
Underground

Suelette Dreyfus




On 16 October the news came. The Appeals Court had sided with NASA.

Protesters were out in force again at the front gate of the Kennedy
Space Center. At least eight of them were arrested. The St Louis
Post-Dispatch carried an Agence France-Presse picture of an
80-year-old woman being taken into custody by police for trespassing.
Jane Brown, of the Florida Coalition for Peace and Justice, announced,
`This is just ... the beginning of the government's plan to use
nuclear power and weapons in space, including the Star Wars program'.

Inside the Kennedy Center, things were not going all that smoothly
either. Late Monday, NASA's technical experts discovered yet another
problem. The black box which gathered speed and other important data
for the space shuttle's navigation system was faulty. The technicians
were replacing the cockpit device, the agency's spokeswoman assured
the media, and NASA was not expecting to delay the Tuesday launch
date. The countdown would continue uninterrupted. NASA had everything
under control.

Everything except the weather.

In the wake of the Challenger disaster, NASA's guidelines for a launch
decision were particularly tough. Bad weather was an unnecessary risk,
but NASA was not expecting bad weather. Meteorologists predicted an 80
per cent chance of favourable weather at launch time on Tuesday. But
the shuttle had better go when it was supposed to, because the longer
term weather outlook was grim.

By Tuesday morning, Galileo's keepers were holding their breath. The
countdown for the shuttle launch was ticking toward 12.57 p.m. The
anti-nuclear protesters seemed to have gone quiet. Things looked
hopeful. Galileo might finally go.

Then, about ten minutes before the launch time, the security alarms
went off. Someone had broken into the compound. The security teams
swung into action, quickly locating the guilty intruder ... a feral
pig.

With the pig safely removed, the countdown rolled on. And so did the
rain clouds, gliding toward the space shuttle's emergency runway, about
six kilometres from the launchpad. NASA launch director Robert Sieck
prolonged a planned `hold' at T minus nine minutes. Atlantis had a
26-minute window of opportunity. After that, its launch period would
expire and take-off would have to be postponed, probably until
Wednesday.

The weather wasn't going to budge.

At 1.18 p.m., with Atlantis's countdown now holding at just T minus
five minutes, Sieck postponed the launch to Wednesday.


Back at the SPAN centre, things were becoming hectic. The worm was
spreading through more and more systems and the phones were beginning
to ring every few minutes. NASA computers were getting hit all over
the place.

The SPAN project staff needed more arms. They were simultaneously
trying to calm callers and concentrate on developing an analysis of
the alien program. Was the thing a practical joke or a time bomb just
waiting to go off? Who was behind this?

NASA was working in an information void when it came to WANK. Some
staff knew of the protesters' action down at the Space Center, but
nothing could have prepared them for this. NASA officials were
confident enough about a link between the protests against Galileo and
the attack on NASA's computers to speculate publicly that the two were
related. It seemed a reasonable likelihood, but there were still
plenty of unanswered questions.

Callers coming into the SPAN office were worried. People at the other
end of the phone were scared. Many of the calls came from network
managers who took care of a piece of SPAN at a specific NASA site, such
as the Marshall Space Flight Center. Some were panicking; others spoke
in a sort of monotone, flattened by a morning of calls from 25 different
hysterical system administrators. A manager could lose his job over
something like this.

Most of the callers to the SPAN head office were starved for
information. How did this rogue worm get into their computers? Was it
malicious? Would it destroy all the scientific data it came into contact
with? What could be done to kill it?

NASA stored a great deal of valuable information on its SPAN
computers. None of it was supposed to be classified, but the data on
those computers is extremely valuable. Millions of man-hours go into
gathering and analysing it. So the crisis team which had formed in the
NASA SPAN project office was alarmed when reports of massive data
destruction started coming in. People were phoning to say that the
worm was erasing files.

It was every computer manager's worst nightmare, and it looked as
though the crisis team's darkest fears were about to be confirmed.

Yet the worm was behaving inconsistently. On some computers it would
only send anonymous messages, some of them funny, some bizarre and a
few quite rude or obscene. No sooner would a user login than a message
would flash across his or her screen:

Remember, even if you win the rat race--you're
still a rat.

Or perhaps they were graced with some bad humour:

Nothing is faster than the speed of light...

To prove this to yourself, try opening the refrigerator door before
the light comes on.

Other users were treated to anti-authoritarian observations of the
paranoid:

The FBI is watching YOU.

or

Vote anarchist.

But the worm did not appear to be erasing files on these systems.
Perhaps the seemingly random file-erasing trick was a portent of
things to come--just a small taste of what might happen at a
particular time, such as midnight. Perhaps an unusual keystroke by an
unwitting computer user on those systems which seemed only mildly
affected could trigger something in the worm. One keystroke might
begin an irreversible chain of commands to erase everything on that
system.

