Contents | Previous: Chapter 11 -- The Prisoner's Dilemma | Next: Underground -- Glossary and Abbreviations
It was billed as the `largest annual gathering of those in, related to, or wishing to know more about the computer underground', so I thought I had better go.
HoHoCon in Austin, Texas, was without a doubt one of the strangest conferences I have attended. During the weekend leading up to New Year's Day 1995, the Ramada Inn South was overrun by hackers, phreakers, ex-hackers, underground sympathisers, journalists, computer company employees and American law enforcement agents. Some people had come from as far away as Germany and Canada.
The hackers and phreakers slept four or six to a room--if they slept at all. The feds slept two to a room. I could be wrong; maybe they weren't feds at all. But they seemed far too well dressed and well pressed to be anything else. No one else at HoHoCon ironed their T-shirts.
I left the main conference hall and wandered into Room 518--the computer room--sat down on one of the two hotel beds which had been shoved into a corner to make room for all the computer gear, and watched. The conference organisers had moved enough equipment in there to open a store, and then connected it all to the Internet. For nearly three days, the room was almost continuously full. Boys in their late teens or early twenties lounged on the floor talking, playing with their cell phones and scanners or tapping away at one of the six or seven terminals. Empty bags of chips, Coke cans and pizza boxes littered the room. The place felt like one giant college dorm floor party, except that the people didn't talk to each other so much as to their computers.
These weren't the only interesting people at the con. I met up with an older group of nonconformists in the computer industry, a sort of Austin intelligentsia. By older, I mean above the age of 26. They were interested in many of the same issues as the young group of hackers--privacy, encryption, the future of a digital world--and they all had technical backgrounds.
This loose group of blue-jean clad thinkers, people like Doug Barnes, Jeremy Porter and Jim McCoy, like to meet over enchiladas and margueritas at university-style cafes. They always seemed to have three or four projects on the run. Digital cash was the flavour of the month when I met them. They were unconventional, perhaps even a little weird, but they were also bright, very creative and highly innovative. They were just the sort of people who might marry creative ideas with maturity and business sense, eventually making widespread digital cash a reality.
I began to wonder how many of the young men in Room 518 might follow the same path. And I asked myself: where are these people in Australia?
Largely invisible or perhaps even non-existent, it seems. Except maybe in the computer underground. The underground appears to be one of the few places in Australia where madness, creativity, obsession, addiction and rebellion collide like atoms in a cyclotron.
After the raids, the arrests and the court cases on three continents, what became of the hackers described in this book?
Most of them went on to do interesting and constructive things with their lives. Those who were interviewed for this work say they have given up hacking for good. After what many of them had been through, I would be surprised if any of them continued hacking.
Most of them, however, are not sorry for their hacking activities. Some are sorry they upset people. They feel badly that they caused system admins stress and unhappiness by hacking their systems. But most do not feel hacking is wrong--and few, if any, feel that `look-see hacking', as prosecuting barrister Geoff Chettle termed non-malicious hacking, should be a crime.
For the most part, their punishments have only hardened their views on the subject. They know that in many cases the authorities have sought to make examples of them, for the benefit of rest of the computer underground. The state has largely failed in this objective. In the eyes of many in the computer underground, these prosecuted hackers are heroes.
When I met Par in Tucson, Arizona, he had travelled from a tiny, snow-laden Mid-Western town where he was living with his grandparents. He was looking for work, but hadn't been able to find anything.
As I drove around the outskirts of Tucson, a little jetlagged and disoriented, I was often distracted from the road by the beauty of the winter sun on the Sonoran desert cacti. Sitting in the front passenger seat, Par said calmly, `I always wondered what it would be like to drive on the wrong side of the road'.
I swerved back to the right side of the road.
Par is still like that. Easy-going, rolling with the punches, taking what life hands him. He is also on the road again.
He moved back to the west coast for a while, but will likely pack up and go somewhere else before long. He picks up temporary work where he can, often just basic, dull data-entry stuff. It isn't easy. He can't just explain away a four-year gap in his resumé with `Successfully completed a telecommuting course for fugitives. Trained by the US Secret Service'. He thought he might like to work at a local college computer lab, helping out the students and generally keeping the equipment running. Without any professional qualifications, that seemed an unlikely option these days.
Although he is no longer a fugitive, Par's life hasn't changed that much. He speaks to his mother very occasionally, though they don't have much in common. Escaping his computer crimes charges proved easier than overcoming the effects of being a fugitive for so long on his personality and lifestyle. Now and again, the paranoia sets in again. It seems to come in waves. There aren't many support mechanisms in the US for an unemployed young man who doesn't have health insurance.
Prime Suspect has no regrets about his choices. He believed that he and Mendax were headed in different directions in life. The friendship would have ended anyway, so he decided that he was not willing to go to prison for Mendax.
He completed a TAFE course in computer programming and found a job in the burgeoning Internet industry. He likes his job. His employer, who knows about his hacking convictions, recently gave him a pay rise. In mid-1994, he gave up drugs for good. In 1995 he moved into a shared house with some friends, and in August 1996 he stopped smoking cigarettes.
Without hacking, there seems to be time in his life to do new things. He took up sky-diving. A single jump gives him a high which lasts for days, sometimes up to a week. Girls have captured his interest. He's had a few girlfriends and thinks he would like to settle into a serious relationship when he finds the right person.
