Electron had moved onto bigger and better things than school. He quickly became a regular user of underground BBSes and began hacking. He was enthralled by an article he discovered describing how several hackers claimed to have moved a satellite around in space simply by hacking computers. From that moment on, Electron decided he wanted to hack—to find out if the article was true.
Before he graduated from school in 1987, Electron had hacked NASA, an achievement which saw him dancing around the dining room table in the middle of the night chanting, `I got into NASA! I got into NASA!' He hadn't moved any satellites, but getting into the space agency was as thrilling as flying to the moon.
By 1989, he had been hacking regularly for years, much to the chagrin of his sister, who claimed her social life suffered because the family's sole phone line was always tied up by the modem.
For Phoenix, Electron was a partner in hacking, and to a lesser degree a mentor. Electron had a lot to offer, by that time even more than The Realm.
`Cactus, Cad, Cadaver, Caddis, Cadence, Cadet, Caesura. What the fuck is a Caesura?' Phoenix kept ploughing through the Cs.
`Dunno. Kill that,' Electron answered, distracted.
`Caesura. Well, fuck. I know I'd wanna use that as a password.'
Phoenix laughed. `What the hell kind of word is Caduceus?'
`A dead one. Kill all those. Who makes up these dictionaries?'
Electron said.
`Yeah.'
`Caisson, Calabash. Kill those. Kill, kill, kill,' Electron said gleefully.
`Hang on. How come I don't have Calabash in my list?' Phoenix feigned indignation.
Electron laughed.
`Hey,' Phoenix said, `we should put in words like "Qwerty" and
"ABCDEF" and "ASDFGH".'
`Did that already.' Electron had already put together a list of other common passwords, such as the `words' made when a user typed the six letters in the first alphabet row on a keyboard.
Phoenix started on the list again. `OK the COs. Commend, Comment, Commerce, Commercial, Commercialism, Commercially. Kill those last three.'
`Huh? Why kill Commercial?'
`Let's just kill all the words with more than eight characters,'
Phoenix said.
`No. That's not a good idea.'
`How come? The computer's only going to read the first eight characters and encrypt those. So we should kill all the rest.'
Sometimes Phoenix just didn't get it. But Electron didn't rub it in. He kept it low-key, so as not to bruise Phoenix's ego. Often Electron sensed Phoenix sought approval from the older hacker, but it was a subtle, perhaps even unconscious search.
`Nah,' Electron began, `See, someone might use the whole word, Commerce or Commercial. The first eight letters of these words are not the same. The eighth character in Commerce is "e", but in Commercial it's "i".'
There was a short silence.
`Yeah,' Electron went on, `but you could kill all the words like Commercially, and Commercialism, that come after Commercial. See?'
`Yeah. OK. I see,' Phoenix said.
`But don't just kill every word longer than eight characters,'
Electron added.
`Hmm. OK. Yeah, all right.' Phoenix seemed a bit out of sorts. `Hey,' he brightened a bit, `it's been a whole ten minutes since my machine crashed.'
`Yeah?' Electron tried to sound interested.
`Yeah. You know,' Phoenix changed the subject to his favourite topic, `what we really need is Deszip. Gotta get that.' Deszip was a computer program which could be used for password cracking.
`And Zardoz. We need Zardoz,' Electron added. Zardoz was a restricted electronic publication detailing computer security holes.
`Yeah. Gotta try to get into Spaf's machine. Spaf'll have it for sure.' Eugene Spafford, Associate Professor of Computer Science at Purdue University in the US, was one of the best known computer security experts on the Internet in 1990.
`Yeah.'
And so began their hunt for the holy grail.
Deszip and Zardoz glittered side by side as the most coveted prizes in the world of the international Unix hacker.
Cracking passwords took time and computer resources. Even a moderately powerful university machine would grunt and groan under the weight of the calculations if it was asked to do. But the Deszip program could change that, lifting the load until it was, by comparison, feather-light. It worked at breathtaking speed and a hacker using Deszip could crack encrypted passwords up to 25 times faster.
