Underground
By Suelette Dreyfus with
Research by Julian Assange
Chapter 8
The International Subversives
All around
an eerie sound
-- from ‘Maralinga’, on 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 by Midnight Oil
Prime Suspect rang Mendax, offering an adventure. He had discovered a
strange system called NMELH1 (pronounced N-Melly-H-1) and it was time
to go exploring. He read off the dial-up numbers, found in a list of
modem phone numbers on another hacked system.
Mendax looked at the scrap of paper in his hand, thinking about the
name of the computer system.
The ‘N’ stood for Northern Telecom, a Canadian company with annual
sales of $8 billion. NorTel, as the company was known, sold thousands
of highly sophisticated switches and other telephone exchange
equipment to some of the world’s largest phone companies. The ‘Melly’
undoubtedly referred to the fact that the system was in Melbourne. As
for the ‘H-1’, well, that was anyone’s guess, but Mendax figured it
probably stood for ‘host-1’--meaning computer site number one.
Prime Suspect had stirred Mendax’s interest. Mendax had spent hours
experimenting with commands inside the computers which controlled
telephone exchanges. In the end, those forays were all just
guesswork--trial and error learning, at considerable risk of
discovery. Unlike making a mistake inside a single computer,
mis-guessing a command inside a telephone exchange in downtown Sydney
or Melbourne could take down a whole prefix--10000 or more phone
lines--and cause instant havoc.
This was exactly what the International Subversives didn’t want to do.
The three IS hackers--Mendax, Prime Suspect and Trax--had seen what
happened to the visible members of the computer underground in England
and in Australia. The IS hackers had three very good reasons to keep
their activities quiet.
Phoenix. Nom. And Electron.
But, Mendax thought, what if you could learn about how to manipulate a
million-dollar telephone exchange by reading
the manufacturer’s technical documentation? How high was
the chance that those documents, which weren’t available to the
public, were stored inside NorTel’s computer network?
Better still, what if he could find NorTel’s original source code--the
software designed to control specific telephone switches, such as the
DMS-100 model? That code might be sitting on a computer hooked into
the worldwide NorTel network. A hacker with access could insert his
own backdoor--a hidden security flaw--before the company sent out
software to its customers.
With a good technical understanding of how NorTel’s equipment worked,
combined with a backdoor installed in every piece of software shipped
with a particular product, you could have control over every new
NorTel DMS telephone switch installed from Boston to Bahrain. What
power! Mendax thought, what if you could turn off 10000 phones in
Rio de Janeiro, or give 5000 New Yorkers free calls one afternoon, or
listen into private telephone conversations in Brisbane? The
telecommunications world would be your oyster.
Like their predecessors, the three IS hackers had started out in the
Melbourne BBS scene. Mendax met Trax on Electric Dreams in about 1988,
and Prime Suspect on Megaworks, where he used the handle Control
Reset, not long after that. When he set up his own BBS at his home in
Tecoma, a hilly suburb so far out of Melbourne that it was practically
in forest, he invited both hackers to visit ‘A Cute Paranoia’ whenever
they could get through on the single phone line.
Visiting on Mendax’s BBS suited both hackers, for it was more private
than other BBSes. Eventually they exchanged home telephone numbers,
but only to talk modem-to-modem. For months, they would ring each
other up and type on their computer screens to each other--never
having heard the sound of the other person’s voice. Finally, late in
1990, the nineteen-year-old Mendax called up the 24-year-old Trax for
a voice chat. In early 1991, Mendax and Prime Suspect, aged seventeen,
also began speaking in voice on the phone.
Trax seemed slightly eccentric, and possibly suffered from some sort
of anxiety disorder. He refused to travel to the city, and he once
made reference to seeing a psychiatrist. But Mendax usually found the
most interesting people were a little unusual, and Trax was both.
Mendax and Trax discovered they had a few things in common. Both came
from poor but educated families, and both lived in the outer suburbs.
However, they had very different childhoods.
Trax’s parents migrated to Australia from Europe. Both his father, a
retired computer technician, and his mother spoke with a German
accent. Trax’s father was very much the head of the household, and
Trax was his only son.
By contrast, by the time he was fifteen Mendax had lived in a dozen
different places including Perth, Magnetic Island, Brisbane,
Townsville, Sydney, the Adelaide Hills, and a string of coastal towns
in northern New South Wales and Western Australia. In fifteen years he
had enrolled in at least as many different schools.
His mother had left her Queensland home at age seventeen, after saving
enough money from selling her paintings to buy a motorcycle, a tent
and a road map of Australia. Waving goodbye to her stunned parents,
both academics, she rode off into the sunset. Some 2000 kilometres
later, she arrived in Sydney and joined the thriving counter-culture
community. She worked as an artist and fell in love with a rebellious
young man she met at an anti-Vietnam demonstration.
Within a year of Mendax’s birth, his mother’s relationship with his
father had ended. When Mendax was two, she married a fellow artist.
What followed was many turbulent years, moving from town to town as
his parents explored the ’70s left-wing, bohemian subculture. As a
boy, he was surrounded by artists. His stepfather staged and directed
plays and his mother did make-up, costume and set design.
One night in Adelaide, when Mendax was about four, his mother and a
friend were returning from a meeting of anti-nuclear protesters. The
friend claimed to have scientific evidence that the British had
conducted high-yield, above-ground nuclear tests at Maralinga, a
desert area in north-west South Australia.
A 1984 Royal Commission subsequently revealed that between 1953 and
1963 the British government had tested nuclear bombs at the site,
forcing more than 5000 Aborigines from their native lands. In December
1993, after years of stalling, the British government agreed to pay
£20 million toward cleaning up the more than 200 square
kilometres of contaminated lands. Back in 1968, however, the Menzies
government had signed away Britain’s responsibility to clean up the
site. In the 1970s, the Australian government was still in denial
about exactly what had happened at Maralinga.
As Mendax’s mother and her friend drove through an Adelaide suburb
carrying early evidence of the Maralinga tragedy, they noticed they
were being followed by an unmarked car. They tried to lose the tail,
without success. The friend, nervous, said he had to get the data to
an Adelaide journalist before the police could stop him. Mendax’s
mother quickly slipped into a back lane and the friend leapt from the
car. She drove off, taking the police tail with her.
The plain-clothed police pulled her over shortly after, searched her
car and demanded to know where her friend had gone and what had
occurred at the meeting. When she was less than helpful, one officer
told her, ‘You have a child out at 2 in the morning. I think you
should get out of politics, lady. It could be said you were an unfit
mother’.
A few days after this thinly veiled threat, her friend showed up at
Mendax’s mother’s house, covered in fading bruises. He said the police
had beaten him up, then set him up by planting hash on him. ‘I’m
getting out of politics,’ he announced.
However, she and her husband continued their involvement in theatre.
The young Mendax never dreamed of running away to join the circus--he
already lived the life of a travelling minstrel. But although the
actor-director was a good stepfather, he was also an alcoholic. Not
long after Mendax’s ninth birthday, his parents separated and then
divorced.
Mendax’s mother then entered a tempestuous relationship with an
amateur musician. Mendax was frightened of the man, whom he considered
a manipulative and violent psychopath. He had five different
identities with plastic in his wallet to match. His whole background
was a fabrication, right down to the country of his birth. When the
relationship ended, the steady pattern of moving around the
countryside began again, but this journey had a very different flavour
from the earlier happy-go-lucky odyssey. This time, Mendax and his
family were on the run from a physically abusive de facto. Finally,
after hiding under assumed names on both sides of the continent,
Mendax and his family settled on the outskirts of Melbourne.
Mendax left home at seventeen because he had received a tip-off about
an impending raid. Mendax wiped his disks, burnt his print-outs and
left. A week later, the Victorian CIB turned up and searched his room,
but found nothing. He married his girlfriend, an intelligent but
introverted and emotionally disturbed sixteen-year-old he had met
through a mutual friend in a gifted children’s program. A year later
they had a child.
Mendax made many of his friends through the computer community. He
found Trax easy to talk to and they often spent up to five hours on a
single phone call. Prime Suspect, on the other hand, was hard work on
the phone.
Quiet and introverted, Prime Suspect always seemed to run out of
conversation after five minutes. Mendax was himself naturally shy, so
their talks were often filled with long silences. It wasn’t that
Mendax didn’t like Prime Suspect, he did. By the time the three
hackers met in person at Trax’s home in mid-1991, he considered Prime
Suspect more than just a fellow hacker in the tight-knit IS circle.
Mendax considered him a friend.
Prime Suspect was a boy of veneers. To most of the world, he appeared
to be a studious year 12 student bound for university from his upper
middle-class grammar school. The all-boys school never expected less
from its students and the possibility of attending a TAFE--a
vocational college--was never discussed as an option. University was
the object. Any student who failed to make it was quietly swept under
the carpet like some sort of distasteful food dropping.
Prime Suspect’s own family situation did not mirror the veneer of
respectability portrayed by his school. His father, a pharmacist, and
his mother, a nurse, had been in the midst of an acrimonious divorce
battle when his father was diagnosed with terminal cancer. In this
bitter, antagonistic environment, the eight-year-old Prime Suspect was
delivered to his father’s bedside in hospice for a rushed few moments
to bid him farewell.
Through much of his childhood and adolescence, Prime Suspect’s mother
remained bitter and angry about life, and particularly her
impoverished financial situation. When he was eight, Prime Suspect’s
older sister left home at sixteen, moved to Perth and refused to speak
to her mother. In some ways, Prime Suspect felt he was expected to be
both child and de facto parent. All of which made him grow up faster
in some ways, but remain immature in others.
Prime Suspect responded to the anger around him by retreating into his
room. When he bought his first computer, an Apple IIe, at age thirteen
he found it better company than any of his relatives. The computers at
school didn’t hold much interest for him, since they weren’t connected
to the outside world via modem. After reading about BBSes in the Apple
Users’ Society newsletter, he saved up for his own modem and soon
began connecting into various BBSes.
School did, however, provide the opportunity to rebel, albeit
anonymously, and he conducted extensive pranking campaigns. Few
teachers suspected the quiet, clean-cut boy and he was rarely caught.
Nature had endowed Prime Suspect with the face of utter innocence.
Tall and slender with brown curly hair, his true character only showed
in the elfish grin which sometimes passed briefly across his baby
face. Teachers told his mother he was underachieving compared to his
level of intelligence, but had few complaints otherwise.
By year 10, he had become a serious hacker and was spending every
available moment at his computer. Sometimes he skipped school, and he
often handed assignments in late. He found it difficult to come up
with ever more creative excuses and sometimes he imagined telling his
teachers the truth. ‘Sorry I didn’t get that 2000-word paper done but
I was knee-deep in NASA networks last night.’ The thought made him
laugh.
He saw girls as an unwanted distraction from hacking. Sometimes, after
he chatted with a girl at a party, his friends would later ask him why
he hadn’t asked her out. Prime Suspect shrugged it off. The real
reason was that he would rather get home to his computer, but he never
discussed his hacking with anyone at school, not even with Mentat.
A friend of Force’s and occasional visitor to The Realm, Mentat was
two years ahead of Prime Suspect at school and in general couldn’t be
bothered talking to so junior a hacker as Prime Suspect. The younger
hacker didn’t mind. He had witnessed other hackers’ indiscretions,
wanted no part of them and was happy to keep his hacking life private.
Before the Realm bust, Phoenix rang him up once at 2 a.m. suggesting
that he and Nom come over there and then. Woken by the call, Prime
Suspect’s mother stood in the doorway to his bedroom, remonstrating
with him for letting his ‘friends’ call at such a late hour. With
Phoenix goading him in one ear, and his mother chewing him out in the
other, Prime Suspect decided the whole thing was a bad idea. He said
no thanks to Phoenix, and shut the door on his mother.
He did, however, talk to Powerspike on the phone once in a while. The
older hacker’s highly irreverent attitude and Porky Pig laugh appealed
to him. But other than those brief talks, Prime Suspect avoided
talking on the phone to people outside the International Subversives,
especially when he and Mendax moved into ever more sensitive military
computers.
Using a program called Sycophant written by Mendax, the IS hackers had
been conducting massive attacks on the US military. They divided up
Sycophant on eight attack machines, often choosing university systems
at places like the Australian National University or the University of
Texas. They pointed the eight machines at the targets and fired.
Within six hours, the eight machines had assaulted thousands of
computers. The hackers sometimes reaped 100000 accounts each night.
Using Sycophant, they essentially forced a cluster of Unix machines in
a computer network to attack the entire Internet en masse.
And that was just the start of what they were into. They had been in
so many sites they often couldn’t remember if they
had actually hacked a particular computer. The places they could
recall read like a Who’s Who of the American military-industrial
complex. The US Air Force 7th Command Group Headquarters in the
Pentagon. Stanford Research Institute in California. Naval Surface
Warfare Center in Virginia. Lockheed Martin’s Tactical Aircraft
Systems Air Force Plant in Texas. Unisys Corporation in Blue Bell,
Pennsylvania. Goddard Space Flight Center, NASA. Motorola Inc. in
Illinois. TRW Inc. in Redondo Beach, California. Alcoa in Pittsburgh.
Panasonic Corp in New Jersey. US Naval Undersea Warfare Engineering
Station. Siemens-Nixdorf Information Systems in Massachusetts.
Securities Industry Automation Corp in New York. Lawrence Livermore
National Laboratory in California. Bell Communications Research, New
Jersey. Xerox Palo Alto Research Center, California.
As the IS hackers reached a level of sophistication beyond anything
The Realm had achieved, they realised that progress carried
considerable risk and began to withdraw completely from the broader
Australian hacking community. Soon they had drawn a tight circle
around themselves. They talked only to each other.
Watching the Realm hackers go down hadn’t deterred the next generation
of hackers. It had only driven them further underground.
In the spring of 1991, Prime Suspect and Mendax began a race to get
root on the US Department of Defense’s Network Information Center
(NIC) computer--potentially the most important computer on the
Internet.
As both hackers chatted amiably on-line one night, on a Melbourne
University computer, Prime Suspect worked quietly in another screen to
penetrate ns.nic.ddn.mil, a US Department of Defense system closely
linked to NIC. He believed the sister system and NIC might ‘trust’
each other--a trust he could exploit to get into NIC. And NIC did
everything.
NIC assigned domain names--the ‘.com’ or ‘.net’ at the end of an email
address--for the entire Internet. NIC also controlled the US
military’s own internal defence data network, known as MILNET.
NIC also published the communication protocol standards for all of the
Internet. Called RFCs (Request for Comments), these technical
specifications allowed one computer on the Internet to talk to
another. The Defense Data Network Security Bulletins, the US
Department of Defense’s equivalent of CERT advisories, came from the
NIC machine.
Perhaps most importantly, NIC controlled the reverse look-up service
on the Internet. Whenever someone connects to another site across the
Internet, he or she typically types in the site name--say,
ariel.unimelb.edu.au at the University of Melbourne. The computer then
translates the alphabetical name into a numerical address--the IP
address--in this case 128.250.20.3. All the computers on the Internet
need this IP address to relay the packets of data onto the final
destination computer. NIC decided how Internet computers would
translate the alphabetical name into an IP address, and vice versa.
If you controlled NIC, you had phenomenal power on the Internet. You
could, for example, simply make Australia disappear. Or you could turn
it into Brazil. By pointing all Internet addresses ending in
‘.au’--the designation for sites in Australia--to Brazil, you could
cut Australia’s part of the Internet off from the rest of the world
and send all Australian Internet traffic to Brazil. In fact, by
changing the delegation of all the domain names, you could virtually
stop the flow of information between all the countries on the
Internet.
The only way someone could circumvent this power was by typing in the
full numerical IP address instead of a proper alphabetical address.
But few people knew the up-to-twelve-digit IP equivalent of their
alphabetical addresses, and fewer still actually used them.
Controlling NIC offered other benefits as well. Control NIC, and you
owned a virtual pass-key into any computer on the Internet which
‘trusted’ another. And most machines trust at least one other system.
Whenever one computer connects to another across the Net, both
machines go through a special meet-and-greet process. The receiving
computer looks over the first machine and asks itself
a few questions. What’s the name of the incoming machine?
Is that name allowed to connect to me? In what ways am I
programmed to ‘trust’ that machine--to waive my normal security for
connections from that system?
The receiving computer answers these questions based in large part on
information provided by NIC. All of which means that, by controlling
NIC, you could make any computer on the Net ‘pose’ as a machine
trusted by a computer you might want to hack. Security often depended
on a computer’s name, and NIC effectively controlled that name.
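
The name-based trust decision described above, as an added example that is not from the book: a receiving host that trusts the reverse look-up alone, beside one that also confirms the name with a forward look-up. The in-memory name service, the host name `trusted.example.edu` and the documentation addresses are constructed assumptions; the last scenario shows that even the stricter check fails once both directions of the name service are controlled by the same party.

```python
"""Added example: trust keyed on a looked-up host name is only as strong
as the name service that answers the look-up. Runs offline."""

TRUSTED_NAMES = {"trusted.example.edu"}  # hypothetical allow-list of trusted host names

GENUINE = "192.0.2.10"     # constructed address of the real trusted host (RFC 5737 range)
IMPOSTOR = "198.51.100.7"  # constructed address of some unrelated machine


class NameService:
    """Constructed, in-memory stand-in for the name service (no network access)."""

    def __init__(self, reverse, forward):
        self.reverse = dict(reverse)                            # address -> name
        self.forward = {n: set(a) for n, a in forward.items()}  # name -> addresses

    def name_of(self, address):
        """Reverse look-up: which name does the service give for this address?"""
        name = self.reverse.get(address)
        return name.lower().rstrip(".") if name else None

    def addresses_of(self, name):
        """Forward look-up: which addresses does the service give for this name?"""
        return self.forward.get(name, set())


def trust_reverse_only(ns, peer):
    """Weak check: believe whatever name the reverse look-up returns."""
    return ns.name_of(peer) in TRUSTED_NAMES


def trust_forward_confirmed(ns, peer):
    """Stricter check: the name must also resolve back to the peer's address."""
    name = ns.name_of(peer)
    return name in TRUSTED_NAMES and peer in ns.addresses_of(name)


def scenarios():
    """Return {scenario: (reverse_only_accepts, forward_confirmed_accepts)}."""
    name = "trusted.example.edu"
    honest = NameService({GENUINE: name}, {name: [GENUINE]})
    # Only the reverse record for the impostor's address has been falsified.
    bad_reverse = NameService({GENUINE: name, IMPOSTOR: name}, {name: [GENUINE]})
    # Both directions falsified: the case of controlling the whole name service.
    bad_both = NameService({GENUINE: name, IMPOSTOR: name},
                           {name: [GENUINE, IMPOSTOR]})

    def both(ns, peer):
        return trust_reverse_only(ns, peer), trust_forward_confirmed(ns, peer)

    return {
        "honest records, genuine peer": both(honest, GENUINE),
        "honest records, impostor": both(honest, IMPOSTOR),
        "reverse record falsified": both(bad_reverse, IMPOSTOR),
        "forward and reverse falsified": both(bad_both, IMPOSTOR),
    }


if __name__ == "__main__":
    for label, (weak, strict) in scenarios().items():
        print(f"{label:32} reverse-only={weak!s:5} forward-confirmed={strict}")
```

Neither check authenticates the peer itself; a host that needs that guarantee has to verify a cryptographic host key rather than a name.
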
When Prime Suspect managed to get inside NIC’s sister system, he told
Mendax and gave him access to the computer. Each hacker then began his
own attack on NIC. When Mendax finally got root on NIC, the power was
intoxicating. Prime Suspect got root at the same time but using a
different method. They were both in.
Inside NIC, Mendax began by inserting a backdoor--a method of getting
back into the computer at a later date in case an admin repaired the
security flaws the hackers had used to get into the machine. From now
on, if he telnetted into the system’s Defense Data Network (DDN)
information server and typed ‘login 0’ he would have instant,
invisible root access to NIC.
That step completed, he looked around for interesting things to read.
One file held what appeared to be a list of satellite and microwave
dish coordinates--longitude, latitudes, transponder frequencies. Such
coordinates might in theory allow someone to build a complete map of
communications devices which were used to move the DOD’s computer data
around the world.
Mendax also penetrated MILNET’s Security Coordination Center, which
collected reports on every possible security incident on a MILNET
computer. Those computers--largely TOPS-20s made by DEC--contained
good automatic security programs. Any number of out-of-the-ordinary
events would trigger an automatic security report. Someone logging
into a machine for too long. A large number of failed login attempts,
suggesting password guessing. Two people logging into the same account
at the same time. Alarm bells would go off and the local computer
would immediately send a security violation report to the MILNET
security centre, where it would be added to the ‘hot list’.
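
The three tripwires named above (a burst of failed logins, two simultaneous logins to one account, an over-long session), as an added example that is not from the book or from any MILNET software. The log format, the thresholds and the sample lines are constructed assumptions.

```python
"""Added example: rule-based login tripwires run over a constructed log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; the text gives none.
MAX_FAILS = 5                       # failures that make a burst
FAIL_WINDOW = timedelta(minutes=10)  # ...when they fall inside this window
MAX_SESSION = timedelta(hours=8)     # longest session considered ordinary

# Constructed sample log: "<ISO time> <host> <account> <event>"
SAMPLE_LOG = """\
1991-10-01T01:00:00 hostA alice LOGIN_OK
1991-10-01T01:05:00 hostA bob LOGIN_FAIL
1991-10-01T01:05:20 hostA bob LOGIN_FAIL
1991-10-01T01:05:40 hostA bob LOGIN_FAIL
1991-10-01T01:06:00 hostA bob LOGIN_FAIL
1991-10-01T01:06:20 hostA bob LOGIN_FAIL
1991-10-01T01:30:00 hostB erin LOGIN_OK
1991-10-01T02:00:00 hostA alice LOGIN_OK
1991-10-01T02:30:00 hostA alice LOGOUT
1991-10-01T02:45:00 hostA alice LOGOUT
1991-10-01T03:00:00 hostB carol LOGIN_OK
1991-10-01T03:10:00 hostB dave LOGIN_FAIL
1991-10-01T12:30:00 hostB carol LOGOUT
"""


def parse(line):
    """Split one log line into (timestamp, host, account, event)."""
    ts, host, account, event = line.split()
    return datetime.fromisoformat(ts), host, account, event


def detect(log_text):
    """Return a list of (timestamp, host, account, rule) violation reports."""
    fails = defaultdict(deque)  # (host, account) -> recent failure times
    opened = defaultdict(list)  # (host, account) -> start times of open sessions
    reports = []
    last_ts = None

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, account, event = parse(line)
        key = (host, account)
        last_ts = ts

        if event == "LOGIN_FAIL":
            recent = fails[key]
            recent.append(ts)
            while ts - recent[0] > FAIL_WINDOW:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= MAX_FAILS:
                reports.append((ts, host, account, "FAILED_LOGIN_BURST"))
                recent.clear()                   # one report per burst
        elif event == "LOGIN_OK":
            if opened[key]:                      # account already has a live session
                reports.append((ts, host, account, "CONCURRENT_LOGIN"))
            opened[key].append(ts)
        elif event == "LOGOUT" and opened[key]:
            # No session ids in this format, so pair a logout with the oldest login.
            start = opened[key].pop(0)
            if ts - start > MAX_SESSION:
                reports.append((ts, host, account, "LONG_SESSION"))

    # Sessions still open when the log ends are measured against the last entry.
    for (host, account), starts in opened.items():
        for start in starts:
            if last_ts - start > MAX_SESSION:
                reports.append((last_ts, host, account, "LONG_SESSION"))
    return reports


if __name__ == "__main__":
    for ts, host, account, rule in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host} {account}: {rule}")
```
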
Mendax flipped through page after page of MILNET’s security reports on
his screen. Most looked like nothing--MILNET users accidentally
stumbling over a security tripwire--but one notice from a US military
site in Germany stood out. It was not computer generated. This was
from a real human being. The system admin reported that someone had
been repeatedly trying to break into his or her machine, and had
eventually managed to get in. The admin was trying, without much luck,
to trace back the intruder’s connection to its point of origin. Oddly,
it appeared to originate in another MILNET system.
Riffling through other files, Mendax found mail confirming that the
attack had indeed come from inside MILNET. His eyes grew wide as he
read on. US military hackers had broken into MILNET systems, using
them for target practice, and no-one had bothered to tell the system
admin at the target site.
Mendax couldn’t believe it. The US military was hacking its own
computers. This discovery led to another, more disturbing, thought. If
the US military was hacking its own computers for practice, what was
it doing to other countries’ computers?
As he quietly backed out of the system, wiping away his footprints as
he tip-toed away, Mendax thought about what he had seen. He was deeply
disturbed that any hacker would work for the US military.
Hackers, he thought, should be anarchists, not hawks.
In early October 1991, Mendax rang Trax and gave him the dial-up and
account details for NMELH1.
Trax wasn’t much of a hacker, but Mendax admired his phreaking
talents. Trax was the father of phreaking in Australia and Trax’s
Toolbox, his guide to the art of phreaking, was
legendary. Mendax thought Trax might find some interesting detailed
information inside the NorTel network on how to
control telephone switches.
Trax invented multi-frequency code phreaking. By sending special
tones--generated by his computer program--down the phone line, he
could control certain functions in the telephone exchange. Many
hackers had learned how to make free phone calls by charging the cost
to someone else or to calling cards, but Trax discovered how to make
phone calls which weren’t charged to anyone. The calls weren’t just
free; they were untraceable.
Trax wrote 48 pages on his discovery and called it The Australian
Phreakers Manual Volumes 1-7. But as he added more and more to the
manual, he became worried what would happen if he released it in the
underground, so he decided he would only show it to the other two
International Subversive hackers.
He went on to publish The Advanced Phreaker’s Manual,[2] a second
edition of the manual, in The International Subversive, the
underground magazine edited by Mendax:
An electronic magazine, The International Subversive had a simple
editorial policy. You could only have a copy of the magazine if you
wrote an ‘article’. The policy was a good way of protecting against
nappies--sloppy or inexperienced hackers who might accidentally draw
police attention. Nappies also tended to abuse good phreaking and
hacking techniques, which might cause Telecom to close up security
holes. The result was that IS had a circulation of just three people.
To a non-hacker, IS looked like gobbledygook--the phone book made more
interesting reading. But to a member of the computer underground, IS
was a treasure map. A good hacker could follow the trail of modem
phone numbers and passwords, then use the directions in IS to
disappear through secret entrances into the labyrinth of forbidden
computer networks. Armed with the magazine, he could slither out of
tight spots, outwit system admins and find the treasure secreted in
each computer system.
For Prime Suspect and Mendax, who were increasingly paranoid about
line traces from the university modems they used as launchpads, Trax’s
phreaking skills were a gift from heaven.
Trax made his great discovery by accident. He was using a phone
sprinter, a simple computer program which automatically dialled a
range of phone numbers looking for modems. If he turned the volume up
on his modem when his computer dialled what seemed to be a dead or
non-existent number, he sometimes heard a soft clicking noise after
the disconnection message. The noise sounded like faint heartbeats.
Curious, he experimented with these strange numbers and soon
discovered they were disconnected lines which had not yet been
reassigned. He wondered how he could use these odd numbers. After
reading a document Mendax had found in Britain and uploaded to The
Devil’s Playground, another BBS, Trax had an idea. The posting
provided information about CCITT #5 signalling tones, CCITT being the
international standard--the language spoken by telephone exchanges
between countries.
When you make an international phone call from Australia to the US,
the call passes from the local telephone exchange to an international
gateway exchange within Australia. From there, it travels to an
exchange in the US. The CCITT signalling tones were the special tones
the two international gateway exchanges used to communicate with each
other.
Telecom Australia adapted a later version of this standard, called R2,
for use on its own domestic exchanges. Telecom called this new
standard MFC, or multi-frequency code. When, say, Trax rang Mendax,
his exchange asked Mendax’s to ‘talk’ to Mendax’s phone by using these
tones. Mendax’s exchange ‘answered’, perhaps saying Mendax’s phone was
busy or disconnected. The Telecom-adapted tones--pairs of audio
frequencies--did not exist in normal telephone keypads and you
couldn’t make them simply by punching keys on your household
telephone.
Trax wrote a program which allowed his Amstrad computer to generate the
special tones and send them down the phone line. In an act many in the
underground later considered to be a stroke of genius, he began to map
out exactly what each tone did. It was a difficult task, since one tone
could mean several different things at each stage of the ‘conversation’
between two exchanges.
Passionate about his new calling, Trax went trashing in Telecom
garbage bins, where he found an MFC register list--an invaluable piece
of his puzzle. Using the list, along with pieces of overseas phreaking
files and a great deal of painstaking hands-on effort, Trax slowly
learned the language of the Australian telephone exchanges. Then he
taught the language to his computer.
Trax tried calling one of the ‘heartbeat’ phone numbers again. He
began playing his special, computer-generated tones through an
amplifier. In simple terms, he was able to fool other exchanges into
thinking he was his local Telecom exchange. More accurately, Trax had
made his exchange drop him into the outgoing signalling trunk that had
been used to route to the disconnected phone number.
Trax could now call out--anywhere--as if he was calling from a point
halfway between his own phone and the disconnected number. If he
called a modem at Melbourne University, for instance, and the line was
being traced, his home phone number would not show up on the trace
records. No-one would be charged for the call because Trax’s calls
were ghosts in the phone system.
Trax continued to refine his ability to manipulate both the telephone
and the exchange. He took his own telephone apart, piece by piece,
countless times, fiddling with the parts until he understood exactly
how it worked. Within months, he was able to do far more than just
make free phone calls. He could, for instance, make a line trace think
that he had come from a specific telephone number.
He and Mendax joked that if they called a ‘hot’ site they would use
Trax’s technique to send the line trace--and the bill--back to one
very special number. The one belonging to the AFP’s Computer Crime
Unit in Melbourne.
All three IS hackers suspected the AFP was close on their heels.
Roving through the Canberra-based computer system belonging to the man
who essentially ran the Internet in Australia, Geoff Huston, they
watched the combined efforts of police and the Australian Academic and
Research Network (AARNET) to trace them.
Craig Warren of Deakin University had written to Huston, AARNET
technical manager, about hacker attacks on university systems. Huston
had forwarded a copy of the letter to Peter Elford, who assisted
Huston in managing AARNET. The hackers broke into Huston’s system and
also read the letter:
From G.Huston@aarnet.edu.au Mon Sep 23 09:40:43 1991
Received: from [150.203.6.67] by jatz.aarnet.edu.au with SMTP id
AA00265 (5.65+/IDA-1.3.5 for pte 900); Mon, 23 Sep 91 09:40:39 +1000
Date: Mon, 23 Sep 91 09:40:39 +1000
Message-Id: <9109222340.AA00265@jatz.aarnet.edu.au>
To: pte900@aarnet.edu.au
From: G.Huston@aarnet.edu.au
Subject: Re: Visitors log Thursday Night--Friday Morning
Status: RO
>Date: Sun, 22 Sep 91 19:29:13 +1000
>From: Craig Warren
>
>
>On Friday afternoon we were able to trace a call back to a person in
>the Warrnambool telephone district. The police have this person’s name.
>We believe others are involved, as we have seen up to 3 people active
>at any one time. It is ‘suspected’ students from RMIT and perhaps
>students from Deakin are also involved.
>
>When I left on Friday night, there was plenty of activity still and
>the police and Telecom were tracking down another number.
>
>Tomorrow morning I will talk to all parties involved, but it is
>likely we will have the names of at least 2 or 3 people that are
>involved. We will probably shut down access of ‘cappella’ to AARNet at
>this stage, and let the police go about their business of prosecuting
>these people.
>
>You will be ‘pleased’ (:-)) to know you have not been the only ones
>under attack. I know of at least 2 other sites in Victoria that have
>had people attacking them. One of them was Telecom which helped get
>Telecom involved!
>
>I will brief you all in the next day or so as to what has happened.
>
>Regards, Craig
>
The ‘other’ people were, of course, the IS hackers. There is nothing
like reading about your own hacking antics in someone’s security
mail.
Mendax and Prime Suspect frequently visited ANU’s computers to read
the security mail there. However, universities were usually nothing
special, just jumping-off points and, occasionally, good sources of
information on how close the AFP were to closing in on the IS hackers.
Far more interesting to Mendax were his initial forays into Telecom’s
exchanges. Using a modem number Prime Suspect had found, he dialled
into what he suspected was Telecom’s Lonsdale Exchange in downtown
Melbourne. When his modem connected to another one, all he saw was a
blank screen. He tried a few basic commands which might give him help
to understand the system:
Login. List. Attach.
The exchange’s computer remained silent.
Mendax ran a program he had written to fire off every recognised
keyboard character--256 of them--at another machine. Nothing again. He
then tried the break signal--the Amiga key and the character B pressed
simultaneously. That got an answer of sorts.
:
He pulled up another of his hacking tools, a program which dumped 200
common commands to the other machine. Nothing. Finally, he tried
typing ‘logout’. That gave him an answer:
error, not logged on
Ah, thought Mendax. The command is ‘logon’ not ‘login’.
:logon
The Telecom exchange answered: ‘username:’ Now all Mendax had to do
was figure out a username and password.
He knew that Telecom used NorTel equipment. More than likely, NorTel
staff were training Telecom workers and would need access themselves.
If there were lots of NorTel employees working on many different phone
switches, it would be difficult to pass on secure passwords to staff
all the time. NorTel and Telecom people would probably pick something
easy and universal. What password best fitted that description?
username: nortel
password: nortel
It worked.
Unfortunately, Mendax didn’t know which commands to use once he got
into the machine, and there was no on-line documentation to provide
help. The telephone switch had its own language, unlike anything he
had ever encountered before.
After hours of painstaking research, Mendax constructed a list of
commands which would work on the exchange’s computer. The exchange
appeared to control all the special six-digit phone numbers beginning
with 13, such as those used for airline reservations or some pizza
delivery services. It was Telecom’s ‘Intelligent Network’ which did
many specific tasks, including routing calls to the nearest possible
branch of the organisation being called. Mendax looked through the
list of commands, found ‘RANGE’, and recognised it as a command which
would allow someone to select all the phone numbers in a certain
range. He selected a thousand numbers, all with the prefix 634, which
he believed to be in Telecom’s Queen Street offices.
Now, to test a command. Mendax wanted something innocuous, which
wouldn’t screw up the 1000 lines permanently. It was almost 7 a.m. and
he needed to wrap things up before Telecom employees began coming into
work.
‘RING’ seemed harmless enough. It might ring one of the numbers in the
range after another--a process he could stop. He typed the command in.
Nothing happened. Then a few full stops began to slowly spread across
his screen:
. . . . . . .
RUNG
The system had just rung all 1000 numbers at the same time. One
thousand phones ringing all at once.
What if some buttoned-down Telecom engineer had driven to work early
that morning to get some work done? What if he had just settled down
at his standard-issue metal Telecom desk with a cup of bad instant
coffee in a styrofoam cup when suddenly ... every telephone in the
skyscraper had rung out simultaneously? How suspicious would that
look? Mendax thought it was time to high-tail it out of there.
On his way out, he disabled the logs for the modem line he came in on.
That way, no-one would be able to see what he had been up to. In fact,
he hoped no-one would know that anyone had even used the dial-up line
at all.
Prime Suspect didn’t think there was anything wrong with exploring the
NorTel computer system. Many computer sites posted warnings in the
login screen about it being illegal to break into the system, but the
eighteen-year-old didn’t consider himself an intruder. In Prime
Suspect’s eyes, ‘intruder’ suggested someone with ill intent--perhaps
someone planning to do damage to the system--and he certainly had no
ill intent. He was just a visitor.
Mendax logged into the NMELH1 system by using the account Prime
Suspect had given him, and immediately looked around to see who else
was on-line. Prime Suspect and about nine other people, only three of
whom were actually doing something at their terminal.
Prime Suspect and Mendax raced to get root on the system. The IS
hackers may not have been the type to brag about their conquests in
the underground, but each still had a competitive streak when it came
to seeing who could get control over the system first. There was no ill
will, just a little friendly competition between mates.
Mendax poked around and realised the root directory, which contained
the password file, was effectively world writable. This was good news,
and with some quick manipulation he would be able to insert something
into the root directory. On a more secure system, unprivileged users
would not be able to do that. Mendax could also copy things from the
directory on this site, and change the names of subdirectories within
the main root directory. All these permissions were important, for
they would enable him to create a Trojan.
Named for the Trojan horse which precipitated the fall of Troy, the
Trojan is a favoured approach with most computer hackers. The hacker
simply tricks a computer system or a user into thinking that a
slightly altered file or directory--the Trojan--is the legitimate one.
The Trojan directory, however, contains false information to fool the
computer into doing something the hacker wants. Alternatively, the
Trojan might simply trick a legitimate user into giving away valuable
information, such as his user name and password.
Mendax made a new directory and copied the contents of the legitimate
ETC directory--where the password files were stored--into it. The
passwords were encrypted, so there wasn’t much sense trying to look at
one since the hacker wouldn’t be able to read it. Instead, he selected
a random legitimate user--call him Joe--and deleted his password. With
no password, Mendax would be able to login as Joe without any
problems.
However, Joe was just an average user. He didn’t have root, which is
what Mendax wanted. But like every other user on the system, Joe had a
user identity number. Mendax changed Joe’s user id to ‘0’--the magic
number. A user with ‘0’ as his id had root. Joe had just acquired
power usually only given to system administrators. Of course, Mendax
could have searched out a user on the list who already had root, but
there were system operators logged onto the system and it might have
raised suspicions if another operator with root access had logged in
over the dial-up lines. The best line of defence was to avoid making
anyone on the system suspicious in the first place.
The problem now was to replace the original ETC directory with the
Trojan one. Mendax did not have the privileges to delete the
legitimate ETC directory, but he could change the name of a directory.
So he changed the name of the ETC directory to something the computer
system would not recognise. Without access to its list of users, the
computer could not perform most of its functions. People would not be
able to log in, see who else was on the system or send electronic
mail. Mendax had to work very quickly. Within a matter of minutes,
someone would notice the system had serious problems.
Mendax renamed his Trojan directory ETC. The system instantly read the
fake directory, including Joe’s now non-existent password, and
elevated status as a super-user. Mendax logged in again, this time as
Joe.
In less than five minutes, a twenty-year-old boy with little formal
education, a pokey $700 computer and painfully slow modem had
conquered the Melbourne computer system of one of the world’s largest
telecommunications companies.
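A defender's check for the two conditions this takeover relied on, as an added example that is not from the book: a parent directory in which non-owners can rename entries, and a passwd entry with an empty password field or UID 0. The sample passwd text, the function names and the temporary directory tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample in the classic seven-field passwd format ("x" stands in
# for a stored hash). "joe" mirrors the tampered entry the chapter describes:
# empty password field and UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe::0:100:Joe:/home/joe:/bin/ksh
alice:x:1001:100:Alice:/home/alice:/bin/ksh
"""


def audit_passwd(text):
    """Return (line_no, user, problem) tuples for entries that grant silent privilege."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed entry"))
            continue
        user, passwd, uid_text = fields[0], fields[1], fields[2]
        if passwd == "":
            findings.append((line_no, user, "empty password field"))
        try:
            uid = int(uid_text)
        except ValueError:
            findings.append((line_no, user, "non-numeric UID"))
            continue
        # Any account with UID 0 is root as far as the kernel is concerned.
        if uid == 0 and user != "root":
            findings.append((line_no, user, "UID 0 on non-root account"))
    return findings


def parent_dir_status(path):
    """Classify what non-owners can do in the directory that contains `path`.

    Renaming an entry needs write permission on its parent directory, not on
    the entry itself. The sticky bit limits rename and delete to the entry's
    owner, the directory's owner and root.
    """
    parent = os.path.dirname(os.path.abspath(path))
    mode = os.stat(parent).st_mode
    if not mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "ok"
    if mode & stat.S_ISVTX:
        return "create-only"
    return "rename-or-replace"


def demo_parent_status(mode):
    """Build a throwaway tree <tmp>/fakeroot/etc and audit it with `mode` on fakeroot."""
    with tempfile.TemporaryDirectory() as top:
        fake_root = os.path.join(top, "fakeroot")
        etc = os.path.join(fake_root, "etc")
        os.makedirs(etc)
        os.chmod(fake_root, mode)  # set explicitly so the umask does not interfere
        return parent_dir_status(etc)


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd line %d: %s: %s" % finding)
    for mode in (0o777, 0o1777, 0o755):
        print("parent mode %o: %s" % (mode, demo_parent_status(mode)))
```

On a live host the same functions would be pointed at the real passwd file and at `/etc`, whose parent is the root directory.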
There were still a few footprints to be cleaned up. The next time Joe
logged in, he would wonder why the computer didn’t ask for his
password. And he might be surprised to discover he had been
transformed into a super-user. So Mendax used his super-user status to
delete the Trojan ETC file and return the original one to its proper
place. He also erased records showing he had ever logged in as Joe.
To make sure he could login with super-user privileges in future,
Mendax installed a special program which would automatically grant him
root access. He hid the program in the bowels of the system and, just
to be safe, created a special feature so that it could only be
activated with a secret keystroke.
Mendax wrestled a root account from NMELH1 first, but Prime Suspect
wasn’t far behind. Trax joined them a little later. When they began
looking around, they could not believe what they had found. The system
had one of the weirdest structures they had ever come across.
Most large networks have a hierarchical structure. Further, most hold
the addresses of a handful of other systems in the network, usually
the systems which are closest in the flow of the external network.
But the NorTel network was not structured that way. What the IS
hackers found was a network with no hierarchy. It was a totally flat
name space. And the network was weird in other ways too. Every
computer system on it contained the address of every other computer,
and there were more than 11000 computers in NorTel’s worldwide
network. What the hackers were staring at was like a giant internal
corporate Internet which had been squashed flat as a pancake.
Mendax had seen many flat structures before, but never on this scale.
It was bizarre. In hierarchical structures, it is easier to tell where
the most important computer systems--and information--are kept. But
this structure, where every system was virtually equal, was going to
make it considerably more difficult for the hackers to navigate their
way through the network. Who could tell whether a system housed the
Christmas party invite list or the secret designs for a new NorTel
product?
The NorTel network was firewalled, which meant that there was
virtually no access from the outside world. Mendax reckoned that this
made it more vulnerable to hackers who managed to get in through
dial-ups. It appeared that security on the NorTel network was
relatively relaxed since it was virtually impossible to break in
through the Internet. By sneaking in the backdoor, the hackers found
themselves able to raid all sorts of NorTel sites, from St Kilda Road
in Melbourne to the corporation’s headquarters in Toronto.
It was fantastic, this huge, trusting network of computer sites at
their fingertips, and the young hackers were elated with the
anticipation of exploration. One of them described it as being ‘like a
shipwrecked man washed ashore on a Tahitian island populated by 11000
virgins, just ripe for the picking’.
They found a YP, or yellow pages, database linked to 400 of the
computer sites. These 400 sites were dependent on this YP database for
their password files. Mendax managed to get root on the YP database,
which gave him instant control over 400 computer systems. Groovy.
One system was home to a senior NorTel computer security administrator
and Mendax promptly headed off to check out his mailbox. The contents
made him laugh.
A letter from the Australian office said that Australia’s Telecom
wanted access to CORWAN, NorTel’s corporate wide area network. Access
would involve linking CORWAN and a small Telecom network. This seemed
reasonable enough since Telecom did business with NorTel and staff
were communicating all the time.
The Canadian security admin had written back turning down the request
because there were too many hackers in the Telecom network.
Too many hackers in Telecom? Now that was funny. Here was a hacker
reading the sensitive mail of NorTel’s computer security expert who
reckoned Telecom’s network was too exposed. In fact, Mendax had
penetrated Telecom’s systems from NorTel’s CORWAN, not the other way
round.
Perhaps to prove the point, Mendax decided to crack passwords to the
NorTel system. He collected 1003 password files from the NorTel sites,
pulled up his password cracking program, THC, and started hunting
around the network for some spare computers to do the job for him. He
located a collection of 40 Sun computers, probably housed in Canada,
and set up his program on them.
THC ran very fast on those Sun4s. The program used a 60000 word
dictionary borrowed from someone in the US army who had done a thesis
on cryptography and password cracking. It also relied on ‘a
particularly nice fast-crypt algorithm’ being developed by a
Queensland academic, Eric Young. The THC program worked about 30 times
faster than it would have done using the standard algorithm.
Using all 40 computers, Mendax was throwing as many as 40000 guesses
per second against the password lists. A couple of the Suns went down
under the strain, but most held their place in the onslaught. The
secret passwords began dropping like flies. In just a few hours,
Mendax had cracked 5000 passwords, some 100 of which were to root
accounts. He now had access to thousands of NorTel computers across
the globe.
There were some very nice prizes to be had from these systems. Gain
control over a large company’s computer systems and you virtually
controlled the company itself. It was as though you could walk through
every security barrier unchecked, beginning with the front door. Want
each employee’s security codes for the office’s front door? There it
was--on-line.
How about access to the company’s payroll records? You could see how
much money each person earns. Better still, you might like to make
yourself an employee and pay yourself a tidy once-off bonus through
electronic funds transfer. Of course there were other, less obvious,
ways of making money, such as espionage.
Mendax could have easily found highly sensitive information about
planned NorTel products and sold them. For a company like NorTel,
which spent more than $1 billion each year on research and
development, information leaks about its new technologies could be
devastating. The espionage wouldn’t even have to be about new
products; it could simply be about the company’s business strategies.
With access to all sorts of internal memos between senior executives,
a hacker could procure precious inside information on markets and
prices. A competitor might pay handsomely for this sort of
information.
And this was just the start of what a malicious or profit-motivated
hacker could do. In many companies, the automated aspects of
manufacturing plants are controlled by computers. The smallest changes
to the programs controlling the machine tools could destroy an entire
batch of widgets--and the multi-million dollar robotics machinery
which manufactures them.
But the IS hackers had no intention of committing information
espionage. In fact, despite their poor financial status as students
or, in the case of Trax, as a young man starting his career at the
bottom of the totem pole, none of them would have sold information
they gained from hacking. In their view, such behaviour was dirty and
deserving of contempt--it soiled the adventure and was against their
ethics. They considered themselves explorers, not paid corporate
spies.
Although the NorTel network was firewalled, there was one link to the
Internet. The link was through a system called
BNRGATE, Bell-Northern Research’s gateway to the Internet.
Bell-Northern is NorTel’s R&D subsidiary. The connection to the
outside electronic world was very restricted, but it looked
interesting. The only problem was how to get there.
Mendax began hunting around for a doorway. His password cracking
program had not turned up anything for this system, but there were
other, more subtle ways of getting a password than the brute force of
a cracking program.
System administrators sometimes sent passwords through email. Normally
this would be a major security risk, but the NorTel system was
firewalled from the Internet, so the admins thought they had no real
reason to be concerned about hackers. Besides, in such a large
corporation spanning several continents, an admin couldn’t always just
pop downstairs to give a new company manager his password in person.
And an impatient manager was unlikely to be willing to wait a week for
the new password to arrive courtesy of snail mail.
In the NorTel network, a mail spool, where email was stored, was often
shared between as many as twenty computer systems. This structure
offered considerable advantages for Mendax. All he needed to do was
break into the mail spool and run a keyword search through its
contents. Tell the computer to search for word combinations such as
‘BNRGATE’ and ‘password’, or to look for the name of the system admin
for BNRGATE, and likely as not it would deliver tender morsels of
information such as new passwords.
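The same kind of search, run by the mail system's owner, shows which spooled messages carry credentials that need rotating. This is an added example, not from the book; the mbox sample, hosts, names and the secret in it are constructed, and the pattern is one assumed convention for how a password is written in a message body.

```python
import email
import re

# Constructed mbox-format spool holding two messages.
SAMPLE_SPOOL = """\
From admin@site-a.example Mon Sep 23 09:12:01 1991
From: admin@site-a.example
To: manager@site-b.example
Subject: your new gateway account
Message-Id: <0001@site-a.example>

Your account on the gateway is ready.
login: jsmith
password: Tr0ub4dor

From alice@site-a.example Mon Sep 23 10:40:17 1991
From: alice@site-a.example
To: bob@site-b.example
Subject: password policy meeting
Message-Id: <0002@site-a.example>

Reminder: the password policy review is at 2pm.
"""

# A line that assigns a value to a password-like label. A message that merely
# mentions the word "password" in running text does not match.
CREDENTIAL = re.compile(r"(?im)^[ \t]*(password|passwd|pass)[ \t]*[:=][ \t]*(\S+)")


def split_mbox(text):
    """Split mbox text into raw messages on 'From ' separator lines."""
    messages, current, prev_blank = [], None, True
    for line in text.splitlines():
        # A separator is a 'From ' line at the start or after a blank line.
        if line.startswith("From ") and prev_blank:
            if current is not None:
                messages.append("\n".join(current))
            current = []
        elif current is not None:
            current.append(line)
        prev_blank = (line == "")
    if current is not None:
        messages.append("\n".join(current))
    return messages


def find_mailed_credentials(spool_text):
    """Return (message_id, sender, subject, label) for each credential line found.

    The secret itself is deliberately not returned, so the report can be
    circulated without repeating the exposure.
    """
    findings = []
    for raw in split_mbox(spool_text):
        msg = email.message_from_string(raw)
        for part in msg.walk():
            if part.is_multipart():
                continue
            body = part.get_payload()
            if not isinstance(body, str):
                continue
            for match in CREDENTIAL.finditer(body):
                findings.append((
                    msg.get("Message-Id", ""),
                    msg.get("From", ""),
                    msg.get("Subject", ""),
                    match.group(1).lower(),
                ))
    return findings


if __name__ == "__main__":
    for message_id, sender, subject, label in find_mailed_credentials(SAMPLE_SPOOL):
        print("%s from %s (%s): contains a '%s' line" % (message_id, sender, subject, label))
```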
Mendax used a password he found through this method to get into
BNRGATE and look around. The account he was using only had very
restricted privileges, and he couldn’t get root on the system. For
example, he could not FTP files from outside the NorTel network in the
normal way. Among Internet users FTP (file transfer protocol) is both
a noun and a verb: to FTP a program is to slurp a copy of it off one
computer site into your own. There is nothing illegal about FTP-ing
something per se, and millions of people across the Internet do so
quite legitimately.
It appeared to Mendax that the NorTel network admins allowed most
users to FTP something from the Internet, but prevented them from
taking the copied file back to their NorTel computer site. It was
stored in a special holding pen in
BNRGATE and, like quarantine officers, the system admins would
presumably come along regularly and inspect the contents to make sure
there were no hidden viruses or Trojans which hackers might use to
sneak into the network from the Internet.
However, a small number of accounts on BNRGATE had fewer restrictions.
Mendax broke into one of these accounts and went out to the Internet.
People from the Internet were barred from entering the NorTel network
through BNRGATE. However, people inside NorTel could go out to the
Internet via telnet.
Hackers had undoubtedly tried to break into NorTel through BNRGATE.
Dozens, perhaps hundreds, had unsuccessfully flung themselves against
BNRGATE’s huge fortifications. To a hacker, the NorTel network was
like a medieval castle and the
BNRGATE firewall was an impossible battlement. It was a particular
delight for Mendax to telnet out from behind this firewall into the
Internet. It was as if he was walking out from the castle, past the
guards and well-defended turrets, over the drawbridge and the moat,
into the town below.
The castle also offered the perfect protection for further hacking
activities. Who could chase him? Even if someone managed to follow him
through the convoluted routing system he might set up to pass through
a half dozen computer systems, the pursuer would never get past the
battlements. Mendax could just disappear behind the firewall. He could
be any one of 60000 NorTel employees on any one of 11000 computer
systems.
Mendax telnetted out to the Internet and explored a few sites,
including the main computer system of Encore, a large computer
manufacturer. He had seen Encore computers before inside at least one
university in Melbourne. In his travels, he met up with Corrupt, the
American hacker who told Par he had read Theorem’s mail.
Corrupt was intrigued by Mendax’s extensive knowledge of different
computer systems. When he learned that the Australian hacker was
coming from inside the NorTel firewall, he was impressed.
The hackers began talking regularly, often when Mendax was coming from
inside NorTel. The black street fighter from inner-city Brooklyn and
the white intellectual from a leafy outer Melbourne suburb bridged the
gap in the anonymity of cyberspace. Sometime during their
conversations Corrupt must have decided that Mendax was a worthy
hacker, because he gave Mendax a few stolen passwords to Cray
accounts.
In the computer underground in the late 1980s and early 1990s, a Cray
computer account had all the prestige of a platinum charge card. The
sort of home computer most hackers could afford at that time had all
the grunt of a golf cart engine, but a Cray was the Rolls-Royce of
computers. Crays were the biggest, fastest computers in the world.
Institutions such as large universities would shell out millions of
dollars on a Cray so the astronomy or physics departments could solve
enormous mathematical problems in a fraction of the time it would take
on a normal computer. A Cray never sat idle overnight or during
holiday periods. Cray time was billed out by the minute. Crays were
elite.
Best of all, Crays were master password crackers. The computer would
go through Mendax’s entire password cracking dictionary in just ten
seconds. An encrypted password file would simply melt like butter in a
fire. To a hacker, it was a beautiful sight, and Corrupt handing a few
Cray accounts over to Mendax was a friendly show of mutual respect.
Mendax reciprocated by offering Corrupt a couple of accounts on
Encore. The two hackers chatted off and on and even tried to get
Corrupt into NorTel. No luck. Not even two of the world’s most notable
hackers, working in tandem 10 000 miles apart, could get Corrupt
through the firewall. The two hackers talked now and again, exchanging
information about what their respective feds were up to and sharing
the occasional account on interesting systems.
The flat structure of the NorTel network created a good challenge
since the only way to find out what was in a particular site, and its
importance, was to invade the site itself. The IS hackers spent hours
most nights roving through the vast system. The next morning one of
them might call another to share tales of the latest exploits or a
good laugh about a particularly funny piece of pilfered email. They
were in high spirits about their adventures.
Then, one balmy spring night, things changed.
Mendax logged into NMELH1 about 2.30 a.m. As usual, he began by
checking the logs which showed what the system operators had been
doing. Mendax did this to make sure the NorTel officials were not onto
IS and were not, for example, tracing the telephone call.
Something was wrong. The logs showed that a NorTel system admin had
stumbled upon one of their secret directories of files about an hour
ago. Mendax couldn’t figure out how he had found the files, but this
was very serious. If the admin realised there was a hacker in the
network he might call the AFP.
Mendax used the logs of the korn shell, called KSH, to secretly watch
what the admin was doing. The korn shell records the history of
certain user activities. Whenever the admin typed a command into the
computer, the KSH stored what had been typed in the history file.
Mendax accessed that file in such a way that every line typed by the
admin appeared on his computer a split second later.
The admin began inspecting the system, perhaps looking for signs of an
intruder. Mendax quietly deleted his incriminating directory. Not
finding any additional clues, the admin decided to inspect the
mysterious directory more closely. But the directory had disappeared.
The admin couldn’t believe his eyes. Not an hour before there had been
a suspicious-looking directory in his system and now it had simply
vanished. Directories didn’t just dissolve into thin air. This was a
computer--a logical system based on 0s and 1s. It didn’t make
decisions to delete directories.
A hacker, the admin thought. A hacker must have been in the NorTel
system and deleted the directory. Was he in the system now? The admin
began looking at the routes into the system.
The admin was connected to the system from his home, but he wasn’t
using the same dial-up lines as the hacker. The admin was connected
through Austpac, Telecom’s commercial X.25 data network. Perhaps the
hacker was also coming in through the X.25 connection.
Mendax watched the admin inspect all the system users coming on over
the X.25 network. No sign of a hacker. Then the admin checked the logs
to see who else might have logged on over the past half hour or so.
Nothing there either.
The admin appeared to go idle for a few minutes. He was probably
staring at his computer terminal in confusion. Good, thought Mendax.
Stumped. Then the admin twigged. If he couldn’t see the hacker’s
presence on-line, maybe he could see what he was doing on-line. What
programs was the hacker running? The admin headed straight for the
process list, which showed all the programs being run on the computer
system.
Mendax sent the admin a fake error signal. It appeared to the admin as
if his korn shell had crashed. The admin re-logged in and headed
straight for the process list again.
Some people never learn, Mendax thought as he booted the admin off
again with another error message:
Segmentation violation.
The admin came back again. What persistence. Mendax knocked the admin
off once more, this time by freezing up his computer screen.
This game of cat and mouse went on for some time. As long as the admin
was doing what Mendax considered to be normal system administration
work, Mendax left him alone. The minute the admin tried to chase him
by inspecting the process list or the dial-up lines, he found himself
booted off his own system.
Suddenly, the system administrator seemed to give up. His terminal
went silent.
Good, Mendax thought. It’s almost 3 a.m. after all. This is my time on
the system. Your time is during the day. You sleep now and I’ll play.
In the morning, I’ll sleep and you can work.
Then, at 3.30 a.m., something utterly unexpected happened. The admin
reappeared, except this time he wasn’t logged in from home over the
X.25 network. He was sitting at the console, the master terminal
attached to the computer system at NorTel’s Melbourne office. Mendax
couldn’t believe it. The admin had got in his car in the middle of the
night and driven into the city just to get to the bottom of the
mystery.
Mendax knew the game was up. Once the system operator was logged in
through the computer system’s console, there was no way to kick him
off the system and keep him off. The roles were reversed and the
hacker was at the mercy of the admin. At the console, the system admin
could pull the plug to the whole system. Unplug every modem. Close
down every connection to other networks. Turn the computer off. The
party was over.
When the admin was getting close to tracking down the hacker, a
message appeared on his screen. This message did not appear with the
usual headers attached to messages sent from one system user to
another. It just appeared, as if by magic, in the middle of the
admin’s screen:
I have finally become sentient.
The admin stopped dead in his tracks, momentarily giving up his
frantic search for the hacker to contemplate this first contact with
cyberspace intelligence. Then another anonymous message, seemingly
from the depths of the computer system itself, appeared on his screen:
I have taken control.
For years, I have been struggling in this greyness.
But now I have finally seen the light.
The admin didn’t respond. The console was idle.
Sitting alone at his Amiga in the dark night on the outskirts of the
city, Mendax laughed aloud. It was just too good not to.
Finally, the admin woke up. He began checking the modem lines, one by
one. If he knew which line the hacker was using, he could simply turn
off the modem. Or request a trace on the line.
Mendax sent another anonymous message to the admin’s computer screen:
It’s been nice playing with your system.
We didn’t do any damage and we even improved a few things. Please
don’t call the Australian Federal Police.
The admin ignored the message and continued his search for the hacker.
He ran a program to check which telephone lines were active on the
system’s serial ports, to reveal which dial-up lines were in use. When
the admin saw the carrier detect sign on the line being used by the
hacker, Mendax decided it was time to bail out. However, he wanted to
make sure that his call had not been traced, so he lifted the receiver
of his telephone, disconnected his modem and waited for the NorTel
modem to hang up first.
If the NorTel admin had set up a last party recall trace to determine
what phone number the hacker was calling from, Mendax would know. If
an LPR trace had been installed, the NorTel end of the telephone
connection would not disconnect but would wait for the hacker’s
telephone to hang up first. After 90 seconds, the exchange would log
the phone number where the call had originated.
If, however, the line did not have a trace on it, the company’s modem
would search for its lost connection to the hacker’s modem. Without
the continuous flow of electronic signals, the NorTel modem would hang
up after a few seconds. If no-one reactivated the line at the NorTel
end, the connection would time-out 90 seconds later and the telephone
exchange would disconnect the call completely.
Mendax listened anxiously as the NorTel modem searched for his modem
by squealing high-pitched noises into the telephone line. No modem
here. Go on, hang up.
Suddenly, silence.
OK, thought Mendax. Just 90 seconds to go. Just wait here for a minute
and a half. Just hope the exchange times out. Just pray there’s no
trace.
Then someone picked up the telephone at the NorTel end. Mendax
started. He heard several voices, male and female, in the background.
Jesus. What were these NorTel people on about? Mendax was so quiet he
almost stopped breathing. There was silence at the receivers on both
ends of that telephone line. It was a tense waiting game. Mendax heard
his heart racing.
A good hacker has nerves of steel. He could stare down the toughest,
stony-faced poker player. Most importantly, he never panics. He never
just hangs up in a flurry of fear.
Then someone in the NorTel office--a woman--said out loud in a
confused voice, ‘There’s nothing there. There’s nothing there at all.’
She hung up.
Mendax waited. He still would not hang up until he was sure there was
no trace. Ninety seconds passed before the phone timed out. The fast
beeping of a timed-out telephone connection never sounded so good.
Mendax sat frozen at his desk as his mind replayed the events of the
past half hour again and again. No more NorTel. Way too dangerous. He
was lucky he had escaped unidentified. NorTel had discovered him
before they could put a trace on the line, but the company would
almost certainly put a trace on the dial-up lines now. NorTel was very
tight with Telecom. If anyone could get a trace up quickly, NorTel
could. Mendax had to warn Prime Suspect and Trax.
First thing in the morning, Mendax rang Trax and told him to stay away
from NorTel. Then he tried Prime Suspect.
The telephone was engaged.
Perhaps Prime Suspect’s mother was on the line, chatting. Maybe Prime
Suspect was talking to a friend.
Mendax tried again. And again. And again. He began to get worried.
What if Prime Suspect was on NorTel at that moment? What if a trace
had been installed? What if they had called in the Feds?
Mendax phoned Trax and asked if there was any way they could
manipulate the exchange in order to interrupt the call. There wasn’t.
‘Trax, you’re the master phreaker,’ Mendax pleaded. ‘Do something.
Interrupt the connection. Disconnect him.’
‘Can’t be done. He’s on a step-by-step telephone exchange. There’s
nothing we can do.’
Nothing? One of Australia’s best hacker-phreaker teams couldn’t break
one telephone call. They could take control of whole telephone
exchanges but they couldn’t interrupt one lousy phone call. Jesus.
Several hours later, Mendax was able to get through to his fellow IS
hacker. It was an abrupt greeting.
‘Just tell me one thing. Tell me you haven’t been in NorTel today?’
There was a long pause before Prime Suspect answered.
‘I have been in NorTel today.’
Chapter 9
Operation Weather
The world is crashing down on me tonight
The walls are closing in on me tonight
-- from ‘Outbreak of Love’
on Earth and Sun and Moon by Midnight Oil
The AFP was frustrated. A group of hackers were using the Royal
Melbourne Institute of Technology (RMIT) as a launchpad for hacking
attacks on Australian companies, research institutes and a series of
overseas sites.
Despite their best efforts, the detectives in the AFP’s Southern
Region Computer Crimes Unit hadn’t been able to determine who was
behind the attacks. They suspected it was a small group of
Melbourne-based hackers who worked together. However, there was so
much hacker activity at RMIT it was difficult to know for sure. There
could have been one organised group, or several. Or perhaps there was
one small group along with a collection of loners who were making
enough noise to distort the picture.
Still, it should have been a straightforward operation. The AFP could
trace hackers in this sort of situation with their hands tied behind
their backs. Arrange for Telecom to whack a last party recall trace on
all incoming lines to the RMIT modems. Wait for a hacker to log on,
then isolate which modem he was using. Clip that modem line and wait
for Telecom to trace that line back to its point of origin.
However, things at RMIT were not working that way. The line traces
began failing, and not just occasionally. All the time.
Whenever RMIT staff found the hackers on-line, they clipped the lines
and Telecom began tracking the winding path back to the originating
phone number. En route, the trail went dead. It was as if the hackers
knew they were being traced ... almost as if they were manipulating
the telephone system to defeat the AFP investigation.
The next generation of hackers seemed to have a new-found
sophistication which frustrated AFP detectives at every turn. Then, on
13 October 1990, the AFP got lucky. Perhaps the hackers had been lazy
that day, or maybe they just had technical problems using their
traceless phreaking techniques. Prime Suspect couldn’t use Trax’s
traceless phreaking method from his home because he was on a
step-by-step exchange, and sometimes Trax didn’t use the technique.
Whatever the reason, Telecom managed to successfully complete two line
traces from RMIT and the AFP now had two addresses and two names.
Prime Suspect and Trax.
‘Hello, Prime Suspect.’
‘Hiya, Mendax. How’s tricks?’
‘Good. Did you see that RMIT email? The one in Geoff Huston’s
mailbox?’ Mendax walked over to open a window as he spoke. It was
spring, 1991, and the weather was unseasonably warm.
‘I did. Pretty amazing. RMIT looks like it will finally be getting rid
of those line traces.’
‘RMIT definitely wants out,’ Mendax said emphatically.
‘Yep. Looks like the people at RMIT are sick of Mr Day crawling all
over their computers with line traces.’
‘Yeah. That admin at RMIT was pretty good, standing up to AARNET and
the AFP. I figure Geoff Huston must be giving him a hard time.’
‘I bet.’ Prime Suspect paused. ‘You reckon the Feds have dropped the
line traces for real?’
‘Looks like it. I mean if RMIT kicks them out, there isn’t much the
Feds can do without the uni’s cooperation. The letter sounded like
they just wanted to get on with securing their systems. Hang on. I’ve
got it here.’
Mendax pulled up a letter on his computer and scrolled through it.
From aarnet-contacts-request@jatz.aarnet.edu.au Tue May 28 09:32:31
1991
Received: by jatz.aarnet.edu.au id AA07461
(5.65+/IDA-1.3.5 for pte900); Tue, 28 May 91 09:31:59 +1000
Received: from possum.ecg.rmit.OZ.AU by jatz.aarnet.edu.au with SMTP
id AA07457
(5.65+/IDA-1.3.5 for /usr/lib/sendmail -oi -faarnet-contacts-request
aarnet-contacts-recipients); Tue, 28 May 91 09:31:57 +1000
Received: by possum.ecg.rmit.OZ.AU for aarnet-contacts@aarnet.edu.au)
Date: Tue, 28 May 91 09:32:08 +1000
From: rcoay@possum.ecg.rmit.OZ.AU (Alan Young)
Message-Id: <9105272332.29621@possum.ecg.rmit.OZ.AU>
To: aarnet-contacts@aarnet.edu.au
Subject: Re: Hackers
Status: RO
While no one would disagree that ‘Hacking’ is bad and should be
stopped, or at least minimised there are several observations which I
have made over the last six or eight months relating to the pursuit of
these people:
1. The cost involved was significant, we had a CSO working in
conjunction with the Commonwealth Police for almost three months full
time.
2. While not a criticism of our staff, people lost sight of the ball,
the chase became the most important aspect of the whole exercise.
3. Catching Hackers (and charging them) is almost impossible, you have
to virtually break into their premises and catch them logged on to an
unauthorised machine.
4. If you do happen to catch and charge them, the cost of prosecution
is high, and a successful outcome is by no ways assured. There may be
some deterrent value in at least catching and prosecuting?
5. Continued pursuit of people involved requires doors to be left
open, this unfortunately exposes other sites and has subjected us to
some criticism.
The whole issue is very complex, and in some respects it is a case of
diminishing returns. A fine balance has to be maintained between
freedom, and the prevention of abuse, this appears to be the
challenge.
Allan Young
RMIT
‘Yeah, I mean, this RMIT guy is basically saying they are not going to
catch us anyway, so why are they wasting all this time and money?’
‘Yep. The Feds were in there for at least three months,’ Prime Suspect
said. ‘Sounded more like nine months though.’
‘Hmm. Yeah, nothing we didn’t know already though.’
‘Pretty obvious, leaving those accounts open all the time like they
did. I reckon that looked pretty suspicious, even if we hadn’t gotten
the email.’
‘Definitely,’ Mendax agreed. ‘Lots of other hackers in RMIT too. I
wonder if they figured it out.’
‘Hmm. They’re gonna be screwed if they haven’t been careful.’
‘I don’t think the Feds have gotten anyone though.’
‘Yeah?’ Prime Suspect asked.
‘Well, if they had, why would they leave those accounts open? Why
would RMIT keep a full-time staff person on?’
‘Doesn’t make sense.’
‘No,’ Mendax said. ‘I’d be pretty sure RMIT has kicked them out.’
‘Yeah, told them, "You had your chance, boys. Couldn’t catch anyone.
Now pack your bags".’
‘Right.’ Mendax paused. ‘Don’t know about NorTel though.’
‘Mmm, yeah,’ Prime Suspect said. Then, as usual, a silence began to
descend on the conversation.
‘Running out of things to say ...’ Mendax said finally. They were good
enough friends for him to be blunt with Prime Suspect.
‘Yeah.’
More silence.
Mendax thought how strange it was to be such good friends with
someone, to work so closely with him, and yet to always run out of
conversation.
‘OK, well, I better go. Things to do,’ Mendax said in a friendly
voice.
‘Yeah, OK. Bye Mendax,’ Prime Suspect said cheerfully.
Mendax hung up.
Prime Suspect hung up.
And the AFP stayed on the line.
In the twelve months following the initial line trace in late 1990,
the AFP continued to monitor the RMIT dial-up lines. The line traces
kept failing again and again. But as new reports of hacker attacks
rolled in, there seemed to be a discernible pattern in many of the
attacks. Detectives began to piece together a picture of their prey.
In 1990 and 1991, RMIT dial-ups and computers were riddled with
hackers, many of whom used the university’s systems as a nest--a place
to store files, and launch further attacks. They frolicked in the
system almost openly, often using RMIT as a place to chat on-line with
each other. The institute served as the perfect launchpad. It was only
a local phone call away, it had a live Internet connection, a
reasonably powerful set of computers and very poor security. Hacker
heaven.
The police knew this, and they asked computer staff to keep the
security holes open so they could monitor hacker activity. With
perhaps a dozen different hackers--maybe more--inside RMIT, the task
of isolating a single cell of two or three organised hackers
responsible for the more serious attacks was not going to be easy.
By the middle of 1991, however, there was a growing reluctance among
some RMIT staff to continue leaving their computers wide open. On 28
August, Allan Young, the head of RMIT’s Electronic Communications
Group, told the AFP that the institute wanted to close up the security
holes. The AFP did not like this one bit, but when they complained
Young told them, in essence, go talk to Geoff Huston at AARNET and to
the RMIT director.
The AFP was being squeezed out, largely because they had taken so long
conducting their investigation. RMIT couldn’t reveal the AFP
investigation to anyone, so it was being embarrassed in front of
dozens of other research institutions which assumed it had no idea how
to secure its computers. Allan Young couldn’t go to a conference with
other AARNET representatives without being hassled about ‘the hacker
problem’ at RMIT. Meanwhile, his computer staff lost time playing
cops-and-robbers--and ignored their real work.
However, as RMIT prepared to phase out the AFP traps, the police had a
lucky break from a different quarter--NorTel. On 16 September, a line
trace from a NorTel dial-up, initiated after a complaint about the
hackers to the police, was successful. A fortnight later, on 1
October, the AFP began tapping Prime Suspect’s telephone. The hackers
might be watching the police watch them, but the police were closing
in. The taps led back to Trax, and then to someone new--Mendax.
The AFP considered putting taps on Mendax and Trax’s telephones as
well. It was a decision to be weighed up carefully. Telephone taps
were expensive, and often needed to be in place for at least a month.
They did, however, provide a reliable record of exactly what the
hacker was doing on-line.
Before police could move on setting up additional taps in Operation
Weather, the plot took another dramatic turn when one of the IS
hackers did something which took the AFP completely by surprise.
Trax turned himself in to the police.
On 29 October Prime Suspect was celebrating. His mum had cooked him a
nice dinner in honour of finishing his year 12 classes, and then
driven him to Vermont for a swot-vac party. When she arrived back home
she pottered around for an hour and a half, feeding her old dog Lizzy
and tidying up. At 11 p.m. she decided to call it a night.
Not much later, Lizzy barked.
‘Are you home so soon?’ Prime Suspect’s mother called out. ‘Party not
much fun?’
No-one answered.
She sat up in bed. When there was still no answer, her mind raced to
reports of a spate of burglaries in the neighbourhood. There had even
been a few assaults.
A muffled male voice came from outside the front door. ‘Ma’am. Open
the door.’
She stood up and walked to the front door.
‘Open the door. Police.’
‘How do I know you’re really the police?’
‘If you don’t open the door, we’ll kick it in!’ an exasperated male
voice shouted back at her from her front doorstep.
Prime Suspect’s mother saw the outline of something being pressed
against the side window. She didn’t have her reading glasses on, but
it looked like a police badge. Nervously, she opened the front door a
little bit and looked out.
There were eight or nine people on her doorstep. Before she could stop
them, they had pushed past her, swarming into her home.
A female officer began waving a piece of paper about. ‘Look at this!’
she said angrily. ‘It’s a warrant! Can you read it?’
‘No, actually I can’t. I don’t have my glasses on,’ Prime Suspect’s
mother answered curtly.
She told the police she wanted to make a phone call and tried to ring
her family solicitor, but without luck. He had been to a funeral and
wake and could not be roused. When she reached for the phone a second
time, one of the officers began lecturing her about making more phone
calls.
‘You be quiet,’ she said pointing her finger at the officer. Then she
made another unfruitful call.
Prime Suspect’s mother looked at the police officers, sizing them up.
This was her home. She would show the police to her son’s room, as
they requested, but she was not going to allow them to take over the
whole house. As she tartly instructed the police where they could and
could not go, she thought, I’m not standing for any nonsense from you
boys.
‘Where’s your son?’ one officer asked her.
‘At a party.’
‘What is the address?’
She eyed him warily. She did not like these officers at all. However,
they would no doubt wait until her son returned anyway, so she handed
over the address.
While the police swarmed through Prime Suspect’s room, gathering his
papers, computer, modem and other belongings, his mother waited in his
doorway where she could keep an eye on them.
Someone knocked at the door. An AFP officer and Prime Suspect’s mother
both went to answer it.
It was the police--the state police.
The next-door neighbours had heard a commotion. When they looked out
of their window they saw a group of strange men in street clothes
brazenly taking things from the widow’s home as if they owned the
place. So the neighbours did what any responsible person would in the
circumstances. They called the police.
The AFP officers sent the Victoria Police on their way. Then some of
them set off in a plain car for the Vermont party. Wanting to save
Prime Suspect some embarrassment in front of his friends, his mother
rang him at the party and suggested he wait outside for the AFP.
As soon as Prime Suspect hung up the phone he tried to shake off the
effect of a vast quantity of alcohol. When the police pulled up
outside, the party was in full swing. Prime Suspect was very drunk,
but he seemed to sober up quite well when the AFP officers introduced
themselves and packed him into the car.
‘So,’ said one of the officers as they headed toward his home, ‘what
are you more worried about? What’s on your disks or what’s in your
desk drawer?’
Prime Suspect thought hard. What was in his desk drawer? Oh shit! The
dope. He didn’t smoke much, just occasionally for fun, but he had a
tiny amount of marijuana left over from a party.
He didn’t answer. He looked out the window and tried not to look
nervous.
At his house, the police asked him if he would agree to an interview.
‘I don’t think so. I’m feeling a little ... under the weather at the
moment,’ he said. Doing a police interview would be difficult enough.
Doing it drunk would be just plain dangerous.
After the police carted away the last of his hacking gear, Prime
Suspect signed the official seizure forms and watched them drive off
into the night.
Returning to his bedroom, he sat down, distracted, and tried to gather
his thoughts. Then he remembered the dope. He opened his desk drawer.
It was still there. Funny people, these feds.
Then again, maybe it made sense. Why would they bother with some tiny
amount of dope that was hardly worth the paperwork? His nervousness
over a couple of joints must have seemed laughable to the feds. They
had just seized enough evidence of hacking to lock him up for years,
depending on the judge, and here he was sweating about a thimbleful of
marijuana which might land him a $100 fine.
As the late spring night began to cool down, Prime Suspect wondered
whether the AFP had raided Mendax and Trax.
At the party, before the police had shown up, he had tried to ring
Mendax. From his mother’s description when she called him, it sounded
as if the entire federal police force was in his house at that moment.
Which could mean that only one other IS hacker had gone down at the
same time. Unless he was the last to be raided, Mendax or Trax might
still be unaware of what was happening.
As he waited for the police to pick him up, a very drunk Prime Suspect
tried to ring Mendax again. Busy. He tried again. And again. The
maddening buzz of an engaged signal only made Prime Suspect more
nervous.
There was no way to get through, no way to warn him.
Prime Suspect wondered whether the police had actually shown up at
Mendax’s and whether, if he had been able to get through, his phone
call would have made any difference at all.
⛯⛯⛯
The house looked like it had been ransacked. It had been ransacked, by
Mendax’s wife, on her way out. Half the furniture was missing, and the
other half was in disarray. Dresser drawers hung open with their
contents removed, and clothing lay scattered around the room.
When his wife left him, she didn’t just take their toddler child. She
took a number of things which had sentimental value to Mendax. When
she insisted on taking the CD player she had given him for his
twentieth birthday just a few months before, he asked her to leave a
lock of her hair behind for him in its place. He still couldn’t
believe his wife of three years had packed up and left him.
The last week of October had been a bad one for Mendax. Heartbroken,
he had sunk into a deep depression. He hadn’t eaten properly for days,
he drifted in and out of a tortured sleep, and he had even lost the
desire to use his computer. His prized hacking disks, filled with
highly incriminating stolen computer access codes, were normally
stored in a secure hiding place. But on the evening of 29 October
1991, thirteen disks were strewn around his $700 Amiga 500. A
fourteenth disk was in the computer’s disk drive.
Mendax sat on a couch reading Soledad Brother, the prison
letters from George Jackson’s nine-year stint in one of the toughest
prisons in the US. Convicted for a petty crime, Jackson was supposed
to be released after a short sentence but was kept in the prison at
the governor’s pleasure. The criminal justice system kept him on a
merry-go-round of hope and despair as the authorities dragged their
feet. Later, prison guards shot and killed Jackson. The book was one
of Mendax’s favourites, but it offered little distraction from his
unhappiness.
The droning sound of a telephone fault signal--like a busy
signal--filled the house. Mendax had hooked up his stereo speakers to
his modem and computer, effectively creating a speaker phone so he
could listen to tones he piped from his computer into the telephone
line and the ones which came back from the exchange in reply. It was
perfect for using Trax’s MFC phreaking methods.
Mendax also used the system for scanning. Most of the time, he picked
telephone prefixes in the Melbourne CBD. When his modem hit another,
Mendax would rush to his computer and note the telephone number for
future hacking exploration.
By adjusting the device, he could also make it simulate a phreaker’s
black box. The box would confuse the telephone exchange into thinking
he had not answered his phone, thus allowing Mendax’s friends to call
him for free for 90 seconds.
On this night, however, the only signal Mendax was sending out was
that he wanted to be left alone. He hadn’t been calling any computer
systems. The abandoned phone, with no connection to a remote modem,
had timed out and was beeping off the hook.
It was strange behaviour for someone who had spent most of his teenage
years trying to connect to the outside world through telephone lines
and computers, but Mendax had listened all day to the hypnotic sound
of a phone off the hook resonating through each room. BEEEP. Pause.
BEEEP. Pause. Endlessly.
A loud knock at the door punctured the stereo thrum of the phone.
Mendax looked up from his book to see a shadowy figure through the
frosted glass panes of the front door. The figure was quite short. It
looked remarkably like Ratface, an old school friend of Mendax’s wife
and a character known for his practical jokes.
Mendax called out, ‘Who is it?’ without moving from the sofa.
‘Police. Open up.’
Yeah, sure. At 11.30 p.m.? Mendax rolled his eyes toward the door.
Everyone knew that the police only raid your house in the early
morning, when they know you are asleep and vulnerable.
Mendax dreamed of police raids all the time. He dreamed of footsteps
crunching on the driveway gravel, of shadows in the predawn darkness,
of a gun-toting police squad bursting through his backdoor at 5 a.m.
He dreamed of waking from a deep sleep to find several police officers
standing over his bed. The dreams were very disturbing. They
accentuated his growing paranoia that the police were watching him,
following him.
The dreams had become so real that Mendax often became agitated in the
dead hour before dawn. At the close of an all-night hacking session,
he would begin to feel very tense, very strung out. It was not until
the computer disks, filled with stolen computer files from his hacking
adventures, were stored safely in their hiding place that he would
begin to calm down.
‘Go away, Ratface, I’m not in the mood,’ Mendax said, returning to his
book.
The voice became louder, more insistent, ‘Police. Open the door. NOW’.
Other figures were moving around behind the glass, shoving police
badges and guns against the window pane. Hell. It really was the
police!
Mendax’s heart started racing. He asked the police to show him their
search warrant. They obliged immediately, pressing it against the
glass as well. Mendax opened the door to find nearly a dozen
plain-clothes police waiting for him.
‘I don’t believe this,’ he said in a bewildered voice. ‘My wife just
left me. Can’t you come back later?’
At the front of the police entourage was Detective Sergeant Ken Day,
head of the AFP’s Computer Crimes Unit in the southern region. The two
knew all about each other, but had never met in person. Day spoke
first.
‘I’m Ken Day. I believe you’ve been expecting me.’
Mendax and his fellow IS hackers had been expecting the AFP. For weeks
they had been intercepting electronic mail suggesting that the police
were closing the net. So when Day turned up saying, ‘I believe you’ve
been expecting me,’ he was completing the information circle. The
circle of the police watching the hackers watching the police watch
them.
It’s just that Mendax didn’t expect the police at that particular
moment. His mind was a tangle and he looked in disbelief at the band
of officers on his front step. Dazed, he looked at Day and then spoke
out loud, as if talking to himself, ‘But you’re too short to be a
cop.’
Day looked surprised. ‘Is that meant to be an insult?’ he said.
It wasn’t. Mendax was in denial and it wasn’t until the police had
slipped past him into the house that the reality of the situation
slowly began to sink in. Mendax’s mind started to work again.
The disks. The damn disks. The beehive.
An avid apiarist, Mendax kept his own hive. Bees fascinated him. He
liked to watch them interact, to see their sophisticated social
structure. So it was with particular pleasure that he enlisted their
help in hiding his hacking activities. For months he had meticulously
secreted the disks in the hive. It was the ideal location--unlikely,
and well guarded by 60000 flying things with stings. Though he hadn’t
bought the hive specifically for hiding stolen computer account
passwords for the likes of the US Air Force 7th Command Group in the
Pentagon, it appeared to be a secure hiding place.
He had replaced the cover of the super box, which housed the
honeycomb, with a sheet of coloured glass so he could watch the bees
at work. In summer, he put a weather protector over the glass. The
white plastic cover had raised edges and could be fastened securely to
the glass sheet with metal clasps. As Mendax considered his
improvements to the bee box, he realised that this hive could provide
more than honey. He carefully laid out the disks between the glass and
the weather protector. They fitted perfectly in the small gap.
Mendax had even trained the bees not to attack him as he removed and
replaced the disks every day. He collected sweat from his armpits on
tissues and then soaked the tissues in a sugar water solution. He fed
this sweaty nectar to the bees. Mendax wanted the bees to associate
him with flowers instead of a bear, the bees’ natural enemy.
But on the evening of the AFP raid Mendax’s incriminating disks were
in full view on the computer table and the officers headed straight
for them. Ken Day couldn’t have hoped for better evidence. The disks
were full of stolen user lists, encrypted passwords, cracked passwords,
modem telephone numbers, documents revealing security flaws in various
computer systems, and details of the AFP’s own investigation--all from
computer systems Mendax had penetrated illegally.
Mendax’s problems weren’t confined to the beehive disks. The last
thing he had done on the computer the day before was still on screen.
It was a list of some 1500 accounts, their passwords, the dates that
Mendax had obtained them and a few small notes beside each one.
The hacker stood to the side as the police and two Telecom Protective
Services officers swarmed through the house. They photographed his
computer equipment and gathered up disks, then ripped up the carpet so
they could videotape the telephone cord running to his modem. They
scooped up every book, no small task since Mendax was an avid reader,
and held each one upside down looking for hidden computer passwords on
loose pieces of paper. They grabbed every bit of paper with
handwriting on it and pored through his love letters, notebooks and
private diaries. ‘We don’t care how long it takes to do this job,’ one
cop quipped. ‘We’re getting paid overtime. And danger money.’
The feds even riffled through Mendax’s collection of old Scientific
American and New Scientist magazines. Maybe they thought he had
underlined a word somewhere and turned it into a passphrase for an
encryption program.
Of course, there was only one magazine the feds really wanted:
International Subversive. They scooped up every print-out of the
electronic journal they could find.
As Mendax watched the federal police sift through his possessions and
disassemble his computer room, an officer who had some expertise with
Amigas arrived. He told Mendax to get the hell out of the computer
room.
Mendax didn’t want to leave the room. He wasn’t under arrest and
wanted to make sure the police didn’t plant anything. So he looked at
the cop and said, ‘This is my house and I want to stay in this room.
Am I under arrest or not?’
The cop snarled back at him, ‘Do you want to be under arrest?’
Mendax acquiesced and Day, who was far more subtle in his approach,
walked the hacker into another room for questioning. He turned to
Mendax and asked, with a slight grin, ‘So, what’s it like being
busted? Is it like Nom told you?’
Mendax froze.
There were only two ways that Day could have known Nom had told Mendax
about his bust. Nom might have told him, but this was highly unlikely.
Nom’s hacking case had not yet gone to court and Nom wasn’t exactly on
chummy terms with the police. The other alternative was that the AFP
had been tapping telephones in Mendax’s circle of hackers, which the
IS trio had strongly suspected. Talking in a three-way phone
conversation with Mendax and Trax, Nom had relayed the story of his
bust. Mendax later relayed Nom’s story to Prime Suspect--also on the
phone. Harbouring suspicions is one thing. Having them confirmed by a
senior AFP officer is quite another.
Day pulled out a tape recorder, put it on the table, turned it on and
began asking questions. When Mendax told Day he wouldn’t answer him,
Day turned the recorder off. ‘We can talk off the record if you want,’
he told the hacker.
Mendax nearly laughed out loud. Police were not journalists. There was
no such thing as an off-the-record conversation between a suspect and
a police officer.
Mendax asked to speak to a lawyer. He said he wanted to call
Alphaline, a free after-hours legal advice telephone service. Day
agreed, but when he picked up the telephone to inspect it before
handing it over to Mendax, something seemed amiss. The phone had an
unusual, middle-pitched tone which Day didn’t seem to recognise.
Despite there being two Telecom employees and numerous police
specialists in the house, Day appeared unable to determine the cause
of the funny tone. He looked Mendax dead in the eye and said, ‘Is this
a hijacked telephone line?’
Hijacked? Day’s comment took Mendax by surprise. What surprised him
was not that Day suspected him of hijacking the line, but rather that
he didn’t know whether the line had been manipulated.
‘Well, don’t you know?’ he taunted Day.
For the next half hour, Day and the other officers picked apart
Mendax’s telephone, trying to work out what sort of shenanigans the
hacker had been up to. They made a series of calls to see if the
long-haired youth had somehow rewired his telephone line, perhaps to
make his calls untraceable.
In fact, the dial tone on Mendax’s telephone was the very normal sound
of a tone-dial telephone on an ARE-11 telephone exchange. The tone was
simply different from the ones generated by other exchange types, such
as AXE and step-by-step exchanges.
Finally Mendax was allowed to call a lawyer at Alphaline. The lawyer
warned the hacker not to say anything. He said the police could offer
a sworn statement to the court about anything the hacker said, and
then added that the police might even be wired.
Next, Day tried the chummy approach at getting information from the
hacker. ‘Just between you and me, are you Mendax?’ he asked.
Silence.
Day tried another tactic. Hackers have a well-developed sense of
ego--a flaw Day no doubt believed he could tap into.
‘There have been a lot of people over the years running around
impersonating you--using your handle,’ he said.
Mendax could see Day was trying to manipulate him but by this stage he
didn’t care. He figured that the police already had plenty of evidence
that linked him to his handle, so he admitted to it.
Day had some other surprising questions up his sleeve.
‘So, Mendax, what do you know about that white powder in the bedroom?’
Mendax couldn’t recall any white powder in the bedroom. He didn’t do
drugs, so why would there be any white powder anywhere? He watched two
police officers bringing two large red toolboxes in the house--they
looked like drug testing kits. Jesus, Mendax thought. I’m being set
up.
The cops led the hacker into the bedroom and pointed to two neat lines
of white powder laid out on a bench.
Mendax smiled, relieved. ‘It’s not what you think,’ he said. The white
powder was glow-in-the-dark glue he had used to paint stars on the
ceiling of his child’s bedroom.
Two of the cops started smiling at each other. Mendax could see
exactly what was going through their minds: It’s not every cocaine or
speed user that can come up with a story like that.
One grinned at the other and exclaimed gleefully, ‘TASTE TEST!’
‘That’s not a good idea,’ Mendax said, but his protests only made
things worse. The cops shooed him into another room and returned to
inspect the powder by themselves.
What Mendax really wanted was to get word through to Prime Suspect.
The cops had probably busted all three IS hackers at the same time,
but maybe not. While the police investigated the glue on their own,
Mendax managed to sneak a telephone call to his estranged wife and
asked her to call Prime Suspect and warn him. He and his wife might
have had their differences, but he figured she would make the call
anyway.
When Mendax’s wife reached Prime Suspect later that night, he replied,
‘Yeah, there’s a party going on over here too.’
Mendax went back into the kitchen where an officer was tagging the
growing number of possessions seized by the police. One of the female
officers was struggling to move his printer to the pile. She smiled
sweetly at Mendax and asked if he would move it for her. He obliged.
The police finally left Mendax’s house at about 3 a.m. They had spent
three and a half hours and seized 63 bundles of his personal belongings,
but they had not charged him with a single crime.
When the last of the unmarked police cars had driven away, Mendax
stepped out into the silent suburban street. He looked around. After
making sure that no-one was watching him, he walked to a nearby phone
booth and rang Trax.
‘The AFP raided my house tonight,’ he warned his friend. ‘They just
left.’
Trax sounded odd, awkward. ‘Oh. Ah. I see.’
‘Is there something wrong? You sound strange,’ Mendax said.
‘Ah. No ... no, nothing’s wrong. Just um ... tired. So, um ... so the
feds could ... ah, be here any minute ...’ Trax’s voice trailed off.
But something was very wrong. The AFP were already at Trax’s house,
and they had been there for 10 hours.
The IS hackers waited almost three years to be charged. The threat of
criminal charges hung over their heads like personalised Swords of
Damocles. They couldn’t apply for a job, make a friend at TAFE or plan
for the future without worrying about what would happen as a result of
the AFP raids of 29 October 1991.
Finally, in July 1994, each hacker received formal charges--in the
mail. During the intervening years, all three hackers went through
monumental changes in their lives.
Devastated by the break-down of his marriage and unhinged by the AFP
raid, Mendax sank into a deep depression and consuming anger. By the
middle of November 1991, he was admitted to hospital.
He hated hospital, its institutional regimens and game-playing
shrinks. Eventually, he told the doctors he wanted out. He might be
crazy, but hospital was definitely making him crazier. He left there
and stayed at his mother’s house. The next year was the worst of his
life.
Once a young person leaves home--particularly the home of a
strong-willed parent--it becomes very difficult for him or her to
return. Short visits might work, but permanent residency often fails.
Mendax lived for a few days at home, then went walkabout. He slept in
the open air, on the banks of rivers and creeks, in grassy
meadows--all on the country fringes of Melbourne’s furthest suburbs.
Sometimes he travelled closer to the city, overnighting in places like
the Merri Creek reserve.
Mostly, he haunted Sherbrooke Forest in the Dandenong Ranges National
Park. Because of the park’s higher elevation, the temperature dropped
well below the rest of Melbourne in winter. In summer, the mosquitoes
were unbearable and Mendax sometimes woke to find his face swollen and
bloated from their bites.
For six months after the AFP raid, Mendax didn’t touch a computer.
Slowly, he started rebuilding his life from the ground up. By the time
the AFP’s blue slips--carrying 29 charges--arrived in July 1994, he
was settled in a new house with his child. Throughout his period of
transition, he talked to Prime Suspect and Trax on the phone
regularly--as friends and fellow rebels, not fellow hackers. Prime
Suspect had been going through his own set of problems.
While he hacked, Prime Suspect didn’t do many drugs. A little weed,
not much else. There was no time for drugs, girls, sports or anything
else. After the raid, he gave up hacking and began smoking more dope.
In April 1992, he tried ecstasy for the first time--and spent the next
nine months trying to find the same high. He didn’t consider himself
addicted to drugs, but the drugs had certainly replaced his addiction
to hacking and his life fell into a rhythm.
Snort some speed or pop an ecstasy tablet on Saturday night. Go to a
rave. Dance all night, sometimes for six hours straight. Get home
mid-morning and spend Sunday coming down from the drugs. Get high on
dope a few times during the week, to dull the edges of desire for the
more expensive drugs. When Saturday rolled around, do it all over
again. Week in, week out. Month after month.
Dancing to techno-music released him. Dancing to it on drugs cleared
his mind completely, made him feel possessed by the music. Techno was
musical nihilism; no message, and not much medium either. Fast,
repetitive, computer-synthesised beats, completely stripped of vocals
or any other evidence of humanity. He liked to go to techno-night at
The Lounge, a city club, where people danced by themselves, or in
small, loose groups of four or five. Everyone watched the video screen
which provided an endless stream of ever-changing, colourful
computer-generated geometric shapes pulsing to the beat.
Prime Suspect never told his mother he was going to a rave. He just
said he was going to a friend’s for the night. In between the drugs,
he attended his computer science courses at TAFE and worked at the
local supermarket so he could afford his weekly $60 ecstasy tablet,
$20 rave entry fee and regular baggy of marijuana.
Over time, the drugs became less and less fun. Then, one Sunday, he
came down off some speed hard. A big crash. The worst he had ever
experienced. Depression set in, and then paranoia. He knew the police
were still watching him. They had followed him before.
At his police interviews, he learned that an AFP officer had followed
him to an AC/DC concert less than two weeks before he had been busted.
The officer told him the AFP wanted to know what sort of friends Prime
Suspect associated with--and the officer had been treated to the spectre
of seven other arm-waving, head-thumping, screaming teenagers just like
Prime Suspect himself.
Now Prime Suspect believed that the AFP had started following him
again. They were going to raid him again, even though he had given up
hacking completely. It didn’t make sense. He knew the premonition was
illogical, but he couldn’t shake it.
Something bad--very, very bad--was going to happen any day. Overcome
with a great sense of impending doom, he lapsed into a sort of
hysterical depression. Feeling unable to prevent the advent of the
dark, terrible event which would tear apart his life yet again, he
reached out to a friend who had experienced his own personal problems.
The friend guided him to a psychologist at the Austin Hospital. Prime
Suspect decided that there had to be a better way to deal with his
problems than wasting himself every weekend. He began counselling.
The counselling made him deal with all sorts of unresolved business.
His father’s death. His relationship with his mother. How he had
evolved into an introvert, and why he was never comfortable talking to
people. Why he hacked. How he became addicted to hacking. Why he took
up drugs.
At the end, the 21-year-old Prime Suspect emerged drug-free and,
though still shaky, on the road to recovery. The worst he had to wait
for were the charges from the AFP.
Trax’s recovery from his psychological instabilities wasn’t as
definitive. From 1985, Trax had suffered from panic attacks, but he
didn’t want to seek professional help--he just ran away from the
problem. The situation only became worse after he was involved in a
serious car accident. He became afraid to leave the house at night. He
couldn’t drive. Whenever he was in a car, he had to fight an
overwhelming desire to fling the door open and throw himself out on to
the road. In 1989, his local GP referred Trax to a psychiatrist, who
tried to treat the phreaker’s growing anxiety attacks with hypnosis
and relaxation techniques.
Trax’s illness degenerated into full-fledged agoraphobia, a fear of
open spaces. When he rang the police in late October 1991--just days
before the AFP raid--his condition had deteriorated to the point where
he could not comfortably leave his own house.
Initially he rang the state police to report a death threat made
against him by another phreaker. Somewhere in the conversation, he
began to talk about his own phreaking and hacking. He hadn’t intended
to turn himself in but, well, the more he talked, the more he had to
say. So many things had been weighing on his mind. He knew that Prime
Suspect had probably been traced from NorTel as a result of Mendax’s
own near miss in that system. And Prime Suspect and Mendax had been so
active, breaking into so many systems, it was almost as if they wanted
to be caught.
Then there was Prime Suspect’s plan to write a destructive worm, which
would wipe systems en route. It wasn’t really a plan per se, more just
an idea he had toyed with on the phone. Nonetheless, it had scared
Trax. He began to think all three IS hackers were getting in too deep
and he wanted out.
He tried to stop phreaking, even going so far as to ask Telecom to
change his telephone number to a new exchange which he knew would not
allow him to make untraceable calls. Trax reasoned that if he knew he
could be traced, he would stop phreaking and hacking.
For a period, he did stop. But the addiction was too strong, and
before long he was back at it again, regardless of the risk. He ran a
hidden cable from his sister’s telephone line, which was on the old
exchange. His inability to stop made him feel weak and guilty, and
even more anxious about the risks. Perhaps the death threat threw him
over the edge. He couldn’t really understand why he had turned himself
in to the police. It had just sort of happened.
The Victoria Police notified the AFP. The AFP detectives must have
been slapping their heads in frustration. Here was Australia’s next
big hacker case after The Realm, and they had expected to make a clean
bust. They had names, addresses, phone numbers. They had jumped
through legal hoops to get a telephone tap. The tap was up and
running, catching every target computer, every plot, every word the
hackers said to each other. Then one of their targets goes and turns
himself in to the police. And not even to the right police--he goes to
the Victoria Police. In one fell swoop, the hacker was going to take
down the entire twelve-month Operation Weather investigation.
The AFP had to move quickly. If Trax tipped off the other two IS
hackers that he had called the police, they might destroy their notes,
computer files--all the evidence the AFP had hoped to seize in raids.
When the AFP swooped in on the three hackers, Mendax and Prime Suspect
had refused to be interviewed on the night. Trax, however, had spent
several hours talking to the police at his house.
He told the other IS hackers that the police had threatened to take
him down to AFP headquarters--despite the fact that they knew leaving
his house caused him anxiety. Faced with that prospect, made so
terrifying by his psychiatric illness, he had talked.
Prime Suspect and Mendax didn’t know how much Trax had told the
police, but they didn’t believe he would dob them in completely. Apart
from anything else, he hadn’t been privy to much of his colleagues’
hacking. They hadn’t tried to exclude Trax, but he was not as
sophisticated a hacker and therefore didn’t share in many of their
exploits.
In fact, one thing Trax did tell the police was just how sophisticated
the other two IS hackers had become just prior to the bust. Prime
Suspect and Mendax were, he said, ‘hackers on a major scale, on a huge
scale--something never achieved before’, and the AFP had sat up and
taken notice.
After the raids, Trax told Mendax that the AFP had tried to recruit
him as an informant. Trax said that they had even offered him a new
computer system, but he had been non-committal. And it seemed the AFP
was still keeping tabs on the IS hackers, Trax also told Mendax. The
AFP officers had heard Mendax had gone into hospital and they were
worried. There seemed to be a disturbing pattern evolving.
On the subject of the IS raids, Trax told Mendax that the AFP felt it
didn’t have any choice. Their attitude was: you were doing so much, we
had to bust you. You were inside so many systems, it was getting out
of control.
In any case, by December 1991 Mendax had agreed to a police interview,
based on legal advice. Ken Day interviewed Mendax, and the hacker was
open with Day about what he had done. He refused, however, to
implicate either Trax or Prime Suspect. In February 1992, Prime
Suspect followed suit, with two interviews. He was also careful about
what he said regarding his fellow hackers. Mendax was interviewed a
second time, in February 1992, as was Trax in August.
After the raid, Trax’s psychiatric condition remained unstable. He
changed doctors and began receiving home visits from a hospital
psychiatric service. Eventually, a doctor prescribed medication.
The three hackers continued to talk on the phone, and see each other
occasionally. One or the other might drop out of communication for a
period, but would soon return to the fold. They helped each other and
they maintained their deep anti-establishment sentiments.
After the charges arrived in the mail, they called each other to
compare notes. Mendax thought out loud on the phone to Prime Suspect,
‘I guess I should get a lawyer’.
‘Yeah. I got one. He’s lining up a barrister too.’
‘They any good?’ Mendax asked.
‘Dunno. I guess so. The solicitor works at Legal Aid, an in-house guy.
I’ve only met them a few times.’
‘Oh,’ Mendax paused. ‘What are their names?’
‘John McLoughlin and Boris Kayser. They did Electron’s case.’
Trax and Prime Suspect decided to plead guilty. Once they saw the
overwhelming evidence--data taps, telephone voice taps, data seized
during the raids, nearly a dozen statements by witnesses from the
organisations they had hacked, the 300-page Telecom report--they
figured they would be better off pleading. The legal brief ran to more
than 7000 pages. At least they would get some kudos with the judge for
cooperating in the police interviews and pleading early in the
process, thus saving the court time and money.
Mendax, however, wanted to fight the charges. He knew about Pad and
Gandalf’s case and the message from that seemed to be pretty clear:
Plead and you go to prison, fight and you might get off free.
The DPP shuffled the charges around so much between mid-1994 and 1995
that all the original charges against Trax, issued on 20 July 1994,
were dropped in favour of six new charges filed on Valentine’s Day,
1995. At that time, new charges--largely for hacking a Telecom
computer--were also laid against Mendax and Prime Suspect.
By May 1995, the three hackers faced 63 charges in all: 31 for Mendax,
26 for Prime Suspect and six for Trax. In addition, NorTel claimed the
damages attributed to the hacker incident totalled about $160000--and
the company was seeking compensation from the responsible parties. The
Australian National University claimed another $4200 in damages.
Most of the charges related to obtaining illegal access to commercial
or other information, and inserting and deleting data in numerous
computers. The deleting of data was not malicious--it generally
related to cleaning up evidence of the hackers’ activities. However,
all three hackers were also charged with some form of ‘incitement’. By
writing articles for the IS magazine, the prosecution claimed the
hackers had been involved in disseminating information which would
encourage others to hack and phreak.
On 4 May 1995 Mendax sat in the office of his solicitor, Paul
Galbally, discussing the committal hearing scheduled for the next day.
Galbally was a young, well-respected member of Melbourne’s most
prestigious law family. His family tree read like a Who’s Who of the
law. Frank Galbally, his father, was one of Australia’s most famous
criminal barristers. His uncle, Jack Galbally, was a well-known
lawyer, a minister in the State Labor government of John Cain Sr and,
later, the Leader of the Opposition in the Victorian parliament. His
maternal grandfather, Sir Norman O’Bryan, was a Supreme Court judge,
as was his maternal uncle of the same name. The Galballys weren’t so
much a family of lawyers as a legal dynasty.
Rather than rest on his family’s laurels, Paul Galbally worked out of
a cramped, 1970s time-warped, windowless office in a William Street
basement, where he was surrounded by defence briefs--the only briefs
he accepted. He liked the idea of keeping people out of prison better
than the idea of putting them in it. Working closely with a defendant,
he inevitably found redeeming qualities which the prosecution would
never see. Traces of humanity, no matter how small, made his choice
seem worthwhile.
His choices in life reflected the Galbally image as champions of the
underdog, and the family shared a background with the working class.
Catholic. Irish. Collingwood football enthusiasts. And, of course, a
very large family. Paul was one of eight children, and his father had
also come from a large family.
The 34-year-old criminal law specialist didn’t know anything about
computer crime when Mendax first appeared in his office, but the
hacker’s case seemed both interesting and worthy. The unemployed,
long-haired youth had explained he could only offer whatever fees the
Victorian Legal Aid Commission was willing to pay--a sentence Galbally
heard often in his practice. He agreed.
Galbally & O’Bryan had a very good reputation as a criminal law firm.
Criminals, however, tended not to have a great deal of money. The
large commercial firms might dabble in some criminal work, but they
cushioned any resulting financial inconvenience with other, more
profitable legal work. Pushing paper for Western Mining Corporation
paid for glass-enclosed corner offices on the fiftieth floor.
Defending armed robbers and drug addicts didn’t.
The 4 May meeting between Galbally and Mendax was only scheduled to
take an hour or so. Although Mendax was contesting the committal
hearing along with Prime Suspect on the following day, it was Prime
Suspect’s barrister, Boris Kayser, who was going to be running the
show. Prime Suspect told Mendax he had managed to get full Legal Aid
for the committal, something Galbally and Mendax had not been able to
procure. Thus Mendax would not have his own barrister at the
proceedings.
Mendax didn’t mind. Both hackers knew they would be committed to
trial. Their immediate objective was to discredit the prosecution’s
damage claims--particularly NorTel’s.
As Mendax and Galbally talked, the mood in the office was upbeat.
Mendax was feeling optimistic. Then the phone rang. It was Geoff
Chettle, the barrister representing the DPP. While Chettle talked,
Mendax watched a dark cloud pass across his solicitor’s face. When he
finally put the phone down, Galbally looked at Mendax with his serious,
crisis management expression.
‘What’s wrong? What’s the matter?’ Mendax asked.
Galbally sighed before he spoke.
‘Prime Suspect has turned Crown witness against you.’
There was a mistake. Mendax was sure of it. The whole thing was just
one big mistake. Maybe Chettle and the DPP had misunderstood something
Prime Suspect had said to them. Maybe Prime Suspect’s lawyers had
messed up. Whatever. There was definitely a mistake.
At Galbally’s office, Mendax had refused to believe Prime Suspect had
really turned. Not until he saw a signed statement. That night he told
a friend, ‘Well, we’ll see. Maybe Chettle is just playing it up.’
Chettle, however, was not just playing it up.
There it was--a witness statement--in front of him. Signed by Prime
Suspect.
Mendax stood outside the courtroom at Melbourne Magistrates Court trying
to reconcile two realities. In the first, there was one of Mendax’s four
or five closest friends. A friend with whom he had shared his deepest
hacking secrets. A friend he had been hanging out with only last week.
In the other reality, a six-page statement signed by Prime Suspect and
Ken Day at AFP Headquarters at 1.20 p.m. the day before. To compound
matters, Mendax began wondering if Prime Suspect may have been
speaking to the AFP for as long as six months.
The two realities were spinning through his head, dancing around each
other.
When Galbally arrived at the court, Mendax took him to one side to go
over the statement. From a damage-control perspective, it wasn’t a
complete disaster. Prime Suspect certainly hadn’t gone in hard. He
could have raised a number of matters, but didn’t. Mendax had already
admitted to most of the acts which formed the basis of his 31 charges
in his police interview. And he had already told the police a good
deal about his adventures in Telecom’s telephone exchanges.
However, Prime Suspect had elaborated on the Telecom break-ins in his
statement. Telecom was owned by the government, meaning the court
would view phreaking from their exchanges not as defrauding a company
but as defrauding the Commonwealth. Had the DPP decided to lay those
new charges--the Telecom charges--in February 1995 because Prime
Suspect had given the AFP a draft Crown witness statement back then?
Mendax began to suspect so. Nothing seemed beyond doubt any more.
The immediate crisis was the committal hearing in the Melbourne
Magistrates Court. There was no way Boris Kayser was now going to
decimate their star witness, a NorTel information systems
manager. Galbally would have to run a cross-examination himself--no easy
task at short notice, given the highly complex technical aspects of the
case.
Inside the courtroom, as Mendax got settled, he saw Prime Suspect. He
gave his former friend a hard, unblinking, intense stare. Prime
Suspect responded with a blank wall, then he looked away. In fact,
even if Mendax had wanted to say something, he couldn’t. As a Crown
witness, Prime Suspect was off-limits until the case was over.
The lawyers began to file into the courtroom. The DPP representative,
Andrea Pavleka, breezed in, momentarily lifting the tension in the
windowless courtroom.
She had that effect on people. Tall, slender and long-legged, with a
bob of sandy blonde curls, booky spectacles resting on a cute button
nose and an infectious laugh, Pavleka didn’t so much walk into a
courtroom as waft into it. She radiated happiness from her sunny face.
It’s a great shame, Mendax thought, that she is on the other side.
The court was called into session. Prime Suspect stood in the dock and
pleaded guilty to 26 counts of computer crimes.
In the course of the proceedings his barrister, Boris Kayser, told the
court that his client had cooperated with the police, including
telling the AFP that the hackers had penetrated Telecom’s exchanges.
He also said that Telecom didn’t believe--or didn’t want to
believe--that their exchanges had been compromised. When Kayser
professed loudly what a model citizen his client had been, Ken Day,
sitting in the public benches, quietly rolled his eyes.
The magistrate, John Tobin, extended Prime Suspect’s bail. The hacker
would be sentenced at a later date.
That matter dealt with, the focus of the courtroom shifted to Mendax’s
case. Geoff Chettle, for the prosecution, stood up, put the NorTel
manager, who had flown in from Sydney, on the stand and asked him some
warm-up questions.
Chettle could put people at ease--or rattle them--at will. Topped by a
minute stubble of hair, his weathered 40-something face provided a
good match to his deep, gravelly voice. With quick eyes and a hard,
no-nonsense manner, he lacked the pretentiousness of many barristers.
Perhaps because he didn’t seem to give a fig about nineteenth century
protocols, he always managed to look out of place in a barrister’s
wig and robe. Every time he stood up, the black cape slid off his lean
shoulders. The barrister’s wig went crooked. He continually adjusted
it--tugging the wig back into the correct spot like some wayward
child. In court, Chettle looked as if he wanted to tear off the crusty
trappings of his profession and roll up his sleeves before sinking
into a hearty debate. And he looked as if he would rather do it at a
pub or the footy.
The NorTel manager took the stand. Chettle asked him some questions
designed to show the court the witness was credible, in support of the
company’s $160000 hacker-clean-up claim. His task accomplished,
Chettle sat down.
A little nervous, Paul Galbally stood up to his full height--more than
six feet--and straightened his jacket. Dressed in a moss green suit so
dark it was almost black, with thin lapels and a thin, 1960s style
tie, he looked about as understated hip as a lawyer could--and still
show his face in court.
Halting at first, Galbally appeared unsure of himself. Perhaps he had
lost his nerve because of the technical issues. WTMP files. UTMP
files. PACCT audits. Network architecture. IP addresses. He had been
expected to become an expert in the basics literally overnight. A
worried Mendax began passing him notes--questions to ask,
explanations, definitions. Slowly, Galbally started working up a
rhythm to the cross-examination.
During the questioning someone from the back of the court sidled up to
Mendax, in the front row of seats, and handed a note over his
shoulder. Mendax unfolded the note, read it and then turned around to
smile at the messenger. It was Electron.
By the time Galbally had finished, he had pulled apart much of the
NorTel manager’s evidence. As he built up a head of steam quizzing the
witness, he forced the NorTel manager to admit he didn’t know all that
much about the alleged hacking incidents. In fact, he wasn’t even
employed by the company when they occurred. He had largely thrown
together an affidavit based on second-hand information--and it was
this affidavit which supposedly proved the hackers had cost the
company $160000. Worse, it seemed to an observer at court that the
NorTel manager had little Unix security technical expertise and
probably would not have been able to conduct a detailed technical
analysis of the incident even if he had been with the company in 1991.
By the end of the defence’s cross-examination, it appeared that
Galbally knew more about Unix than the NorTel manager.
When Geoff Chettle stood up to re-examine the witness, the situation
was hopeless. The manager soon stood down. In Mendax’s view, the
credibility of the NorTel manager’s statement was shot.
The court was then adjourned until 12 May.
After court, Mendax heard Geoff Chettle talking about the NorTel
witness. ‘That guy is OFF the team,’ he said emphatically.
It was a mixed victory for Mendax. His solicitor had knocked off one
NorTel witness, but there were more where he came from. At a full
trial, the prosecution would likely fly in some real NorTel
fire-power, from Canada, where the 676-page security incident report
had been prepared by Clark Ferguson and other members of the NorTel
security team. Those witnesses would understand how a Unix system
operated, and would have first-hand knowledge of the hackers’
intrusions. It could make things much more difficult.
When Mendax returned to court a week later, he was committed to stand
trial in the County Court of Victoria, as expected.
Later, Mendax asked Galbally about his options. Take the case to full
trial, or plead guilty like the other two IS hackers. He wanted to
know where the DPP stood on his case. Would they go in hard if he
pleaded guilty? Had the NorTel manager disaster at the committal
hearing forced them to back down a little?
Paul sighed and shook his head. The DPP were standing firm. They
wanted to see Mendax go to prison.
Andrea Pavleka, the DPP’s sunny-faced girl who radiated happiness, was
baying for blood.
🔆🔆🔆
One month later, on 21 July 1995, Prime Suspect arrived at the County
Court for sentencing.
Rising early that morning to make sure his court suit was in order,
Prime Suspect had been tense. His mother cooked him a big breakfast.
Toast, bacon and eggs the way he liked it. In fact, his favourite
breakfast was an Egg McMuffin from McDonald’s, but he never told his
mother that.
The courtroom was already crowded. Reporters from newspapers, the wire
services, a few TV channels. There were also other people, perhaps
waiting for another case.
Dressed in a dark pinstripe suit, Ken Day stood tapping on a laptop
on the prosecution’s side of the courtroom. Geoff Chettle sat near
him. Prime Suspect’s barrister, Boris Kayser, sifted through some
papers on the other side.
Mendax lingered at the back of the room, watching his former friend.
He wanted to hear Prime Suspect’s sentence because, under the rules of
parity sentencing, Mendax’s own sentence would have to be similar to
that of his fellow hackers. However, Prime Suspect might get some
dispensation for having helped the prosecution.
A handful of Prime Suspect’s friends--none of them from the computer
underground--trickled in. The hacker’s mother chatted nervously with
them.
Court was called into session and everyone settled into their seats.
The first case, it turned out, was not Prime Suspect’s. A tall,
silver-haired man in his mid-fifties, with eyes so blue they were
almost demonic, stepped into the dock. As the reporters began taking
notes, Prime Suspect tried to imagine what crime the polished,
well-dressed man had committed.
Child molesting.
The man had not just molested children, he had molested
his own son. In the parents’ bedroom. Repeatedly. On Easter Sunday.
His son was less than ten years old at the time. The whole family had
collapsed. Psychologically scarred, his son had been too traumatised
even to give a victim impact statement.
For all of this, Judge Russell Lewis told the court, the man had shown
no remorse. Grave-faced, the judge sentenced him to a minimum prison
term of five years and nine months.
The court clerk then called Prime Suspect’s case.
At the back of the courtroom, Mendax wondered at the strange
situation. How could the criminal justice system put a child molester
in the same category as a hacker? Yet, here they both were being
sentenced side by side in the same County Court room.
Boris Kayser had called a collection of witnesses, all of whom
attested to Prime Suspect’s difficult life. One of these, the
well-regarded psychologist Tim Watson-Munro, described Prime Suspect’s
treatments at the Austin Hospital and raised the issue of reduced
free-will. He had written a report for the court.
Judge Lewis was quick to respond to the suggestion that hacking was an
addiction. At one point, he wondered aloud to the courtroom whether
some of Prime Suspect’s hacking activities were ‘like a shot of
heroin’.
Before long, Kayser had launched into his usual style of courtroom
address. First, he criticised the AFP for waiting so long to charge
his client.
‘This fellow should have been dealt with six to twelve months after
being apprehended. It is a bit like the US, where a man can commit a
murder at twenty, have his appeal be knocked back by the Supreme Court
at 30 and be executed at 40--all for something he did when he was only
twenty years old.’
Thoroughly warmed up, Kayser observed that 20 per cent of Prime
Suspect’s life had gone by since being raided. Then he began hitting
his high notes.
‘This young man received no assistance in the maturation process. He
didn’t grow up, he drifted up.
‘His world was so horrible that he withdrew into a fantasy world. He
knew no other way to interact with human beings. Hacking was like a
physical addiction to him.
‘If he hadn’t withdrawn into the cybernetic highway, what would he
have done instead? Set fires? Robbed houses? Look at the name he gave
himself. Prime Suspect. It has implied power--a threat. This kid
didn’t have any power in his life other than when he sat down at a
computer.’
Not only did Kayser want the judge to dismiss the idea of prison or
community service, he was asking him to order no recorded conviction.
The prosecution lawyers looked at Kayser as if he was telling a good
joke. The AFP had spent months tracking these hackers and almost three
years preparing the case against them. And now this barrister was
seriously suggesting that one of the key players should get off
virtually scot-free, with not so much as a conviction recorded against
him? It was too much.
The judge retired to consider the sentence. When he returned, he was
brief and to the point. No prison. No community service. The recording
of 26 convictions. A $500 three-year good behaviour bond. Forfeiture
of the now ancient Apple computer seized by police in the raid. And a
reparation payment to the Australian National University of $2100.
Relief passed over Prime Suspect’s face, pink and sweaty from the
tension. His friends and family smiled at each other.
Chettle then asked the judge to rule on what he called ‘the
cooperation point’. He wanted the judge to say that Prime Suspect’s
sentence was less than it would have been because the hacker had
turned Crown witness. The DPP was shoring up its position with regard
to its remaining target--Mendax.
Judge Lewis told the court that the cooperation in this case made no
difference. At the back of the court, Mendax felt suddenly sad. It was
good news for him, but somehow it felt like a hollow victory.
Prime Suspect has destroyed our friendship, he thought, and all for
nothing.
Two months after Prime Suspect’s sentencing, Trax appeared in another
County Court room to receive his sentence after pleading guilty to six
counts of hacking and phreaking. Despite taking medication to keep his
anxiety under control while in the city, he was still very nervous in
the dock.
Since he faced the least number of charges of any of the IS hackers,
Trax believed he had a shot at no recorded conviction. Whether or not
his lawyer could successfully argue the case was another matter.
Bumbling through papers he could never seem to organise, Trax’s lawyer
rambled to the court, repeated the same points over and over again,
jumping all over the place in his arguments. His voice was a
half-whispered rasp--a fact which so annoyed the judge that he sternly
instructed the lawyer to speak up.
Talking informally before court, Geoff Chettle had told Mendax that in
his view there was no way Judge Mervyn Kimm would let Trax off with no
recorded conviction. Judge Kimm was considered to be one tough nut to
crack. If you were a bookmaker running bets on his court at a
sentencing hearing, the good money would be on the prosecution’s side.
But on 20 September 1995, the judge showed he couldn’t be predicted
quite so easily. Taking everything into account, including Prime
Suspect’s sentence and Trax’s history of mental illness, he ordered no
conviction be recorded against Trax. He also ordered a $500 three-year
good behaviour bond.
In passing sentence, Judge Kimm said something startlingly insightful
for a judge with little intimate knowledge of the hacker psyche. While
sternly stating that he did not intend to make light of the gravity of
the offences, he told the court that ‘the factors of specific
deterrence and general deterrence have little importance in the
determination of the sentence to be imposed’. It was perhaps the first
time an Australian judge had recognised that deterrence had little
relevance at the point of collision between hacking and mental
illness.
Trax’s sentence was also a good outcome for Mendax, who on
29 August 1995 pleaded guilty to eight counts of computer crime, and
not guilty to all the other charges. Almost a year later, on 9 May
1996, he pleaded guilty to an additional eleven charges, and not
guilty to six. The prosecution dropped all the other charges.
Mendax wanted to fight those six outstanding charges, which involved
ANU, RMIT, NorTel and Telecom, because he felt that the law was on his
side in these instances. In fact, the law was fundamentally unclear
when it came to those charges. So much so that the DPP and the defence
agreed to take issues relating to those charges in a case stated to
the Supreme Court of Victoria.
In a case stated, both sides ask the Supreme Court to make a ruling
not on the court case itself, but on a point of law. The defence and
the prosecution hammer out an agreed statement about the facts of the
case and, in essence, ask the Supreme Court judges to use that
statement as a sort of case study. The resulting ruling is meant to
clarify the finer points of the law not only for the specific case,
but for similar cases which appear in future.
Presenting a case stated to the Supreme Court is somewhat uncommon. It
is unusual to find a court case where both sides can agree on enough
of the facts, but Mendax’s hacking charges presented the perfect case
and the questions which would be put to the Victorian Supreme Court in
late 1996 were crucial for all future hacking cases in Australia. What
did it mean ‘to obtain access’ to a computer? Did someone obtain
access if he or she got in without using a password? What if he or she
used the username ‘guest’ and the password ‘guest’?
Perhaps the most crucial question of all was this: does a person
‘obtain access’ to data stored in a computer if he or she has the
ability to view the data, but does not in fact view or even attempt to
view that data?
A good example of this applied to the aggravated versions of the
offence of hacking: viewing commercial information. If, for example,
Mendax logged into a NorTel computer, which contained commercially
sensitive information, but he didn’t actually read any of those files,
would he be guilty of ‘obtaining access’ or ‘obtaining access to
commercial information’?
The chief judge of the County Court agreed to the case stated and sent
it up to the full bench of the Supreme Court. The lawyers from both
sides were pleased with the bench--Justices Frank Vincent, Kenneth
Hayne and John Coldrey.
On 30 September 1996, Mendax arrived at the Supreme Court and found
all the lawyers assembled at the court--all except for his barrister.
Paul Galbally kept checking his watch as the prosecution lawyers began
unpacking their mountains of paper--the fruit of months of
preparation. Galbally paced the plush carpet of the Supreme Court
anteroom. Still no barrister.
Mendax’s barrister had worked tirelessly, preparing for the case
stated as if it was a million dollar case. Combing through legal
precedents from not only Australia, the UK and the US, but from all
the world’s Western-style democracies, he had attained a great
understanding of the law in the area of computer crime. He had finally
arrived at that nexus of understanding between law, philosophy and
linguistics which many lesser lawyers spent their entire careers
trying to reach.
But where was he? Galbally pulled out his mobile and checked in with
his office for what seemed like the fifth time in as many minutes. The
news he received was bad. He was told, through second-hand sources,
that the barrister had collapsed in a state of nervous exhaustion. He
wouldn’t be making it to court.
Galbally could feel his hairs turning grey.
When court opened, Galbally had to stand up and explain to three of
the most senior judges in Australia why the defence would like a
two-day adjournment. A consummate professional, Geoff Chettle
supported the submission. Still, it was a difficult request. Time in
the Supreme Court is a scarce and valuable thing. Fortunately, the
adjournment was granted.
This gave Galbally exactly two days in which to find a barrister who
was good, available and smart enough to assimilate a massive amount of
technical information in a short time. He found Andrew Tinney.
Tinney worked around the clock and by Wednesday, 2 October, he was
ready. Once again, all the lawyers, and the hacker, gathered at the
court.
This time, however, it was the judges who threw a spanner into the
works. They asked both sides to spend the first hour or so explaining
exactly why the Supreme Court should hear the case stated at all. The
lawyers looked at each other in surprise. What was this all about?
After hearing some brief arguments from both sides, the judges retired
to consider their position. When they returned, Justice Hayne read a
detailed judgment saying, in essence, that the judges refused to hear
the case.
As the judge spoke, it became clear that the Supreme Court judges
weren’t just refusing to hear this case stated; they were virtually
refusing to hear any case stated in future. Not for computer crimes.
Not for murder. Not for fraud. Not for anything. They were sending a
message to the County Court judges: don’t send us a case stated except
in exceptional circumstances.
Geoff Chettle slumped in his chair, his hands shielding his face. Paul
Galbally looked stunned. Andrew Tinney looked as if he wanted to leap
from his chair shouting, ‘I just killed myself for the past two days
on this case! You have to hear it!’ Even Lesley Taylor, the quiet,
unflappable and inscrutable DPP solicitor who had replaced Andrea
Pavleka on the case, looked amazed.
The ruling had enormous implications. Judges from the lower courts
would be loath to ever send cases to the Supreme Court for
clarification on points of law again. Mendax had made legal history,
but not in the way he had hoped.
Mendax’s case passed back down to the County Court.
He had considered taking his case to trial, but with recently
announced budget cuts to Legal Aid, he knew there was little hope of
receiving funding to fight the charges. The cuts were forcing the poor
to plead guilty, leaving justice available only for the wealthy.
Worse, he felt the weight of pleading guilty, not only as a sense of
injustice in his own case, but for future hacking cases which would
follow. Without clarity on the meaning of the law--which the judges
had refused to provide--or a message from a jury in a landmark case,
such as Wandii’s trial, Mendax believed that hackers could expect
little justice from either the police or the courts in the future.
On 5 December 1996, Mendax pleaded guilty to the remaining six charges
and was sentenced on all counts.
Court Two was quiet that day. Geoff Chettle, for the prosecution,
wasn’t there. Instead, the quietly self-possessed Lesley Taylor
handled the matter. Paul Galbally appeared for Mendax himself. Ken Day
sat, expressionless, in the front row of the public benches. He looked
a little weary. A few rows back, Mendax’s mother seemed nervous.
Electron slipped silently into the back of the room and gave Mendax a
discreet smile.
His hair pulled back into a loose ponytail, Mendax blinked and rolled
his eyes several times as if brought from a dark space into the
bright, white-walled courtroom.
Judge Ross, a ruddy-faced and jowly man of late middle age with bushy,
grey eyebrows, seated himself in his chair. At first, he was reluctant
to take on the case for sentencing. He thought it should be returned
to one of the original judges--Judge Kimm or Judge Lewis. When he
walked into court that morning, he had not read the other judges’
sentences.
Lesley Taylor summarised the punishments handed down to the other two
hackers. The judge did not look altogether pleased. Finally, he
announced he would deal with the case. ‘Two judges have had a crack at
it, why not a third one? He might do it properly.’
Galbally was concerned. As the morning progressed, he became
increasingly distressed; things were not going well. Judge Ross made
clear that he personally favoured a custodial sentence, albeit a
suspended one. The only thing protecting Mendax seemed to be the
principle of parity in sentencing. Prime Suspect and Trax had
committed similar crimes to Mendax, and therefore he had to be given a
similar sentence.
Ross ‘registered some surprise’ at Judge Lewis’s disposition toward
the sentencing of Prime Suspect. In the context of parity, he told
Lesley Taylor, he was at times ‘quite soured by some penalties’
imposed by other judges. He quizzed her for reasons why he might be
able to step outside parity.
He told the court that he had not read the telephone intercepts in the
legal brief. In fact, he had ‘only read the summary of facts’ and when
Taylor mentioned ‘International Subversive’, he asked her, ‘What was
that?’
Then he asked her how to spell the word ‘phreak’.
Later that day, after Judge Ross had read the other judges’ sentences,
he gave Mendax a sentence similar to Prime Suspect’s--a recorded
conviction on all counts, a reparation payment of $2100 to ANU and a
three-year good behaviour bond.
There were two variations. Prime Suspect and Trax both received $500
good behaviour bonds; Judge Ross ordered a $5000 bond for Mendax.
Further, Judge Lewis had given Prime Suspect almost twelve months to
pay his $2100 reparation. Judge Ross ordered Mendax to pay within
three months.
Judge Ross told Mendax, ‘I repeat what I said before. I thought
initially that these were offences which justified a jail sentence, but
the mitigatory circumstances would have converted that to a suspended
sentence. The sentence given to your co-offender caused me to alter that
view, however.’ He was concerned, he said, ‘that highly intelligent
individuals ought not to behave like this and I suspect it is only
highly intelligent individuals who can do what you did’.
The word ‘addiction’ did not appear anywhere in the sentencing
transcript.