Recently, Prime Suspect has been studying martial arts. He tries to attend at least four classes a week, sometimes more, and says he has a special interest in the spiritual and philosophical sides of martial arts. Most days, he rises at 5 a.m., either to jog or to meditate.
In 1992 Mendax and Trax teamed up with a wealthy Italian real-estate investor, purchased La Trobe University's mainframe computer (ironically, a machine they had been accused of hacking) and started a computer security company. The company eventually dissolved when the investor disappeared following actions by his creditors.
After a public confrontation in 1993 with Victorian Premier Jeff Kennett, Mendax and two others formed a civil rights organisation to fight corruption and lack of accountability in a Victorian government department. As part of this ongoing effort, Mendax acted as a conduit for leaked documents and became involved in a number of court cases against the department during 1993-94. Eventually, he gave evidence in camera to a state parliamentary committee examining the issues, and his organisation later facilitated the appearance of more than 40 witnesses at an investigation by the Auditor-General.
Mendax volunteers his time and computer expertise for several other non-profit community organisations. He believes strongly in the importance of the non-profit sector, and spends much of his free time as an activist on different community projects. Mendax has provided information or assistance to law-enforcement bodies, but not against hackers. He said, `I couldn't ethically justify that. But as for others, such as people who prey on children or corporate spies, I am not concerned about using my skills there.'
Still passionate about coding, Mendax donates his time to various international programming efforts and releases some of his programs for free on the Internet. His philosophy is that most of the lasting social advances in the history of man have been a direct result of new technology.
NorTel and a number of other organisations he was accused of hacking use his cryptography software--a fact he finds rather ironic.
Anthrax moved to Melbourne, where he is completing a university course and working on freelance assignments in the computer networking area of a major corporation.
His father and mother are divorcing. Anthrax doesn't talk to his father at all these days.
Anthrax's mother's health has stabilised somewhat since the completion of the court case, though her condition still gives her chronic pain. Despite some skin discolouration caused by the disease, she looks well. As a result of her years of work in the local community, she has a loyal group of friends who support her through bad bouts of the illness. She tries to live without bitterness and continues to have a good relationship with both her sons.
Anthrax is no longer involved in the Nation of Islam, but he is still a devout Muslim. An acquaintance of his, an Albanian who ran a local fish and chips shop, introduced him to a different kind of Islam. Not long after, Anthrax became a Sunni Muslim. He doesn't drink alcohol or gamble, and he attends a local mosque for Friday evening prayers. He tries to read from the Qu'raan every day and to practise the tenets of his religion faithfully.
With his computer and business skills now sought after by industry, he is exploring the possibility of moving to a Muslim country in Asia or the Middle East. He tries to promote the interests of Islam worldwide.
Most of his pranking needs are now met by commercial CDs--recordings of other people's pranking sold through underground magazines and American mail order catalogues. Once in a long while, he still rings Mr McKenny in search of the missing shovel.
Anthrax felt aggrieved at the outcome of his written complaint to the Office of the Ombudsman. In the complaint, Anthrax gave an account of how he believed the AFP had behaved inappropriately throughout his case. Specifically, he alleged that the AFP had pressured his mother with threats and had harassed him, taken photographs of him without his permission, given information to his university about his case prior to the issue of a summons and the resolution of his case, and made racist comments toward him during the raid.
In 1995-96, a total of 1157 complaints were filed against the AFP, 683 of which were investigated by the Commonwealth Ombudsman. Of the complaint investigations completed and reviewed, only 6 per cent were substantiated. Another 9 per cent were deemed to be `incapable of determination', about 34 per cent were `unsubstantiated', and in more than a quarter of all cases the Ombudsman either chose not to investigate or not to continue to investigate a complaint.
The Office of the Ombudsman referred Anthrax's matter to the AFP's Internal Investigations office. Although Anthrax and his mother both gave statements to the investigating officers, there was no other proof of Anthrax's allegations. In the end, it came down to Anthrax and his mother's words against those of the police.
The AFP's internal investigation concluded that Anthrax's complaints could either not be substantiated or not be determined, in part due to the fact that almost two years had passed since the original raid. For the most part, the Ombudsman backed the AFP's finding. No recommendation was made for the disciplining of any officers.
Anthrax's only consolation was a concern voiced by the Ombudsman's Office. Although the investigating officer agreed with the AFP investigators that the complaint could not be substantiated, she wrote, `I am concerned that your mother felt she was compelled to pressure you into attending an interview based on a fear that she would be charged because her phone was used to perpetrate the offences'.
Anthrax remains angry and sceptical about his experience with the police. He believes a lot of things need to be changed about the way the police operate. Most of all, he believes that justice will never be assured in a system where the police are allowed to investigate themselves.
After Pad and Gandalf were released from prison, they started up a free security advisory service on the Internet. One reason they began releasing 8lgm advisories, as they were known, was to help admins secure their own systems. The other reason was to thumb their noses at the conservatives in the security industry.
Many on the Internet considered the 8lgm advisories to be the best available at the time--far better than anything CERT had ever produced. Pad and Gandalf were sending their own message back to the establishment. The message, though never openly stated, was something like this: `You busted us. You sent us to prison. But it didn't matter. You can't keep information like this secret. Further, we are still better than you ever were and, to prove it, we are going to beat you at your own game.'
