Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
Authors: Kevin Mitnick, Steve Wozniak, William L. Simon
Tags: #BIO015000
Why the two of them had such an interest in me was still a mystery.
I had never met Shimmy, never interacted with him in any way except for the recent hacks into his system.
So why would the two of them be so interested in what I was doing?
I was right about one thing: Shimmy very quickly learned of our break-in. Because JSZ and I were both so focused on getting a copy of his files, we didn’t notice that he was running “tcpdump”—a network monitoring tool to capture all network traffic. We also didn’t notice that a program called “cron” was periodically emailing his system logs to Andrew Gross, Shimmy’s assistant. Gross realized the logs were getting smaller and tipped off Shimmy that something suspicious was going on. As soon as Shimmy looked through the logs, he realized he had been hacked.
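The tell that gave the break-in away was simple: cron mailed the system logs out on a schedule, and the recipient noticed they were getting smaller. Ordinary logs only grow until they are rotated, so a file that shrinks between two samples while remaining the same file is a strong sign of truncation or editing. The following Python is an added illustration of that check, not code from the book or from anyone it describes; the snapshot data at the bottom is constructed, and the file paths and inode numbers in it are invented placeholders.

```python
"""Flag log files that shrink between periodic snapshots (log-tampering signal).

Added example, not from the book. A shrink is reported only when the file is
the same inode as before: log rotation creates a new (smaller) file with a new
inode, which is expected and is not reported.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    path: str
    size: int   # bytes
    inode: int  # identity of the underlying file; changes when rotated


def snapshot_logs(paths):
    """Take a size/inode snapshot of each existing path (missing files skipped)."""
    out = []
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        out.append(Snapshot(p, st.st_size, st.st_ino))
    return out


def find_shrunken_logs(previous, current):
    """Return (path, old_size, new_size) for every log that is the same file
    as in the previous snapshot but has fewer bytes than before."""
    prev = {s.path: s for s in previous}
    alerts = []
    for cur in current:
        old = prev.get(cur.path)
        if old is None:
            continue                      # new log, nothing to compare against
        if cur.inode != old.inode:
            continue                      # rotated: a fresh file, not a truncation
        if cur.size < old.size:
            alerts.append((cur.path, old.size, cur.size))
    return alerts


def report(alerts):
    """Render alerts as the lines an administrator would want mailed to them."""
    return [f"ALERT {path}: shrank from {old} to {new} bytes (same inode)"
            for path, old, new in alerts]


# Constructed sample snapshots (placeholder paths and inode numbers):
# "run 1" is what the previous cron run saw, "run 2" is the current run.
RUN1 = [
    Snapshot("/var/log/messages", 40960, 1001),
    Snapshot("/var/log/wtmp", 8192, 1002),
    Snapshot("/var/log/auth.log", 12000, 1003),
]
RUN2 = [
    Snapshot("/var/log/messages", 30000, 1001),  # same file, fewer bytes: suspicious
    Snapshot("/var/log/wtmp", 200, 2002),        # new inode: rotated, expected
    Snapshot("/var/log/auth.log", 13000, 1003),  # grew normally
]

if __name__ == "__main__":
    for line in report(find_shrunken_logs(RUN1, RUN2)):
        print(line)
```

Run from cron, `snapshot_logs` would replace the constructed lists and the previous snapshot would be persisted between runs; the comparison logic is the same. The inode check is what keeps routine rotation from drowning the one signal that matters.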
It didn’t matter much. We had his files, and we would spend the days and weeks ahead carefully examining them.
Why would Shimmy be running a network monitoring tool to capture everything going through his server? Paranoia? Or was it a bait machine? Because he was so high-profile in the computer security world, he knew it was just a matter of time before someone would nail his butt with a clever new attack. I thought maybe it was a bait machine, left accessible so he could monitor all the incoming attacks and profile the methods being used. But in that case, why would he leave all his files on this machine, and even a network wiretapping tool called “bpf”—for Berkeley Packet Filter—that he had created for the United States Air Force, which could insert itself directly into an operating system without requiring a reboot?
Maybe he just underestimated his opponents and assumed no one would ever get in. It’s still a mystery.
Many people credit me with being the guy who developed the program that was used to hack into Shimmy’s servers using the IP spoofing attack. I’d be proud if I really had been the one who managed that rather astounding feat, and I’d be glad to take credit for it. But the credit’s not mine. Instead, that honor belongs to the wickedly clever JSZ, the guy who actually participated in developing the tool and used it for our Christmas Day break-in to Shimmy’s server.
I had enjoyed my time back in Denver for the holidays, especially because we were able to get into Shimmy’s system. But time was up: I needed to put that grand city behind me and push off for my next destination.
I was still elated about the success of the Shimmy hack. But I would live to regret it. Those few hours would eventually lead to my undoing. I had unleashed a hacker vigilante who would stop at nothing to get even with me.
Nvbx nte hyv bqgs pj gaabv jmjmwdi whd hyv UVT’g
Giuxdoc Gctcwd Hvyqbuvz hycoij?
Imagine yourself in a strange city where you have no close, trusted friends. You avoid the other people in your apartment building because your photo has been prominently displayed in supermarket tabloids, and in weekly newsmagazines. You’re being hunted by the FBI, the U.S. Marshals, and the Secret Service, so you’re afraid of getting too friendly with anyone. And your biggest form of entertainment is the very thing you’re being hunted for.
Although I hadn’t counted on needing to leave Seattle in a hurry, I had been giving some thought to where I would go next if I ever had to pull up stakes. I had considered Austin because it was known for its technology. And Manhattan because it was… well, Manhattan. But just as I had done when I chose Denver, I again relied on Money magazine’s annual assessment of the Ten Best Cities in America. That year, Raleigh, North Carolina, was listed as number one. The description sounded tempting: the people were supposed to be pleasant and laid-back, the surrounding area rural, with mountains in the distance.
Flying had always stressed me out, so once again I had decided to take the train. And it would be cool to see what the rest of the country looked like. After my Christmas stopover in Denver and the raid on Shimmy’s servers I boarded another Amtrak on New Year’s Eve for the three-day trip to Raleigh, as Michael Stanfill. The sleeper car was more expensive than flying, but what an eye-opening experience it turned out to be, watching the American landscape roll past.
The people I met on the train gave me a perfect opportunity to practice my cover story, providing details of my life and background as Stanfill. By the time I arrived in North Carolina, I had to have my identity down pat.
The train pulled into the Raleigh station after dark. I had heard so much about the South, how its culture and people were different, how it moved at a slower pace. Maybe its reputation was a remnant of the South of a long time ago. I was curious to find out for myself.
That evening I walked around the northern section of Raleigh, getting a feeling for the city. I had imagined the South would have a warm and cozy climate; instead it felt as cold as Denver. The winter temperatures in Raleigh, I would discover, were about the same as those in the Mile-High City.
But as I walked around, getting a sense of the place, I spotted a restaurant familiar to me, one of the Boston Market chain. Not exactly Southern, but I went in for dinner anyway.
My waitress was a cute twentysomething girl with long, dark hair, a heartwarming smile, and one of those luscious Southern drawls I hadn’t known really existed anymore. She greeted me with a friendly, “Hi, how’re you?”
Reading her name tag, I said, “Hey, Cheryl, I’m doing great. I just arrived in town—my first time in North Carolina.” After she took my order, I said, “I’m going to be looking for an apartment. Maybe you can tell me a good part of town to settle in.” She smiled and said she’d be right back.
When she served my food, she and a couple of the other waitresses sat down to talk with me while I ate. I couldn’t imagine that happening in Los Angeles. Or Seattle. Or even in outgoing Denver. The ladies told me, “We just want to keep you company.” I was blown away by my first taste of Southern hospitality, friendliness sweeter than anything I had ever encountered. The girls talked up life in Raleigh. They told me about the different areas of town, where to live, what to do. It was tobacco-growing country still, but had also gone high-tech with the technology companies of nearby Research Triangle Park. They were boosters for their city, and for some reason I interpreted that as a good sign that this was where I needed to be.
Only a week after my arrival, I found a lovely apartment in northwestern Raleigh, in an elaborate complex called “The Lakes,” a suitable name since its eighty-plus acres included shorelines on two separate lakes. The place featured not just an Olympic-sized pool, tennis courts, and racquetball courts but two volleyball courts: the management had trucked in loads of sand to create a beachlike setting. The Lakes also featured parties every weekend for all the residents, described to me as lively, noisy affairs crowded with lots of smiling Southern beauties. My apartment was small, but who cared? I felt as if I were living a dream.
I stopped by U-Save Auto Rental, a one-man operation, the kind of place where the owner takes a hard look at the people who come in, as if he were thinking that they might not be planning on bringing his car back. He cast a doubtful expression at me, too, but I responded with friendly, unhurried chat, and he warmed up.
“I’ve just been through a hideous divorce,” I told him. “I came to Raleigh because it’s a long way from Vegas, you know what I mean?” This was my attempt to explain why I would be paying in cash. As part of the act, I handed him my business card for the company I had supposedly worked for in Vegas—the same phony company I’d created to get the law firm job in Denver.
By the time I was ready to climb into my temporary rattletrap, he let me drive away without even checking my references.
I kept thinking about the last remaining step of the Motorola hack: getting hold of a compiler that would translate the source code into a form the cell-phone chip could understand. Having the compiler would allow me to make changes to the source code and compile a new version of the firmware that would shrink my visibility—for example, letting me toggle on and off how my cell phone communicated with the mobile provider to disable tracking, and adding functions that would make it easy to change the ESN from the cell phone’s keypad, so I could easily clone my phone to any other subscriber’s number.
Once I was back in the saddle for this effort, a little research showed me that Motorola used a compiler from a company called Intermetrics, which quickly made it to the top of my list of hacking targets. I identified a computer called “blackhole.inmet.com” that was on Intermetrics’ internal network, directly accessible from the Internet.
When I realized that the company’s systems were patched against all the latest security vulnerabilities, I quickly changed tactics. Conveniently, “blackhole” turned out to be vulnerable to the same IP spoofing attack that JSZ and I had used against Shimmy.
When I got into the system, I saw that two system administrators were logged in and apparently busy at work. Rather than risk being discovered in case one of them checked the currently established network connections, I looked for alternate ways to access the company remotely that would not be easily detected. Maybe I could find a dial-up number and connect over my modem.
In the files of one of the system administrators, Annie Oryell, I found a file with a promising name: “modem.” Yes! The file held the text of an email she had sent to other employees, informing them of the dial-up numbers. It read, in part:
We currently have two dial-in hunt groups. The 661-1940 group consists of 8 9600bps Telebit modems which connect directly into the Annex terminal server. The 661-4611 hunt group has 8 2400bps Zoom modems which currently connect to the terminal server.
Bingo: “661-1940” and “661-4611” were the dial-in numbers I was looking for. I changed the password on what appeared to be a few dormant accounts on the Annex terminal server and dialed in to avoid the risk of being detected on any of the Internet-facing systems.
System administrator Oryell appeared to use the host blackhole as her personal workstation. I figured she would eventually want root privileges to perform an administrative task and would use the Unix switch user command, “su,” so I set up a way of capturing the root password when she did. (For the technical reader: using the source code I had obtained from Sun Microsystems, I added some additional code to the “su” program and recompiled it so when she su’ed to root, it would secretly log her password to a file hidden on her workstation.)
It worked just as I had expected. The root password was “OMGna!” Oh my God—no dictionary words, and with the exclamation mark thrown in to make guessing it that much more difficult.
The same root password worked on every other server I tried it on.
Having that password was like having the keys to the kingdom, at least for Intermetrics’ internal network.
At this point, I logged in to “inmet.com,” which was the company’s domain used for receiving email from the outside world. I downloaded a copy of the master password file (which also contained the password hashes) so I could attempt to crack all the passwords offline.
Now I was in position to search emails looking for people who had been in contact with Motorola. My first lead was an email to an Intermetrics engineer named Marty Stolz, who had received a message from someone at Motorola explaining a problem they were having with the compiler. I hacked into Stolz’s workstation and examined his “shell history,” which showed a list of commands he had previously typed. He had run a particular program, a “shell script” called “makeprod,” which he had used to build compiler products that the company developed. In this case, I wanted the 68HC11 compiler so I could compile the Motorola source code for the MicroTAC Ultra Lite.
The engineer who wrote the script had also included detailed comments in his source code that led me to the location where the software developers kept the production releases of the Motorola chip compiler for various operating system platforms.
Along the way, I found that Intermetrics was producing this compiler in versions for several different OS platforms, including Apollo, SunOS, VMS, and Unix. Yet when I examined the server where all these compiler versions were supposed to be, not one of them was there. I spent hours searching other file servers and developer workstations, but the compilers weren’t there, either—not the source code, nor the binaries. Strange.
I checked the “aliases” file, which listed where incoming emails for particular individuals and workgroups were to be forwarded. By examining that file, I was able to identify which employees were associated with which departments, and found the name of a company employee in Washington, David Burton.
Time for a little social engineering. I called Marty Stolz, introduced myself with David’s name, and said, “I have a major customer demo tomorrow morning, and I can’t find the compiler for the 68HC11 on the server that stores product releases. I’ve got an old version, but I need the latest version.”
He asked me a few questions—what department I was in, my location, the name of my manager, and so on. Then he said, “Listen, I’m going to tell you something, but you have to keep it a secret.”
What could he be talking about?
“I won’t tell anybody,”