As both hackers chatted amiably on-line one night, on a Melbourne University computer, Prime Suspect worked quietly in another screen to penetrate ns.nic.ddn.mil, a US Department of Defense system closely linked to NIC. He believed the sister system and NIC might `trust' each other—a trust he could exploit to get into NIC. And NIC did everything.
NIC assigned domain names—the `.com' or `.net' at the end of an email address—for the entire Internet. NIC also controlled the US military's own internal defence data network, known as MILNET.
NIC also published the communication protocol standards for all of the Internet. Called RFCs (Request for Comments), these technical specifications allowed one computer on the Internet to talk to another. The Defense Data Network Security Bulletins, the US Department of Defense's equivalent of CERT advisories, came from the NIC machine.
Perhaps most importantly, NIC controlled the reverse look-up service on the Internet. Whenever someone connects to another site across the Internet, he or she typically types in the site name—say, ariel.unimelb.edu.au at the University of Melbourne. The computer then translates the alphabetical name into a numerical address—the IP address—in this case 128.250.20.3. All the computers on the Internet need this IP address to relay the packets of data onto the final destination computer. NIC decided how Internet computers would translate the alphabetical name into an IP address, and vice versa.
If you controlled NIC, you had phenomenal power on the Internet. You could, for example, simply make Australia disappear. Or you could turn it into Brazil. By pointing all Internet addresses ending in `.au'—the designation for sites in Australia—to Brazil, you could cut Australia's part of the Internet off from the rest of the world and send all Australian Internet traffic to Brazil. In fact, by changing the delegation of all the domain names, you could virtually stop the flow of information between all the countries on the Internet.
The only way someone could circumvent this power was by typing in the full numerical IP address instead of a proper alphabetical address. But few people knew the up-to-twelve-digit IP equivalent of their alphabetical addresses, and fewer still actually used them.
Controlling NIC offered other benefits as well. Control NIC, and you owned a virtual pass-key into any computer on the Internet which `trusted' another. And most machines trust at least one other system.
Whenever one computer connects to another across the Net, both machines go through a special meet-and-greet process. The receiving computer looks over the first machine and asks itself a few questions. What's the name of the incoming machine? Is that name allowed to connect to me? In what ways am I programmed to `trust' that machine—to wave my normal security for connections from that system?
The receiving computer answers these questions based in large part on information provided by NIC. All of which means that, by controlling NIC, you could make any computer on the Net `pose' as a machine trusted by a computer you might want to hack. Security often depended on a computer's name, and NIC effectively controlled that name.
When Prime Suspect managed to get inside NIC's sister system, he told Mendax and gave him access to the computer. Each hacker then began his own attack on NIC. When Mendax finally got root on NIC, the power was intoxicating. Prime Suspect got root at the same time but using a different method. They were both in.
Inside NIC, Mendax began by inserting a backdoor—a method of getting back into the computer at a later date in case an admin repaired the security flaws the hackers had used to get into the machine. From now on, if he telnetted into the system's Data Defense Network (DDN) information server and typed `login 0' he would have instant, invisible root access to NIC.
That step completed, he looked around for interesting things to read. One file held what appeared to be a list of satellite and microwave dish coordinates—longitude, latitudes, transponder frequencies. Such coordinates might in theory allow someone to build a complete map of communications devices which were used to move the DOD's computer data around the world.
Mendax also penetrated MILNET's Security Coordination Center, which collected reports on every possible security incident on a MILNET computer. Those computers—largely TOPS-20s made by DEC—contained good automatic security programs. Any number of out-of-the-ordinary events would trigger an automatic security report. Someone logging into a machine for too long. A large number of failed login attempts, suggesting password guessing. Two people logging into the same account at the same time. Alarm bells would go off and the local computer would immediately send a security violation report to the MILNET security centre, where it would be added to the `hot list'.
Mendax flipped through page after page of MILNET's security reports on his screen. Most looked like nothing—MILNET users accidentally stumbling over a security tripwire—but one notice from a US military site in Germany stood out. It was not computer generated. This was from a real human being. The system admin reported that someone had been repeatedly trying to break into his or her machine, and had eventually managed to get in. The admin was trying, without much luck, to trace back the intruder's connection to its point of origin. Oddly, it appeared to originate in another MILNET system.
Riffling through other files, Mendax found mail confirming that the attack had indeed come from inside MILNET. His eyes grew wide as he read on. US military hackers had broken into MILNET systems, using them for target practice, and no-one had bothered to tell the system admin at the target site.
Mendax couldn't believe it. The US military was hacking its own computers. This discovery led to another, more disturbing, thought. If the US military was hacking its own computers for practice, what was it doing to other countries' computers?
As he quietly backed out of the system, wiping away his footprints as he tip-toed away, Mendax thought about what he had seen. He was deeply disturbed that any hacker would work for the US military.
Hackers, he thought, should be anarchists, not hawks.
In early October 1991, Mendax rang Trax and gave him the dial-up and account details for NMELH1.