Believing that the best way to keep a hacker out of your system is to secure it properly in the first place, the two British hackers rejected security gurus who refused to tell the world about new security holes. Their 8lgm advisories began marginalising the traditional industry security reports, and helped to push the industry toward its current, more open attitude.
Pad and Gandalf now both work, doing computer programming jobs on contract, sometimes for financial institutions. Their clients like them and value their work. Both have steady girlfriends.
Pad doesn't hack any more. The reason isn't the risk of getting caught or the threat of prison. He has stopped hacking because he has realised what a headache it is for a system administrator to clean up his or her computer after an attack. Searching through logs. Looking for backdoors the hacker might have left behind. The hours, the hassle, the pressure--he thinks it is wrong to put anyone through that. Pad understands far better now how much strain a hacker intrusion can cause another human being.
There is another reason Pad has given up hacking: he has simply outgrown the desire. He says that he has better things to do with his time. Computers are a way for him to earn a living, not a way to spend his leisure time. After a trip overseas he decided that real travel--not its electronic cousin--was more interesting than hacking. He has also learned to play the guitar, something he believes he would have done years ago if he hadn't spent so much time hacking.
Gandalf shares Pad's interest in travelling. One reason they like contract work is because it lets them work hard for six months, save some money, and then take a few months off. The aim of both ex-hackers for now is simply to sling backpacks over their shoulders and bounce around the globe.
Pad still thinks that Britain takes hacking far too seriously and he is considering moving overseas permanently. The 8lgm court case made him wonder about the people in power in Britain--the politicians, the judges, the law enforcement officers. He often thinks: what kind of people are running this show?
In 1993, the Victorian Ombudsman1 and the Victoria Police2 both investigated the leaking of confidential police information in association with Operation Iceberg--a police investigation into allegations of corruption against Assistant Commissioner of Police Frank Green. Stuart Gill figured prominently in both reports.
The Victoria Police report concluded that `Gill was able to infiltrate the policing environment by skilfully manipulating himself and information to the unsuspecting'. The Ombudsman concluded that a `large quantity of confidential police information, mainly from the ISU database, was given to ... Gill by [Victoria Police officer] Cosgriff'.
The police report stated that Inspector Chris Cosgriff had deliberately leaked confidential police information to Gill, and reported that he was `besotted with Gill'. Superintendent Tony Warren, ex-Deputy Commissioner John Frame and ex-Assistant Commissioner Bernice Masterston were also criticised in the report.
The Ombudsman concluded that Warren and Cosgriff's relationship with Gill was `primarily responsible for the release of confidential information'. Interestingly, however, the Ombudsman also stated, `Whilst Mr Gill may have had his own agenda and taken advantage of his relationship with police, police have equally used and in some cases misused Mr Gill for their own purposes'.
The Ombudsman's report further concluded that there was no evidence of criminal conduct by Frank Green, and that the `allegations made over the years against Mr Green should have been properly and fully investigated at the time they were made'.
As his court case played in the media, Phoenix was speeding on his motorcycle through an inner-city Melbourne street one rainy night when he hit a car. The car's driver leapt from the front seat and found a disturbing scene. Phoenix was sprawled across the road. His helmet had a huge crack on the side, where his head had hit the car's petrol tank, and petrol had spilled over the motorcycle and its rider.
Miraculously, Phoenix was unhurt, though very dazed. Some bystanders helped him and the distraught driver to a nearby halfway house. They called an ambulance, and then made the two traumatised young men some tea in the kitchen. Phoenix's mother arrived, called by a bystander at Phoenix's request. The ambulance workers confirmed that Phoenix had not broken any bones but they recommended he go to hospital to check for possible concussion.
Still both badly shaken, Phoenix and the driver exchanged names and phone numbers. Phoenix told the driver he did technical work for a 0055 telephone service, then said, `You might recognise me. I'm Phoenix. There's this big computer hacking case going on in court--that's my case'.
The driver looked at him blankly.
Phoenix said, `You might have seen me on the TV news.'
No, the driver said, somewhat amazed at the strange things which go through the dazed mind of a young man who has so narrowly escaped death.
Some time after Phoenix's close brush with death, the former hacker left his info-line technician's job and began working in the information technology division of a large Melbourne-based corporation. Well paid in his new job, Phoenix is seen, once again, as the golden-haired boy. He helped to write a software program which reduces waste in one of the production lines and reportedly saved the company thousands of dollars. Now he travels abroad regularly, to Japan and elsewhere.
He had a steady girlfriend for a time, but eventually she broke the relationship off to see other people. Heartbroken, he avoided dating for months. Instead, he filled his time with his ever-increasing corporate responsibilities.
His new interest is music. He plays electric guitar in an amateur band.
A few weeks after his sentencing, Electron had another psychotic episode, triggered by a dose of speed. He was admitted to hospital again, this time at Larundel. After a short stay, he was released and underwent further psychiatric care.
Some months later, he did speed again, and suffered another bout of psychosis. He kept reading medical papers on the Internet about his condition and his psychiatrists worried that his detailed research might interfere with their ability to treat him.