The NASA SPAN computer team were in a race with the worm. Each minute
they spent trying to figure out what it did, the worm was pushing
forward, ever deeper into NASA's computer network. Every hour NASA
spent developing a cure, the worm spent searching, probing, breaking
and entering. A day's delay in getting the cure out to all the systems
could mean dozens of new worm invasions doing God knows what in
vulnerable computers. The SPAN team had to dissect this thing
completely, and they had to do it fast.

Some computer network managers were badly shaken. The SPAN office
received a call from NASA's Jet Propulsion Laboratories in California,
an important NASA centre with 6500 employees and close ties to
California Institute of Technology (Caltech).

JPL was pulling itself off the network.

This worm was too much of a risk. The only safe option was to isolate
their computers. There would be no SPAN DEC-based communications with
the rest of NASA until the crisis was under control. This made things
harder for the SPAN team; getting a worm exterminating program out to
JPL, like other sites which had cut their connection to SPAN, was
going to be that much tougher. Everything had to be done over the
phone.

Worse, JPL was one of five routing centres for NASA's SPAN computer
network. It was like the centre of a wheel, with a dozen spokes
branching off--each leading to another SPAN site. All these places,
known as tailsites, depended on the lab site for their connections
into SPAN. When JPL pulled itself off the network, the tailsites went
down too.

It was a serious problem for the people in the SPAN office back in
Virginia. To Ron Tencati, head of security for NASA SPAN, taking a
routing centre off-line was a major issue. But his hands were tied.
The SPAN office exercised central authority over the wide area
network, but it couldn't dictate how individual field centres dealt
with the worm. That was each centre's own decision. The SPAN team
could only give them advice and rush to develop a way to poison the
worm.

The SPAN office called John McMahon again, this time with a more
urgent request. Would he come over to help handle the crisis?

The SPAN centre was only 800 metres away from McMahon's office. His
boss, Jerome Bennett, the DECNET protocol manager, gave the nod.
McMahon would be on loan until the crisis was under control.

When he got to Building 26, home of the NASA SPAN project office,
McMahon became part of a core NASA crisis team including Todd Butler,
Ron Tencati and Pat Sisson. Other key NASA people jumped in when
needed, such as Dave Peters and Dave Stern. Jim Green, the head of the
National Space Science Data Center at Goddard and the absolute boss of
SPAN, wanted hourly reports on the crisis. At first the core team
seemed only to include NASA people and to be largely based at Goddard.
But as the day wore on, new people from other parts of the US
government would join the team.

The worm had spread outside NASA.

It had also attacked the US Department of Energy's worldwide
High-Energy Physics' Network of computers. Known as HEPNET, it was
another piece of the overall SPAN network, along with Euro-HEPNET and
Euro-SPAN. The NASA and DOE computer networks of DEC computers
crisscrossed at a number of places. A research laboratory might, for
example, need to have access to computers from both HEPNET and NASA
SPAN. For convenience, the lab might just connect the two networks.
The effect as far as the worm was concerned was that NASA's SPAN and
DOE's HEPNET were in fact just one giant computer network, all of
which the worm could invade.

The Department of Energy keeps classified information on its
computers. Very classified information. There are two groups in DOE:
the people who do research on civilian energy projects and the people
who make atomic bombs. So DOE takes security seriously, as in `threat
to national security' seriously. Although HEPNET wasn't meant to be
carrying any classified information across its wires, DOE responded
with military efficiency when its computer managers discovered the
invader. They grabbed the one guy who knew a lot about computer
security on VMS systems and put him on the case: Kevin Oberman.

Like McMahon, Oberman wasn't formally part of the computer security
staff. He had simply become interested in computer security and was
known in-house as someone who knew about VMS systems and security.
Officially, his job was network manager for the engineering department
at the DOE-financed Lawrence Livermore National Laboratory, or LLNL,
near San Francisco.

LLNL conducted mostly military research, much of it for the Strategic
Defense Initiative. Many LLNL scientists spent their days designing
nuclear arms and developing beam weapons for the Star Wars program.[9]
DOE already had a computer security group, known as CIAC, the Computer
Incident Advisory Capability. But the CIAC team tended to be experts
in security issues surrounding Unix rather than VMS-based computer
systems and networks. `Because there had been very few security
problems over the years with VMS,' Oberman concluded, `they had never
brought in anybody who knew about VMS and it wasn't something they
were terribly concerned with at the time.'

The worm shattered that peaceful confidence in VMS computers. Even as
the WANK worm coursed through NASA, it was launching an aggressive
attack on DOE's Fermi National Accelerator Laboratory, near Chicago. It
had broken into a number of computer systems there and the Fermilab
people were not happy. They called in CIAC, who contacted Oberman with
an early morning phone call on 16 October. They wanted him to analyse
the WANK worm. They wanted to know how dangerous it was. Most of all,
they wanted to know what to do about it.

The DOE people traced their first contact with the worm back to 14
October. Further, they hypothesised, the worm had actually been
launched the day before, on Friday the 13th. Such an inauspicious day
would, in Oberman's opinion, have been in keeping with the type of
humour exhibited by the creator or creators of the worm.