Trax wasn't much of a hacker, but Mendax admired his phreaking talents. Trax was the father of phreaking in Australia and Trax's Toolbox, his guide to the art of phreaking, was legendary. Mendax thought Trax might find some interesting detailed information inside the NorTel network on how to control telephone switches.
Trax invented multi-frequency code phreaking. By sending special tones—generated by his computer program—down the phone line, he could control certain functions in the telephone exchange. Many hackers had learned how to make free phone calls by charging the cost to someone else or to calling cards, but Trax discovered how to make phone calls which weren't charged to anyone. The calls weren't just free; they were untraceable.
Trax wrote 48 pages on his discovery and called it The Australian Phreakers Manual Volumes 1-7. But as he added more and more to the manual, he became worried what would happen if he released it in the underground, so he decided he would only show it to the other two International Subversive hackers.
He went on to publish The Advanced Phreaker's Manual,2 a second edition of the manual, in The International Subversive, the underground magazine edited by Mendax:
An electronic magazine, The International Subversive had a simple editorial policy. You could only have a copy of the magazine if you wrote an `article'. The policy was a good way of protecting against nappies—sloppy or inexperienced hackers who might accidentally draw police attention. Nappies also tended to abuse good phreaking and hacking techniques, which might cause Telecom to close up security holes. The result was that IS had a circulation of just three people.
To a non-hacker, IS looked like gobbledygook—the phone book made more interesting reading. But to a member of the computer underground, IS was a treasure map. A good hacker could follow the trail of modem phone numbers and passwords, then use the directions in IS to disappear through secret entrances into the labyrinth of forbidden computer networks. Armed with the magazine, he could slither out of tight spots, outwit system admins and find the treasure secreted in each computer system.
For Prime Suspect and Mendax, who were increasingly paranoid about line traces from the university modems they used as launchpads, Trax's phreaking skills were a gift from heaven.
Trax made his great discovery by accident. He was using a phone sprinter, a simple computer program which automatically dialled a range of phone numbers looking for modems. If he turned the volume up on his modem when his computer dialled what seemed to be a dead or non-existent number, he sometimes heard a soft clicking noise after the disconnection message. The noise sounded like faint heartbeats.
Curious, he experimented with these strange numbers and soon discovered they were disconnected lines which had not yet been reassigned. He wondered how he could use these odd numbers. After reading a document Mendax had found in Britain and uploaded to The Devil's Playground, another BBS, Trax had an idea. The posting provided information about CCITT #5 signalling tones, CCITT being the international standard—the language spoken by telephone exchanges between countries.
When you make an international phone call from Australia to the US, the call passes from the local telephone exchange to an international gateway exchange within Australia. From there, it travels to an exchange in the US. The CCITT signalling tones were the special tones the two international gateway exchanges used to communicate with each other.
Telecom Australia adapted a later version of this standard, called R2, for use on its own domestic exchanges. Telecom called this new standard MFC, or multi-frequency code. When, say, Trax rang Mendax, his exchange asked Mendax's to `talk' to Mendax's phone by using these tones. Mendax's exchange `answered', perhaps saying Mendax's phone was busy or disconnected. The Telecom-adapted tones—pairs of audio frequencies—did not exist in normal telephone keypads and you couldn't make them simply by punching keys on your household telephone.
Trax wrote a program which allowed his Amstrad computer to generate the special tones and send them down the phone line. In an act many in the underground later considered to be a stroke of genius, he began to map out exactly what each tone did. It was a difficult task, since one tone could mean several different things at each stage of the `conversation' between two exchanges.
Passionate about his new calling, Trax went trashing in Telecom garbage bins, where he found an MFC register list—an invaluable piece of his puzzle. Using the list, along with pieces of overseas phreaking files and a great deal of painstaking hands-on effort, Trax slowly learned the language of the Australian telephone exchanges. Then he taught the language to his computer.
Trax tried calling one of the `heartbeat' phone numbers again. He began playing his special, computer-generated tones through an amplifier. In simple terms, he was able to fool other exchanges into thinking he was his local Telecom exchange. More accurately, Trax had made his exchange drop him into the outgoing signalling trunk that had been used to route to the disconnected phone number.
Trax could now call out—anywhere—as if he was calling from a point halfway between his own phone and the disconnected number. If he called a modem at Melbourne University, for instance, and the line was being traced, his home phone number would not show up on the trace records. No-one would be charged for the call because Trax's calls were ghosts in the phone system.
Trax continued to refine his ability to manipulate both the telephone and the exchange. He took his own telephone apart, piece by piece, countless times, fiddling with the parts until he understood exactly how it worked. Within months, he was able to do far more than just make free phone calls. He could, for instance, make a line trace think that he had come from a specific telephone number.
He and Mendax joked that if they called a `hot' site they would use
Trax's technique to send the line trace—and the bill—back to one
very special number. The one belonging to the AFP's Computer Crime
Unit in Melbourne.
All three IS hackers suspected the AFP was close on their heels. Roving through the Canberra-based computer system belonging to the man who essentially ran the Internet in Australia, Geoff Huston, they watched the combined efforts of police and the Australian Academic and Research Network (AARNET) to trace them.