He moved into special accommodation for people recovering from mental instabilities. Slowly, he struggled to overcome his illness. When people came up to him and said things like, `What a nice day it is!' Electron willed himself to take their words at face value, to accept that they really were just commenting on the weather, nothing more. During this time, he quit drugs, alcohol and his much-hated accounting course. Eventually he was able to come off his psychiatric medicines completely. He hasn't taken drugs or had alcohol since December 1994. His only chemical vice in 1996 was cigarettes. By the beginning of 1997 he had also given up tobacco.
Electron hasn't talked to either Phoenix or Nom since 1992.
In early 1996, Electron moved into his own flat with his steady girlfriend, who studies dance and who also successfully overcame mental illness after a long, hard struggle. Electron began another university course in a philosophy-related field. This time university life agreed with him, and his first semester transcript showed honours grades in every class. He is considering moving to Sydney for further studies.
Electron worked off his 300 hours of community service by painting walls and doing minor handyman work at a local primary school. Among the small projects the school asked him to complete was the construction of a retaining wall. He designed and dug, measured and fortified. As he finished off the last of his court-ordered community service hours on the wall, he discovered that he was rather proud of his creation. Even now, once in a while, he drives past the school and looks at the wall.
It is still standing.
There are still hacking cases in Australia. About the same time as Mendax's case was being heard in Victoria, The Crawler pleaded guilty to 23 indictable offences and thirteen summary offences--all hacking related charges--in Brisbane District Court. On 20 December 1996, the 21-year-old Queenslander was given a three-year suspended prison sentence, ordered to pay $5000 in reparations to various organisations, and made to forfeit his modem and two computers. The first few waves of hackers may have come and gone, but hacking is far from dead. It is merely less visible.
Law enforcement agencies and the judiciaries of several countries have tried to send a message to the next generation of would-be hackers. The message is this: Don't hack.
But the next generation of elite hackers and phreakers have heard a very different message, a message which says: Don't get caught.
The principle of deterrence has not worked with hackers at this level. I'm not talking here about the codes-kids--the teeny-bopper, carding, wanna-be nappies who hang out on IRC (Internet relay chat). I'm talking about the elite hackers. If anything, law enforcement crackdowns have not only pushed them further underground, they have encouraged hackers to become more sophisticated than ever before in the way they protect themselves. Adversity is the mother of invention.
When police officers march through the front door of a hacker's home today, they may be better prepared than their predecessors, but they will also be facing bigger hurdles. Today, top hackers encrypt everything sensitive. The data on their hard drives, their live data connections, even their voice conversations.
So, if hackers are still hacking, who are their targets?
It is a broad field. Any type of network provider--X.25, cellular phone or large Internet provider. Computer vendors--the manufacturers of software and hardware, routers, gateways, firewalls or phone switches. Military institutions, governments and banks seem to be a little less fashionable these days, though there are still plenty of attacks on these sorts of sites.
Attacks on security experts are still common, but a new trend is the increase in attacks on other hackers' systems. One Australian hacker joked, `What are the other hackers going to do? Call the Feds? Tell the AFP, "Yes, officer, that's right, some computer criminal broke into my machine and stole 20000 passwords and all my exploitation code for bypassing firewalls".'
For the most part, elite hackers seem to work alone, because of the well-advertised risks of getting caught. There are still some underground hacking communities frequented by top hackers, most notably UPT in Canada and a few groups like the l0pht in the US, but such groups are far less common, and more fragmented than they used to be.
These hackers have reached a new level of sophistication, not just in the technical nature of their attacks, but in their strategies and objectives. Once, top hackers such as Electron and Phoenix were happy to get copies of Zardoz, which listed security holes found by industry experts. Now top hackers find those holes themselves--by reading line by line through the proprietary source code from places like DEC, HP, CISCO, Sun and Microsoft.
Industrial espionage does not seem to be on the agenda, at least with anyone I interviewed. I have yet to meet a hacker who has given proprietary source code to a vendor's competitor. I have, however, met a hacker who found one company's proprietary source code inside the computer of its competitor. Was that a legal copy of the source code? Who knows? The hacker didn't think so, but he kept his mouth shut about it, for obvious reasons.
Most of the time, these hackers want to keep their original bugs as quiet as possible, so vendors won't release patches.
The second popular target is source code development machines. The top hackers have a clear objective in this area: to install their own backdoors before the product is released. They call it `backdooring' a program or an operating system. The word `backdoor' is now used as both a noun and a verb in the underground. Hackers are very nervous discussing this subject, in part because they don't want to see a computer company's stock dive and people lose their jobs.
What kind of programs do these hackers want to backdoor? Targets mentioned include at least one major Internet browser, a popular game, an Internet packet filter and a database product used by law enforcement agencies.
A good backdoor is a very powerful device, creating a covert channel through even the most sturdy of firewalls into the heart of an otherwise secure network. In a net browser, a backdoor would in theory allow a hacker to connect directly into someone's home computer every time he or she wandered around the World Wide Web. However, don't expect hackers to invade your suburban home just yet. Most elite hackers couldn't care less about the average person's home computer.
Perhaps you are wondering who might be behind this sort of attack. What sort of person would do this? There are no easy answers to that question. Some hackers are good people, some are bad, just like any group of people. The next generation of elite hackers are a diverse bunch, and relaying their stories would take another book entirely. However, I would like to introduce you to just one, to give you a window into the future.
