company Nortel, the USAF 7th Command Group in the Pentagon and other organisations.
In 1992, he pleaded guilty to 24 charges of hacking and was released on bond for good conduct after being fined AU$2100.
In 1993, Assange was involved in starting one of the first public internet service providers in Australia, Suburbia Public Access Network. Starting in 1994, he lived in Melbourne as a programmer and a developer of free software.
In 1995, he wrote Strobe, the first free and open source port scanner. He contributed several patches to the PostgreSQL project in 1996.
Starting around 1997, he co-invented the Rubberhose deniable encryption system, a cryptographic concept made into a software package for Linux designed to provide plausible deniability against rubber-hose cryptanalysis.
Other free software that he has authored or co-authored includes the Usenet caching software NNTPCache and Surfraw, a command-line interface for web-based search engines.
In 1992 Mendax and Trax (fellow hacker) teamed up with a wealthy Italian real-estate investor, purchased La Trobe University’s mainframe computer (ironically, a machine they had been accused of hacking) and started a computer security company. The company eventually dissolved when the investor disappeared following actions by his creditors.
After a public confrontation in 1993 with Victorian Premier Jeff Kennett, Mendax and two others formed a civil rights organisation to fight corruption and lack of accountability in a Victorian government department. As part of this ongoing effort, Mendax acted as a conduit for leaked documents and became involved in a number of court cases against the department during 1993-94. Eventually, he gave evidence in camera to a state parliamentary committee examining the issues, and his organisation later facilitated the appearance of more than 40 witnesses at an investigation by the Auditor-General.
Mendax has provided information or assistance to law-enforcement bodies, but not against hackers. He said, ‘I couldn’t ethically justify that. But as for others, such as people who prey on children or corporate spies, I am not concerned about using my skills there.’
NorTel and a number of other organisations he was accused of hacking use his cryptography software - a fact he finds rather ironic.
Prime Suspect rang Mendax, offering an adventure. He had discovered a strange system called NMELH1 (pronounced N-Melly-H-1) and it was time to go exploring. He read off the dial-up numbers, found in a list of modem phone numbers on another hacked system.
Mendax looked at the scrap of paper in his hand, thinking about the name of the computer system.
The ‘N’ stood for Northern Telecom, a Canadian company with annual sales of $8 billion. NorTel, as the company was known, sold thousands of highly sophisticated switches and other telephone exchange equipment to some of the world’s largest phone companies. The ‘Melly’ undoubtedly referred to the fact that the system was in Melbourne.
Mendax had spent hours experimenting with commands inside the computers which controlled telephone exchanges. Unlike making a mistake inside a single computer, mis-guessing a command inside a telephone exchange in downtown Sydney or Melbourne could take down a whole prefix - 10000 or more phone lines - and cause instant havoc.
This was exactly what the International Subversives didn't want to do. The three IS hackers - Mendax, Prime Suspect and Trax - had seen what happened to the visible members of the computer underground in England and in Australia.
But, Mendax thought, what if you could learn about how to manipulate a million-dollar telephone exchange by reading the manufacturer's technical documentation? How high was the chance that those documents, which weren't available to the public, were stored inside NorTel's computer network?
Better still, what if he could find NorTel's original source code - the software designed to control specific telephone switches, such as the DMS-100 model. That code might be sitting on a computer hooked into the worldwide NorTel network. A hacker with access could insert his own backdoor - a hidden security flaw - before the company sent out software to its customers.
With a good technical understanding of how NorTel's equipment worked, combined with a backdoor installed in every piece of software shipped with a particular product, you could have control over every new NorTel DMS telephone switch installed from Boston to Bahrain.
Using a program called Sycophant written by Mendax, the IS hackers had been conducting massive attacks on the US military.
They divided up Sycophant on eight attack machines, often choosing university systems at places like the Australian National University or the University of Texas. They pointed the eight machines at the targets and fired. Within six hours, the eight machines had assaulted thousands of computers. The hackers sometimes reaped 100000 accounts each night.
Using Sycophant, they essentially forced a cluster of Unix machines in a computer network to attack the entire Internet en masse.
And that was just the start of what they were into. They had been in so many sites they often couldn't remember if they had actually hacked a particular computer. The places they could recall read like a Who's Who of the American military-industrial complex.
- The US Air Force 7th Command Group Headquarters in the Pentagon.
- Stanford Research Institute in California.
- Naval Surface Warfare Center in Virginia.
- Lockheed Martin's Tactical Aircraft Systems Air Force Plant in Texas.
- Unisys Corporation in Blue Bell, Pennsylvania.
- Goddard Space Flight Center, NASA.
- Motorola Inc. in Illinois.
- TRW Inc. in Redondo Beach, California.
- Alcoa in Pittsburgh.
- Panasonic Corp in New Jersey.
- US Naval Undersea Warfare Engineering Station.
- Siemens-Nixdorf Information Systems in Massachusetts.
- Securities Industry Automation Corp in New York.
- Lawrence Livermore National Laboratory in California.
- Bell Communications Research, New Jersey.
- Xerox Palo Alto Research Center, California.
In the spring of 1991, Prime Suspect and Mendax began a race to get root on the US Department of Defense's Network Information Center (NIC) computer - potentially the most important computer on the Internet.
As both hackers chatted amiably on-line one night, on a Melbourne University computer, Prime Suspect worked quietly in another screen to penetrate ns.nic.ddn.mil, a US Department of Defense system closely linked to NIC. He believed the sister system and NIC might ‘trust’ each other - a trust he could exploit to get into NIC. And NIC did everything.
NIC assigned domain names - the ‘.com’ or ‘.net’ at the end of an email address - for the entire Internet. NIC also controlled the US military's own internal defence data network, known as MILNET.
NIC also published the communication protocol standards for all of the Internet. Called RFCs (Request for Comments), these technical specifications allowed one computer on the Internet to talk to another.
Perhaps most importantly, NIC controlled the reverse look-up service on the Internet. Whenever someone connects to another site across the Internet, he or she typically types in the site name - say, ariel.unimelb.edu.au at the University of Melbourne. The computer then translates the alphabetical name into a numerical address - the IP address - in this case 126.96.36.199. All the computers on the Internet need this IP address to relay the packets of data onto the final destination computer. NIC decided how Internet computers would translate the alphabetical name into an IP address, and vice versa.
If you controlled NIC, you had phenomenal power on the Internet. You could, for example, simply make Australia disappear. Or you could turn it into Brazil. By pointing all Internet addresses ending in ‘.au’ - the designation for sites in Australia - to Brazil, you could cut Australia's part of the Internet off from the rest of the world and send all Australian Internet traffic to Brazil. In fact, by changing the delegation of all the domain names, you could virtually stop the flow of information between all the countries on the Internet.
Controlling NIC offered other benefits as well. Control NIC, and you owned a virtual pass-key into any computer on the Internet which ‘trusted’ another. And most machines trust at least one other system.
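The trust the passage describes rested on what name a connecting address resolved to. The standard check a trusting host can apply is forward-confirmed reverse DNS: the name returned for the address must itself resolve back to that address. The following is an added example, not code from the book or from any system it mentions; the resolver is a constructed in-memory stub with placeholder names and addresses so that it runs offline, and a real deployment would query DNS (socket.gethostbyaddr and socket.getaddrinfo, or a DNS library) in its place.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for a host-based trust decision.

Added example with a constructed stub resolver; names and addresses are
placeholders, not real hosts.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class StubResolver:
    """Stand-in for DNS: PTR (address -> name) and A (name -> addresses)."""
    ptr: Dict[str, str] = field(default_factory=dict)
    a: Dict[str, List[str]] = field(default_factory=dict)

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def forward(self, name: str) -> List[str]:
        return self.a.get(name.lower(), [])


def fcrdns_name(ip: str, resolver: StubResolver) -> Optional[str]:
    """Return the name for ip only when the reverse record is confirmed forward.

    None means the peer should be treated as unnamed: either no PTR exists
    or the PTR name does not resolve back to the connecting address.
    """
    name = resolver.reverse(ip)
    if name is None:
        return None
    if ip not in resolver.forward(name):
        return None
    return name


def peer_is_trusted(ip: str, trusted_hosts: List[str], resolver: StubResolver) -> bool:
    """Host-based trust that only honours names surviving the FCrDNS check."""
    name = fcrdns_name(ip, resolver)
    return name is not None and name.lower() in {h.lower() for h in trusted_hosts}


# Constructed zone data (documentation-range addresses, example names).
RESOLVER = StubResolver(
    ptr={
        "192.0.2.10": "ariel.example.edu",   # legitimate: forward record agrees
        "192.0.2.20": "ariel.example.edu",   # spoofed PTR: forward record disagrees
        "192.0.2.30": "orphan.example.edu",  # PTR exists but the name has no A record
    },
    a={"ariel.example.edu": ["192.0.2.10"]},
)

TRUSTED = ["ariel.example.edu"]


def demo() -> Dict[str, bool]:
    """Trust decision for each constructed peer address (no PTR for .40)."""
    return {
        ip: peer_is_trusted(ip, TRUSTED, RESOLVER)
        for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40")
    }


if __name__ == "__main__":
    for ip, ok in demo().items():
        print(f"{ip}: {'trusted' if ok else 'NOT trusted'}")
```

The check defeats the cheap case, a reverse record that has been pointed at a trusted name without the matching forward record. It does not help against an adversary who controls the delegation itself, as the passage points out, because such an adversary can make both lookups agree; name-based trust has no defence against that, which is why it was later replaced by cryptographic host authentication.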
When Prime Suspect managed to get inside NIC's sister system, he told Mendax and gave him access to the computer. Each hacker then began his own attack on NIC. When Mendax finally got root on NIC, the power was intoxicating. Prime Suspect got root at the same time but using a different method. They were both in.
Inside NIC, Mendax began by inserting a backdoor - a method of getting back into the computer at a later date in case an admin repaired the security flaws the hackers had used to get into the machine. From now on, if he telnetted into the system's Data Defense Network (DDN) information server and typed ‘login 0’ he would have instant, invisible root access to NIC.
That step completed, he looked around for interesting things to read. One file held what appeared to be a list of satellite and microwave dish coordinates - longitude, latitudes, transponder frequencies. Such coordinates might in theory allow someone to build a complete map of communications devices which were used to move the DOD's computer data around the world.
Mendax also penetrated MILNET's Security Coordination Center, which collected reports on every possible security incident on a MILNET computer. Those computers - largely TOPS-20s made by DEC - contained good automatic security programs. Any number of out-of-the-ordinary events would trigger an automatic security report. Someone logging into a machine for too long. A large number of failed login attempts, suggesting password guessing. Two people logging into the same account at the same time. Alarm bells would go off and the local computer would immediately send a security violation report to the MILNET security centre, where it would be added to the ‘hot list’.
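The three triggers named above are still the bread and butter of host-based detection. As an added example (not code from the book, and nothing to do with the TOPS-20 monitors themselves), the script below runs them over constructed sample log lines; the log format, field names and thresholds are assumptions chosen for the example.

```python
"""Three classic login-anomaly detectors run over constructed log lines.

Added example. Each line is 'timestamp host event user tty' with event one
of LOGIN_OK, LOGIN_FAIL or LOGOUT; the format and thresholds are assumed.
"""

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

Event = Tuple[datetime, str, str, str, str]

# Constructed sample: a guessing burst against bob, alice logged in twice at
# once, and alice's first session left open for nearly fourteen hours.
SAMPLE_LOG = """\
1991-10-03T22:14:01 host1 LOGIN_OK alice tty1
1991-10-03T22:14:07 host1 LOGIN_FAIL bob tty3
1991-10-03T22:14:09 host1 LOGIN_FAIL bob tty3
1991-10-03T22:14:12 host1 LOGIN_FAIL bob tty3
1991-10-03T22:14:15 host1 LOGIN_FAIL bob tty3
1991-10-03T22:14:18 host1 LOGIN_FAIL bob tty3
1991-10-03T22:30:00 host1 LOGIN_OK alice tty4
1991-10-03T22:31:00 host1 LOGOUT alice tty4
1991-10-03T23:00:00 host1 LOGIN_OK carol tty2
1991-10-04T03:00:00 host1 LOGOUT carol tty2
1991-10-04T12:00:00 host1 LOGOUT alice tty1
"""


def parse_log(log_text: str) -> List[Event]:
    """Parse lines into (timestamp, host, event, user, tty), oldest first."""
    events: List[Event] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, user, tty = line.split()
        events.append((datetime.fromisoformat(ts), host, event, user, tty))
    events.sort(key=lambda e: e[0])
    return events


def detect(
    events: List[Event],
    fail_threshold: int = 5,
    fail_window: timedelta = timedelta(seconds=60),
    max_session: timedelta = timedelta(hours=8),
) -> List[Dict[str, str]]:
    """Emit one report per triggered condition, in time order."""
    reports: List[Dict[str, str]] = []
    recent_fails: Dict[str, Deque[datetime]] = defaultdict(deque)  # user -> fails in window
    open_sessions: Dict[str, Dict[str, datetime]] = defaultdict(dict)  # user -> tty -> login
    for ts, host, event, user, tty in events:
        if event == "LOGIN_FAIL":
            window = recent_fails[user]
            window.append(ts)
            while window and ts - window[0] > fail_window:
                window.popleft()
            if len(window) == fail_threshold:  # fire once, when the threshold is reached
                reports.append({"type": "password_guessing", "user": user, "host": host, "at": ts.isoformat()})
        elif event == "LOGIN_OK":
            if open_sessions[user]:  # another session for this account is still open
                reports.append({"type": "concurrent_login", "user": user, "host": host, "at": ts.isoformat()})
            open_sessions[user][tty] = ts
        elif event == "LOGOUT":
            started = open_sessions[user].pop(tty, None)
            if started is not None and ts - started > max_session:
                reports.append({"type": "long_session", "user": user, "host": host, "at": ts.isoformat()})
    # Sessions with no LOGOUT yet stay in open_sessions; a periodic sweep
    # comparing them against max_session would catch those as well.
    return reports


def run_sample() -> List[Dict[str, str]]:
    """Reports produced for the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['at']} {r['host']} {r['type']} user={r['user']}")
```

The long-session rule can only fire at logout in this form, which is why the comment suggests a periodic sweep of still-open sessions; in practice the concurrent-login rule is the noisiest of the three and usually needs an allow-list for accounts that legitimately hold several sessions.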
Mendax flipped through page after page of MILNET's security reports on his screen. Most looked like nothing - MILNET users accidentally stumbling over a security tripwire - but one notice from a US military site in Germany stood out. It was not computer generated. This was from a real human being. The system admin reported that someone had been repeatedly trying to break into his or her machine, and had eventually managed to get in. The admin was trying, without much luck, to trace back the intruder's connection to its point of origin. Oddly, it appeared to originate in another MILNET system.
Riffling through other files, Mendax found mail confirming that the attack had indeed come from inside MILNET. His eyes grew wide as he read on. US military hackers had broken into MILNET systems, using them for target practice, and no-one had bothered to tell the system admin at the target site.
Mendax couldn't believe it. The US military was hacking its own computers. This discovery led to another, more disturbing, thought. If the US military was hacking its own computers for practice, what was it doing to other countries' computers?
In early October 1991, Mendax rang Trax and gave him the dial-up and account details for NMELH1.
Trax wasn't much of a hacker, but Mendax admired his phreaking talents. Trax was the father of phreaking in Australia and Trax's Toolbox, his guide to the art of phreaking, was legendary. Mendax thought Trax might find some interesting detailed information inside the NorTel network on how to control telephone switches.
Trax invented multi-frequency code phreaking. By sending special tones - generated by his computer program - down the phone line, he could control certain functions in the telephone exchange.
Many hackers had learned how to make free phone calls by charging the cost to someone else or to calling cards, but Trax discovered how to make phone calls which weren't charged to anyone.
The calls weren't just free; they were untraceable. Trax wrote 48 pages on his discovery and called it The Australian Phreakers Manual Volumes 1-7. But as he added more and more to the manual, he became worried what would happen if he released it in the underground, so he decided he would only show it to the other two International Subversive hackers.
He went on to publish The Advanced Phreaker's Manual 2, a second edition of the manual, in The International Subversive, the underground magazine edited by Mendax.
An electronic magazine, The International Subversive had a simple editorial policy. You could only have a copy of the magazine if you wrote an ‘article’. The policy was a good way of protecting against nappies - sloppy or inexperienced hackers who might accidentally draw police attention.
Trax made his great discovery by accident. He was using a phone sprinter, a simple computer program which automatically dialled a range of phone numbers looking for modems. If he turned the volume up on his modem when his computer dialled what seemed to be a dead or non-existent number, he sometimes heard a soft clicking noise after the disconnection message. The noise sounded like faint heartbeats.
When you make an international phone call from Australia to the US, the call passes from the local telephone exchange to an international gateway exchange within Australia. From there, it travels to an exchange in the US. The CCITT signalling tones were the special tones the two international gateway exchanges used to communicate with each other.
Telecom Australia adapted a later version of this standard, called R2, for use on its own domestic exchanges. Telecom called this new standard MFC, or multi-frequency code.
Passionate about his new calling, Trax went trashing in Telecom garbage bins, where he found an MFC register list - an invaluable piece of his puzzle. Using the list, along with pieces of overseas phreaking files and a great deal of painstaking hands-on effort, Trax slowly learned the language of the Australian telephone exchanges. Then he taught the language to his computer.
Trax tried calling one of the ‘heartbeat’ phone numbers again. He began playing his special, computer-generated tones through an amplifier. In simple terms, he was able to fool other exchanges into thinking he was his local Telecom exchange. More accurately, Trax had made his exchange drop him into the outgoing signalling trunk that had been used to route to the disconnected phone number.
Trax could now call out - anywhere - as if he was calling from a point halfway between his own phone and the disconnected number. If he called a modem at Melbourne University, for instance, and the line was being traced, his home phone number would not show up on the trace records. No-one would be charged for the call because Trax's calls were ghosts in the phone system.
Trax continued to refine his ability to manipulate both the telephone and the exchange. He took his own telephone apart, piece by piece, countless times, fiddling with the parts until he understood exactly how it worked. Within months, he was able to do far more than just make free phone calls. He could, for instance, make a line trace think that he had come from a specific telephone number.
He and Mendax joked that if they called a ‘hot’ site they would use Trax's technique to send the line trace - and the bill - back to one very special number. The one belonging to the AFP's Computer Crime Unit in Melbourne.
Mendax logged into the NMELH1 system by using the account Prime Suspect had given him, and immediately looked around to see who else was on-line. Prime Suspect and about nine other people, only three of whom were actually doing something at their terminal.
Prime Suspect and Mendax raced to get root on the system. Mendax poked around and realised the root directory, which contained the password file, was effectively world writable.
This was good news, and with some quick manipulation he would be able to insert something into the root directory. On a more secure system, unprivileged users would not be able to do that. Mendax could also copy things from the directory on this site, and change the names of subdirectories within the main root directory. All these permissions were important, for they would enable him to create a Trojan.
The Trojan is a favoured approach with most computer hackers. The hacker simply tricks a computer system or a user into thinking that a slightly altered file or directory - the Trojan - is the legitimate one. The Trojan directory, however, contains false information to fool the computer into doing something the hacker wants. Alternatively, the Trojan might simply trick a legitimate user into giving away valuable information, such as his user name and password.
Mendax made a new directory and copied the contents of the legitimate ETC directory - where the password files were stored - into it. The passwords were encrypted, so there wasn’t much sense trying to look at one since the hacker wouldn’t be able to read it. Instead, he selected a random legitimate user - call him Joe - and deleted his password. With no password, Mendax would be able to login as Joe without any problems.
However, Joe was just an average user. He didn’t have root, which is what Mendax wanted. But like every other user on the system, Joe had a user identity number. Mendax changed Joe’s user id to ‘0’ - the magic number. A user with ‘0’ as his id had root. Joe had just acquired power usually only given to system administrators.
The problem now was to replace the original ETC directory with the Trojan one. Mendax did not have the privileges to delete the legitimate ETC directory, but he could change the name of a directory.
So he changed the name of the ETC directory to something the computer system would not recognise. Without access to its list of users, the computer could not perform most of its functions. People would not be able to log in, see who else was on the system or send electronic mail. Mendax had to work very quickly. Within a matter of minutes, someone would notice the system had serious problems.
Mendax renamed his Trojan directory ETC. The system instantly read the fake directory, including Joe’s now non-existent password and his elevated status as a super-user. Mendax logged in again, this time as Joe.
There were still a few footprints to be cleaned up. The next time Joe logged in, he would wonder why the computer didn’t ask for his password. And he might be surprised to discover he had been transformed into a super-user. So Mendax used his super-user status to delete the Trojan ETC directory and return the original one to its proper place. He also erased records showing he had ever logged in as Joe.
To make sure he could login with super-user privileges in future, Mendax installed a special program which would automatically grant him root access. He hid the program in the bowels of the system and, just to be safe, created a special feature so that it could only be activated with a secret keystroke.
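Every step of the ETC-directory trick above depended on conditions an administrator can audit: a writable parent directory (so ETC could be renamed and replaced), a passwd entry with an empty password field, and an account other than root carrying user id 0. The script below is an added example, not code from the book or from NorTel; it applies those three checks to a constructed passwd-format text and to directory mode bits, so it runs offline, and audit_system() shows the same checks wired to a live /etc.

```python
"""Audit the conditions the ETC-directory Trojan relied on.

Added example. SAMPLE_PASSWD is constructed; the finding messages are
this script's own wording.
"""

import os
import stat
from typing import List

# Constructed passwd-style input: 'joe' has been given an empty password
# field and uid 0, exactly the edit the passage describes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe::0:100:Joe User:/home/joe:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
"""


def passwd_findings(passwd_text: str) -> List[str]:
    """Flag empty password fields and uid-0 accounts that are not root."""
    findings: List[str] = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if not uid.isdigit():
            findings.append(f"line {lineno}: non-numeric uid for {name}")
            continue
        if password == "":
            findings.append(f"line {lineno}: empty password field for {name} (login needs no password)")
        if int(uid) == 0 and name != "root":
            findings.append(f"line {lineno}: uid 0 account other than root: {name}")
    return findings


def dir_mode_findings(label: str, mode: int) -> List[str]:
    """Flag a directory whose entries others can rename or replace.

    mode is an st_mode value. A world-writable directory without the sticky
    bit lets any user rename or unlink entries; with the sticky bit only the
    owner of an entry may, which blocks the rename-and-replace trick.
    """
    findings: List[str] = []
    if mode & stat.S_IWOTH:
        if mode & stat.S_ISVTX:
            findings.append(f"{label}: world-writable (sticky bit set; entries can still be created)")
        else:
            findings.append(f"{label}: world-writable without sticky bit (any user can rename or replace entries)")
    elif mode & stat.S_IWGRP:
        findings.append(f"{label}: group-writable")
    return findings


def audit_system(root_dir: str = "/", etc_dir: str = "/etc") -> List[str]:
    """Run the checks against a live system (not exercised by the offline test).

    The parent of etc_dir is checked because renaming etc_dir needs write
    permission there, not on etc_dir itself.
    """
    findings = dir_mode_findings(root_dir, os.stat(root_dir).st_mode)
    findings += dir_mode_findings(etc_dir, os.stat(etc_dir).st_mode)
    with open(os.path.join(etc_dir, "passwd"), encoding="utf-8") as fh:
        findings += passwd_findings(fh.read())
    return findings


if __name__ == "__main__":
    for f in passwd_findings(SAMPLE_PASSWD) + dir_mode_findings("/", 0o40777):
        print(f)
```

On a modern system the password hash lives in /etc/shadow rather than the second passwd field, so the empty-password check should be repeated there; the uid-0 and directory-permission checks apply unchanged, and the root directory and /etc should report nothing.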
The NorTel network was firewalled, which meant that there was virtually no access from the outside world. Mendax reckoned that this made it more vulnerable to hackers who managed to get in through dial-ups. It appeared that security on the NorTel network was relatively relaxed since it was virtually impossible to break in through the Internet. By sneaking in the backdoor, the hackers found themselves able to raid all sorts of NorTel sites, from St Kilda Road in Melbourne to the corporation’s headquarters in Toronto.
They found a YP, or yellow pages, database linked to 400 of the computer sites. These 400 sites were dependent on this YP database for their password files. Mendax managed to get root on the YP database, which gave him instant control over 400 computer systems.
One system was home to a senior NorTel computer security administrator and Mendax promptly headed off to check out his mailbox. The contents made him laugh.
A letter from the Australian office said that Australia’s Telecom wanted access to CORWAN, NorTel’s corporate wide area network. Access would involve linking CORWAN and a small Telecom network. This seemed reasonable enough since Telecom did business with NorTel and staff were communicating all the time.
The Canadian security admin had written back turning down the request because there were too many hackers in the Telecom network.
Too many hackers in Telecom? Now that was funny. Here was a hacker reading the sensitive mail of NorTel’s computer security expert who reckoned Telecom’s network was too exposed. In fact, Mendax had penetrated Telecom’s systems from NorTel’s CORWAN, not the other way round.
Perhaps to prove the point, Mendax decided to crack passwords to the NorTel system. He collected 1003 password files from the NorTel sites, pulled up his password cracking program, THC, and started hunting around the network for some spare computers to do the job for him. He located a collection of 40 Sun computers, probably housed in Canada, and set up his program on them.
THC ran very fast on those Sun4s. The program used a 60000 word dictionary borrowed from someone in the US army who had done a thesis on cryptography and password cracking. It also relied on ‘a particularly nice fast-crypt algorithm’ being developed by a Queensland academic, Eric Young. The THC program worked about 30 times faster than it would have done using the standard algorithm.
Using all 40 computers, Mendax was throwing as many as 40000 guesses per second against the password lists. A couple of the Suns went down under the strain, but most held their place in the onslaught. The secret passwords began dropping like flies. In just a few hours, Mendax had cracked 5000 passwords, some 100 of which were to root accounts. He now had access to thousands of NorTel computers across the globe.
There were some very nice prizes to be had from these systems. Gain control over a large company’s computer systems and you virtually controlled the company itself. It was as though you could walk through every security barrier unchecked, beginning with the front door. Want each employee’s security codes for the office’s front door? There it was - on-line.
How about access to the company’s payroll records? You could see how much money each person earns. Better still, you might like to make yourself an employee and pay yourself a tidy once-off bonus through electronic funds transfer.
Although the NorTel network was firewalled, there was one link to the Internet. The link was through a system called BNRGATE, Bell-Northern Research’s gateway to the Internet. Bell-Northern is NorTel’s R&D subsidiary.
Mendax began hunting around for a doorway. System administrators sometimes sent passwords through email. Normally this would be a major security risk, but the NorTel system was firewalled from the Internet, so the admins thought they had no real reason to be concerned about hackers.
In the NorTel network, a mail spool, where email was stored, was often shared between as many as twenty computer systems. This structure offered considerable advantages for Mendax. All he needed to do was break into the mail spool and run a keyword search through its contents. Tell the computer to search for word combinations such as ‘BNRGATE’ and ‘password’, or to look for the name of the system admin for BNRGATE, and likely as not it would deliver tender morsels of information such as new passwords.
Mendax used a password he found through this method to get into BNRGATE and look around. It appeared to Mendax that the NorTel network admins allowed most users to FTP something from the Internet, but prevented them from taking the copied file back to their NorTel computer site.
However, a small number of accounts on BNRGATE had fewer restrictions. Mendax broke into one of these accounts and went out to the Internet.
People from the Internet were barred from entering the NorTel network through BNRGATE. However, people inside NorTel could go out to the Internet via telnet.
To a hacker, the NorTel network was like a medieval castle and the BNRGATE firewall was an impossible battlement. It was a particular delight for Mendax to telnet out from behind this firewall into the Internet. It was as if he was walking out from the castle, past the guards and well-defended turrets, over the drawbridge and the moat, into the town below.
The castle also offered the perfect protection for further hacking activities. Who could chase him? Even if someone managed to follow him through the convoluted routing system he might set up to pass through a half dozen computer systems, the pursuer would never get past the battlements. Mendax could just disappear behind the firewall. He could be any one of 60000 NorTel employees on any one of 11000 computer systems.
The flat structure of the NorTel network created a good challenge since the only way to find out what was in a particular site, and its importance, was to invade the site itself. The IS hackers spent hours most nights roving through the vast system. The next morning one of them might call another to share tales of the latest exploits or a good laugh about a particularly funny piece of pilfered email.