Zardoz, a worldwide security mailing list, was also precious, but for a different reason. Although the mailing list's formal name was Security Digest, everyone in the underground simply called it Zardoz, after the computer from which the mailouts originated. Zardoz also happened to be the name of a science fiction cult film starring Sean Connery. Run by Neil Gorsuch, the Zardoz mailing list contained articles, or postings, from various members of the computer security industry. The postings discussed newly discovered bugs—problems with a computer system which could be exploited to break into or gain root access on a machine. The beauty of the bugs outlined in Zardoz was that they worked on any computer system using the programs or operating systems it described. Any university, any military system, any research institute which ran the software documented in Zardoz was vulnerable. Zardoz was a giant key ring, full of pass keys made to fit virtually every lock.
True, system administrators who read a particular Zardoz posting might take steps to close up that security hole. But as the hacking community knew well, it was a long time between a Zardoz posting and a shortage of systems with that hole. Often a bug worked on many computers for months—sometimes years—after being announced on Zardoz.
Why? Many admins had never heard of the bug when it was first announced. Zardoz was an exclusive club, and most admins simply weren't members. You couldn't just walk in off the street and sign up for Zardoz. You had to be vetted by peers in the computer security industry. You had to administer a legitimate computer system, preferably with a large institution such as a university or a research body such as CSIRO. Figuratively speaking, the established members of the Zardoz mailing list peered down their noses at you and determined if you were worthy of inclusion in Club Zardoz. Only they decided if you were trustworthy enough to share in the great security secrets of the world's computer systems.
In 1989, the white hats, as hackers called the professional security gurus, were highly paranoid about Zardoz getting into the wrong hands. So much so, in fact, that many postings to Zardoz were fine examples of the art of obliqueness. A computer security expert would hint at a new bug in his posting without actually coming out and explaining it in what is commonly referred to as a `cookbook' explanation.
This led to a raging debate within the comp-sec industry. In one corner, the cookbook purists said that bulletins such as Zardoz were only going to be helpful if people were frank with each other. They wanted people posting to Zardoz to provide detailed, step-by-step explanations on how to exploit a particular security hole. Hackers would always find out about bugs one way or another and the best way to keep them out of your system was to secure it properly in the first place. They wanted full disclosure.
In the other corner, the hard-line, command-and-control computer security types argued that posting an announcement to Zardoz posed the gravest of security risks. What if Zardoz fell into the wrong hands? Why, any sixteen-year-old hacker would have step-by-step directions showing how to break into thousands of individual computers! If you had to reveal a security flaw—and the jury was still out in their minds as to whether that was such a good idea—it should be done only in the most oblique terms.
What the hard-liners failed to understand was that world-class hackers like Electron could read the most oblique, carefully crafted Zardoz postings and, within a matter of days if not hours, work out exactly how to exploit the security hole hinted at in the text. After which they could just as easily have written a cookbook version of the security bug.
Most good hackers had come across one or two issues of Zardoz in their travels, often while rummaging though the system administrator's mail on a prestigious institution's computer. But no-one from the elite of the Altos underground had a full archive of all the back issues. The hacker who possessed that would have details of every major security hole discovered by the world's best computer security minds since at least 1988.
Like Zardoz, Deszip was well guarded. It was written by computer security expert Dr Matthew Bishop, who worked at NASA's Research Institute for Advanced Computer Science before taking up a teaching position at Dartmouth, an Ivy League college in New Hampshire. The United States government deemed Deszip's very fast encryption algorithms to be so important, they were classified as armaments. It was illegal to export them from the US.
Of course, few hackers in 1990 had the sophistication to use weapons such as Zardoz and Deszip properly. Indeed, few even knew they existed. But Electron and Phoenix knew, along with a tiny handful of others, including Pad and Gandalf from Britain. Congregating on Altos in Germany, they worked with a select group of others carefully targeting sites likely to contain parts of their holy grail. They were methodical and highly strategic, piecing information together with exquisite, almost forensic, skill. While the common rabble of other hackers were thumping their heads against walls in brute-force attacks on random machines, these hackers spent their time hunting for strategic pressure points—the Achilles' heels of the computer security community.
They had developed an informal hit list of machines, most of which belonged to high-level computer security gurus. Finding one or two early issues of Zardoz, Electron had combed through their postings looking not just on the surface—for the security bugs—but also paying careful attention to the names and addresses of the people writing articles. Authors who appeared frequently in Zardoz, or had something intelligent to say, went on the hit list. It was those people who were most likely to keep copies of Deszip or an archive of Zardoz on their machines.