Meet SKiMo.
A European living outside Australia, SKiMo has been hacking for at least four years, although he probably only joined the ranks of world-class hackers in 1995 or 1996. Never busted. Young--between the age of 18 and 25--and male. From a less than picture-perfect family. Fluent in English as a second language. Left-leaning in his politics--heading toward environmentally green parties and anarchy rather than traditional labour parties. Smokes a little dope and drinks alcohol, but doesn't touch the hard stuff.
His musical tastes include early Pink Floyd, Sullen, Dog Eat Dog, Biohazard, old Ice-T, Therapy, Alanis Morissette, Rage Against the Machine, Fear Factory, Life of Agony and Napalm Death. He reads Stephen King, Stephen Hawking, Tom Clancy and Aldous Huxley. And any good books about physics, chemistry or mathematics.
Shy in person, he doesn't like organised team sports and is not very confident around girls. He has only had one serious girlfriend, but the relationship finished. Now that he hacks and codes about four to five hours per day on average, but sometimes up to 36 hours straight, he doesn't have time for girls.
`Besides,' he says, `I am rather picky when it comes to girls. Maybe if the girl shared the same interests ... but those ones are hard to find.' He adds, by way of further explanation, `Girls are different from hacking. You can't just brute force them if all else fails.'
SKiMo has never intentionally damaged a computer system, nor would he. Indeed, when I asked him, he was almost offended by the question. However, he has accidentally done damage on a few occasions. In at least one case, he returned to the system and fixed the problem himself.
Bored out of his mind for most of his school career, SKiMo spent a great deal of time reading books in class--openly. He wanted to send the teacher a message without actually jacking up in class.
He got into hacking after reading a magazine article about people who hacked answering machines and VMBs. At that time, he had no idea what a VMB was, but he learned fast. One Sunday evening, he sat down with his phone and began scanning. Soon he was into phreaking, and visiting English-speaking party lines. Somehow, he always felt more comfortable speaking in English, to native English-speakers, perhaps because he felt a little like an outsider in his own culture.
`I have always had the thought to leave my country as soon as I can,' he said.
From the phreaking, it was a short jump into hacking.
What made him want to hack or phreak in the first place? Maybe it was the desire to screw over the universally hated phone company, or `possibly the sheer lust for power' or then again, maybe he was simply answering his desire `to explore an intricate piece of technology'. Today, however, he is a little clearer on why he continues to hack. `My first and foremost motivation is to learn,' he said.
When asked why he doesn't visit his local university or library to satisfy that desire, he answered, `in books, you only learn theory. It is not that I dislike the theory but computer security in real life is much different from theory'. Libraries also have trouble keeping pace with the rate of technological change, SKiMo said. `Possibly, it is also just the satisfaction of knowing that what I learn is proprietary--is "inside knowledge",' he added. There could, he said, be some truth in the statement that he likes learning in an adrenalin-inducing environment.
Is he addicted to computers? SKiMo says no, but the indications are there. By his own estimate, he has hacked between 3000 and 10000 computers in total. His parents--who have no idea what their son was up to day and night on his computer--worry about his behaviour. They pulled the plug on his machine many times. In SKiMo's own words, `they tried everything to keep me away from it'.
Not surprisingly, they failed. SKiMo became a master at hiding his equipment so they couldn't sneak in and take it away. Finally, when he got sick of battling them over it and he was old enough, he put his foot down. `I basically told them, "Diz is ma fuckin' life and none o' yer business, Nemo"--but not in those words.'
SKiMo says he hasn't suffered from any mental illnesses or instabilities--except perhaps paranoia. But he says that paranoia is justified in his case. In two separate incidents in 1996, he believed he was being followed. Try as he might, he couldn't shake the tails for quite some time. Perhaps it was just a coincidence, but he can never really be sure.
He described one hacking attack to me to illustrate his current interests. He managed to get inside the internal network of a German mobile phone network provider, DeTeMobil (Deutsche Telekom). A former state-owned enterprise which was transformed into a publicly listed corporation in January 1995, Deutsche Telekom is the largest telecommunications company in Europe and ranks number three in the world as a network operator. It employs almost a quarter of a million people. By revenue, which totalled about $A37 billion in 1995, it is one of the five largest companies in Germany.
After carefully researching and probing a site, SKiMo unearthed a method of capturing the encryption keys generated for DeTeMobil's mobile phone conversations.
He explained: `The keys are not fixed, in the sense that they are generated once and then stored in some database. Rather, a key is generated for each phone conversation by the company's AUC [authentication centre], using the "Ki" and a random value generated by the AUC. The Ki is the secret key that is securely stored on the smart card [inside the cellphone], and a copy is also stored in the AUC. When the AUC "tells" the cellphone the key for that particular conversation, the information passes through the company's MSC [mobile switching centre].
`It is possible to eavesdrop on a certain cellphone if one actively monitors either the handovers or the connection set-up messages from the OMC [operations and maintenance centre] or if one knows the Ki in the smart card.
`Both options are entirely possible. The first option, which relies on knowing the A5 encryption key, requires the right equipment. The second option, using the Ki, means you have to know the A3/A8 algorithms as well or the Ki is useless. These algorithms can be obtained by hacking the switch manufacturer, i.e. Siemens, Alcatel, Motorola ...
`As a call is made from the target cellphone, you need to feed the A5 key into a cellphone which has been modified to let it eavesdrop on the channel used by the cellphone. Normally, this eavesdropping will only produce static--since the conversation is encrypted. However, with the keys and equipment, you can decode the conversation.'
This is one of the handover messages, logged with a CCITT7 link monitor, that he saw:
13:54:46"3 4Rx< SCCP 12-2-09-1 12-2-04-0 13 CR BSSM HOREQ BSSMAP GSM 08.08 Rev 3.9.2 (BSSM) HaNDover REQuest (HOREQ) -------0 Discrimination bit D BSSMAP 0000000- Filler 00101011 Message Length 43 00010000 Message Type 0x10 Channel Type 00001011 IE Name Channel type 00000011 IE Length 3 00000001 Speech/Data Indicator Speech 00001000 Channel Rate/Type Full rate TCH channel Bm 00000001 Speech Encoding Algorithm GSM speech algorithm Ver 1 Encryption Information 00001010 IE Name Encryption information 00001001 IE Length 9 00000010 Algorithm ID GSM user data encryption V. 1 ******** Encryption Key C9 7F 45 7E 29 8E 08 00 Classmark Information Type 2 00010010 IE Name Classmark information type 2 00000010 IE Length 2 -----001 RF power capability Class 2, portable ---00--- Encryption algorithm Algorithm A5 000----- Revision level -----000 Frequency capability Band number 0 ----1--- SM capability present -000---- Spare 0------- Extension Cell Identifier 00000101 IE Name Cell identifier 00000101 IE Length 5 00000001 Cell ID discriminator LAC/CI used to ident cell ******** LAC 4611 ******** CI 3000 PRIority 00000110 IE Name Priority 00000001 IE Length 1 -------0 Preemption allowed ind not allowed ------0- Queueing allowed ind not allowed --0011-- Priority level 3 00------ Spare Circuit Identity Code 00000001 IE Name Circuit identity code 00000000 PCM Multiplex a-h 0 ---11110 Timeslot in use 30 101----- PCM Multiplex i-k 5 Downlink DTX flag 00011001 IE Name Downlink DTX flag -------1 DTX in downlink direction disabled 0000000- Spare Cell Identifier 00000101 IE Name Cell identifier 00000101 IE Length 5 00000001 Cell ID discriminator LAC/CI used to ident cell ******** LAC 4868 ******** CI 3200
The beauty of a digital mobile phone, as opposed to the analogue mobile phones still used by some people in Australia, is that a conversation is reasonably secure from eavesdroppers. If I call you on my digital mobile, our conversation will be encrypted with the A5 encryption algorithm between the mobile phone and the exchange. The carrier has copies of the Kis and, in some countries, the government can access these copies. They are, however, closely guarded secrets.
SKiMo had access to the database of the encrypted Kis and access to some of the unencrypted Kis themselves. At the time, he never went to the trouble of gathering enough information about the A3 and A8 algorithms to decrypt the full database, though it would have been easy to do so. However, he has now obtained that information.
To SKiMo, access to the keys generated for each of thousands of German mobile phone conversations was simply a curiosity--and a trophy. He didn't have the expensive equipment required to eavesdrop. To an intelligence agency, however, access could be very valuable, particularly if some of those phones belonged to people such as politicians. Even more valuable would be ongoing access to the OMC, or better still, the MSC. SkiMo said he would not provide this to any intelligence agency.
While inside DeTeMobil, SKiMo also learned how to interpret some of the mapping and signal-strength data. The result? If one of the company's customers has his mobile turned on, SKiMo says he can pinpoint the customer's geographic location to within one kilometre. The customer doesn't even have to be talking on the mobile. All he has to do is have the phone turned on, waiting to receive calls.
SKiMo tracked one customer for an afternoon, as the man travelled across Germany, then called the customer up. It turned out they spoke the same European language.
`Why are you driving from Hamburg to Bremen with your phone on stand-by mode?' SKiMo asked.
The customer freaked out. How did this stranger at the end of the phone know where he had been travelling?
SKiMo said he was from Greenpeace. `Don't drive around so much. It creates pollution,' he told the bewildered mobile customer. Then he told the customer about the importance of conserving energy and how prolonged used of mobile phones affected certain parts of one's brain.
Originally, SKiMo broke into the mobile phone carriers' network because he wanted `to go completely cellular'--a transition which he hoped would make him both mobile and much harder to trace. Being able to eavesdrop on other people's calls-- including those of the police--was going to be a bonus.
However, as he pursued this project, he discovered that the code from a mobile phone manufacturer which he needed to study was `a multi-lingual project'. `I don't know whether you have ever seen a multi-lingual project,' SKiMo says, `where nobody defines a common language that all programmers must use for their comments and function names? They look horrible. They are no fun to read.' Part of this one was in Finnish.
SKiMo says he has hacked a number of major vendors and, in several cases, has had access to their products' source codes.
Has he had the access to install backdoors in primary source code for major vendors? Yes. Has he done it? He says no. On other hand, I asked him who he would tell if he did do it. `No-one,' he said, `because there is more risk if two people know than if one does.'
SKiMo is mostly a loner these days. He shares a limited amount of information about hacking exploits with two people, but the conversations are usually carefully worded or vague. He substitutes a different vendor's names for the real one, or he discusses technical computer security issues in an in-depth but theoretical manner, so he doesn't have to name any particular system.
He doesn't talk about anything to do with hacking on the telephone. Mostly, when he manages to capture a particularly juicy prize, he keeps news of his latest conquest to himself.
It wasn't always that way. `When I started hacking and phreaking, I had the need to learn very much and to establish contacts which I could ask for certain things--such as technical advice,' SKiMo said. `Now I find it much easier to get that info myself than asking anyone for it. I look at the source code, then experiment and discover new bugs myself.'
Asked if the ever-increasing complexity of computer technology hasn't forced hackers to work in groups of specialists instead of going solo, he said in some cases yes, but in most cases, no. `That is only true for people who don't want to learn everything.'
SKiMo can't see himself giving up hacking any time in the near future.
Who is on the other side these days?
In Australia, it is still the Australian Federal Police, although the agency has come a long way since the early days of the Computer Crimes Unit. When AFP officers burst in on Phoenix, Nom and Electron, they were like the Keystone Cops. The police were no match for the Australian hackers in the subsequent interviews. The hackers were so far out in front in technical knowledge it was laughable.
The AFP has been closing that gap with considerable alacrity. Under the guidance of officers like Ken Day, they now run a more technically skilled group of law enforcement officers. In 1995-96, the AFP had about 2800 employees, although some 800 of these worked in `community policing'--serving as the local police in places like the ACT and Norfolk Island. The AFP's annual expenditure was about $270 million in that year.
As an institution, the AFP has recently gone through a major reorganisation, designed to make it less of a command-and-control military structure and more of an innovative, service oriented organisation.
Some of these changes are cosmetic. AFP officers are now no longer called `constable' or `detective sergeant'--they are all just `federal agents'. The AFP now has a `vision' which is `to fight crime and win'.3 Its organisational chart had been transformed from a traditional, hierarchical pyramid of square boxes into a collection of little circles linked to bigger circles--all in a circle shape. No phallo-centric structures here. You can tell the politically correct management consultants have been visiting the AFP.
The AFP has, however, also changed in more substantive ways. There are now `teams' with different expertise, and AFP investigators can draw on them on an as-needed basis. In terms of increased efficiency, this fluidity is probably a good thing.
There are about five permanent officers in the Melbourne computer crimes area. Although the AFP doesn't release detailed budget breakdowns, my back-of-the-envelope analysis suggested that the AFP spends less than $1 million per year on the Melbourne computer crimes area in total. Sydney also has a Computer Crimes Unit.
Catching hackers and phreakers is only one part of the unit's job. Another important task is to provide technical computer expertise for other investigations.
Day still runs the show in Melbourne. He doesn't think or act like a street cop. He is a psychological player, and therefore well suited to his opponents. According to a reliable source outside the underground, he is also a clean cop, a competent officer, and `a nice guy'.
However, being the head of the Computer Crimes Unit for so many years makes Day an easy target in the underground. In particular, hackers often make fun of how seriously he seems to take both himself and his job. When Day appeared on the former ABC show `Attitude', sternly warning the audience off hacking, he told the viewers, `It's not a game. It's a criminal act'.
To hackers watching the show, this was a matter of opinion. Not long after the episode went to air, a few members of Neuro-cactus, an Australian group of hackers and phreakers which had its roots in Western Australia, decided to take the mickey out of Day. Two members, Pick and Minnow, clipped Day's now famous soundbite. Before long, Day appeared to be saying, `It's not a criminal act. It's a game'--to the musical theme of `The Bill'. The Neuro-cactus crowd quickly spread their lampoon across the underground via an illicit VMB connected to its own toll-free 008 number.
Although Day does perhaps take himself somewhat seriously, it can't be much fun for him to deal with this monkey business week in and week out. More than one hacker has told me with great excitement, `I know someone who is working on getting Day's home number'. The word is that a few members of the underground already have the information and have used it. Some people think it would be hilarious to call up Day at home and prank him. Frankly, I feel a bit sorry for the guy. You can bet the folks in traffic operations don't have to put up with this stuff.
But that doesn't mean I think these pranksters should be locked up either.
If we, as a society, choose not to lock hackers up, then what should we do with them?
Perhaps a better question is, do we really need to do anything with them?
One answer is to simply ignore look-see hacking. Society could decide that it makes more sense to use valuable police resources to catch dangerous criminals--forgers, embezzlers, white-collar swindlers, corporate spies and malicious hackers--than to chase look-see hackers.
The law must still maintain the capacity to punish hard where someone has strayed into what society deems serious crime. However, almost any serious crime committed by a hacker could be committed by a non-hacker and prosecuted under other legislation. Fraud, wilful damage and dealing in stolen property are crimes regardless of the medium--and should be punished appropriately.
Does it make sense to view most look-see hackers--and by that I mean hackers who do not do malicious damage or commit fraud--as criminals? Probably not. They are primarily just a nuisance and should be treated as such. This would not be difficult to do. The law-makers could simply declare look-see hacking to be a minor legal infringement. In the worst-case scenario, a repeat offender might have to do a little community service. But such community service needs to be managed properly. In one Australian case, a corrections officer assigned a hacker to dig ditches with a convicted rapist and murderer.
Many hackers have never had a job--in part because of the high youth unemployment in some areas--and so their community service might be their first `position'. The right community service placement must involve hackers using their computer skills to give something back to society, preferably in some sort of autonomous, creative project. A hacker's enthusiasm, curiosity and willingness to experiment can be directed toward a positive outcome if managed properly.
In cases where hacking or phreaking has been an addiction, the problem should be treated, not criminalised. Most importantly, these hackers should not have convictions recorded against them, particularly if they're young. As Paul Galbally said to the court at Mendax's sentencing, `All the accused are intelligent--but their intelligence outstretched their maturity'. Chances are, most will be able to overcome or outgrow their addiction.
In practice, most Australia's judges have been reasonably fair in their sentencing, certainly compared to judges overseas. None of the Australian hackers detailed in this work received a prison sentence. Part of this is due to happenstance, but part is also due to the sound judgments of people like Judge Lewis and Judge Kimm. It must be very tempting, sitting on the bench every day, to shoot from the hip interpreting new laws.
As I sat in court listening to each judge, it quickly became clear that these judges had done their homework. With psychologist Tim Watson-Munro on the stand, Judge Lewis rapidly zeroed in on the subject of `free will'--as applied to addiction--regarding Prime Suspect. In Trax's case, Judge Kimm asked pointed questions which he could only have formulated after serious study of the extensive legal brief. Their well-informed judgments suggested a deeper understanding both of hacking as a crime, and of the intent of the largely untested computer crime legislation.
However, a great deal of time and money has been wasted in the pursuit of look-see hackers, largely because this sort of hacking is treated as a major crime. Consider the following absurd situation created by Australia's federal computer criminal legislation.
A spy breaks into a computer at the Liberal Party's headquarters and reads the party's top-secret election strategy, which he may want to pass on to the Labor Party. He doesn't insert or delete any data in the process, or view any commercial information. The penalty under this legislation? A maximum of six months in prison.
That same spy decides he wants to get rich quick. Using the local telephone system, he hacks into a bank's computer with the intention of defrauding the financial institution. He doesn't view any commercial or personal information, or delete or insert any files. Yet the information he reviews--about the layout of a bank building, or how to set off its fire alarm or sprinkler system--proves vital in his plan to defraud the bank. His penalty: a maximum of two years prison.
Our spy now moves onto bigger and better things. He penetrates a Department of Defence computer with the intention of obtaining information about Australia's military strategies and passing it on to the Malaysians. Again, he doesn't delete or insert any data--he just reads every sensitive planning document he can find. Under the federal anti-hacking laws, the maximum penalty he would receive would also be two years prison.
Meanwhile, a look-see hacker breaks into a university computer without doing any damage. He doesn't delete any files. He FTPs a public-domain file from another system and quietly tucks it away in a hidden, unused corner of the university machine. Maybe he writes a message to someone else on-line. If caught, the law, as interpreted by the AFP and the DPP, says he faces up to ten years in prison. The reason? He has inserted or deleted data.
Although the spy hacker might also face other charges--such as treason--this exercise illustrates some of the problems with the current computer crime legislation.
The letter of the law says that our look-see hacker might face a prison term five times greater than the bank fraud criminal or the military spy, and twenty times greater than the anti-Liberal Party subversive, if he inserts or deletes any data. The law, as interpreted by the AFP, says that the look-see hacking described above should have the same maximum ten-year prison penalty as judicial corruption. It's a weird mental image--the corrupt judge and the look-see hacker sharing a prison cell.
Although the law-makers may not have fully understood the technological aspects of hacking when they introduced the computer crimes legislation, their intent seems clear. They were trying to differentiate between a malicious hacker and a look-see hacker, but they could have worded it better.
As it's worded, the legislation puts malicious, destructive hacking on a par with look-see hacking by saying that anyone who destroys, erases, alters or inserts data via a carrier faces a prison term, regardless of the person's intent. There is no gradation in the law between mere deletion of data and `aggravated deletion'--the maximum penalty is ten years for both. The AFP has taken advantage of this lack of distinction, and the result has been a steady stream of look-see hackers being charged with the most serious computer crime offences.
Parliament makes the laws. Government institutions such as the AFP, the DPP and the courts interpret and apply those laws. The AFP and to some extent the DPP have applied the strict letter of the law correctly in most of the hacking cases described in this book. They have, however, missed the intention of the law. Change the law and they may behave differently. Make look-see hacking a minor offence and the institutions will stop going after the soft targets and hopefully spend more time on the real criminals.
I have seen some of these hackers up close, studied them for two years and learned a bit about what makes them tick. In many ways, they are quintessentially Australian, always questioning authority and rebelling against `the establishment'. They're smart--in some cases very smart. A few might even be classified as technical geniuses. They're mischievous, but also very enterprising. They're rebels, public nuisances and dreamers.
Most of all, they know how to think outside the box.
This is not a flaw. Often, it is a very valuable trait--and one which pushes society forward into new frontiers. The question shouldn't be whether we want to crush it but how we should steer it in a different direction.
If you would like to comment on this book, please write to feedback@underground-book.com. All comments are passed onto Dreyfus & Assange.
Contents | Previous: Chapter 11 -- The Prisoner's Dilemma | Next: Underground -- Glossary and Abbreviations