Oberman began his own analysis of the worm, oblivious to the fact that
3200 kilometres away, on the other side of the continent, his colleague
and acquaintance John McMahon was doing exactly the same thing.

Every time McMahon answered a phone call from an irate NASA system or
network manager, he tried to get a copy of the worm from the infected
machine. He also asked for the logs from their computer systems. Which
computer had the worm come from? Which systems was it attacking from
the infected site? In theory, the logs would allow the NASA team to
map the worm's trail. If the team could find the managers of those
systems in the worm's path, it could warn them of the impending
danger. It could also alert the people who ran recently infected
systems which had become launchpads for new worm attacks.

This wasn't always possible. If the worm had taken over a computer and
was still running on it, then the manager would only be able to trace
the worm backward, not forward. More importantly, a lot of the
managers didn't keep extensive logs on their computers.

McMahon had always felt it was important to gather lots of information
about who was connecting to a computer. In his previous job, he had
modified his machines so they collected as much security information
as possible about their connections to other computers.

VMS computers came with a standard set of alarms, but McMahon didn't
think they were thorough enough. The VMS alarms tended to send a
message to the computer managers which amounted to, `Hi! You just got
a network connection from here'. The modified alarm system said, `Hi!
You just got a network connection from here. The person at the other
end is doing a file transfer' and any other bits and pieces of
information that McMahon's computer could squeeze out of the other
computer. Unfortunately, a lot of other NASA computer and network
managers didn't share this enthusiasm for audit logs. Many did not
keep extensive records of who had been accessing their machines and
when, which made the job of chasing the worm much tougher.

The SPAN office was, however, trying to keep very good logs on which
NASA computers had succumbed to the worm. Every time a NASA manager
called to report a worm disturbance, one of the team members wrote
down the details with paper and pen. The list, outlining the addresses
of the affected computers and detailed notations of the degree of
infection, would also be recorded on a computer. But handwritten lists
were a good safeguard. The worm couldn't delete sheets of paper.

When McMahon learned DOE was also under attack, he began checking in
with them every three hours or so. The two groups swapped lists of
infected computers by telephone because voice, like the handwritten
word, was a worm-free medium. `It was a kind of archaic system, but on
the other hand we didn't have to depend on the network being up,'
McMahon said. `We needed to have some chain of communications which
was not the same as the network being attacked.'

A number of the NASA SPAN team members had developed contacts within
different parts of DEC through the company's users' society, DECUS.
These contacts were to prove very helpful. It was easy to get lost in
the bureaucracy of DEC, which employed more than 125000 people, posted
a billion-dollar profit and declared revenues in excess of $12 billion
in 1989.[10] Such an enormous and prestigious company would not want
to face a crisis such as the WANK worm, particularly in such a
publicly visible organisation as NASA. Whether or not the worm's
successful expedition could be blamed on DEC's software was a moot
point. Such a crisis was, well, undesirable. It just didn't look good.
And it mightn't look so good either if DEC just jumped into the fray.
It might look like the company was in some way at fault.

Things were different, however, if someone already had a relationship
with a technical expert inside the company. It wasn't like a NASA
manager cold-calling a DEC guy who sold a million dollars' worth of
machines to someone else in the agency six months ago. It was the NASA
guy calling the DEC guy he sat next to at the conference last month.
It was a colleague the NASA manager chatted with now and again.

John McMahon's analysis suggested there were three versions of the WANK
worm. These versions, isolated from worm samples collected from the
network, were very similar, but each contained a few subtle
differences. In McMahon's view, these differences could not be explained
by the way the worm recreated itself at each site in order to
spread. But why would the creator of the worm release different
versions? Why not just write one version properly and fire it off? The
worm wasn't just one incoming missile; it was a frenzied attack. It was
coming from all directions, at all sorts of different levels within
NASA's computers.

McMahon guessed that the worm's designer had released the different
versions at slightly different times. Maybe the creator released the
worm, and then discovered a bug. He fiddled with the worm a bit to
correct the problem and then released it again. Maybe he didn't like
the way he had fixed the bug the first time, so he changed it a little
more and released it a third time.

In northern California, Kevin Oberman came to a different conclusion.
He believed there was in fact only one real version of the worm
spiralling through HEPNET and SPAN. The small variations in the
different copies he dissected seemed to stem from the worm's ability
to learn and change as it moved from computer to computer.

McMahon and Oberman weren't the only detectives trying to decipher the
various manifestations of the worm. DEC was also examining the worm,
and with good reason. The WANK worm had invaded the corporation's own
network. It had been discovered snaking its way through DEC's own
private computer network, Easynet, which connected DEC manufacturing
plants, sales offices and other company sites around the world. DEC
was circumspect about discussing the matter publicly, but the Easynet
version of the WANK worm was definitely distinct. It had a strange
line of code in it, a line missing from any other versions. The worm
was under instructions to invade as many sites as it could, with one
exception. Under no circumstances was it to attack computers inside
DEC's area 48. The NASA team mulled over this information. One of them
looked up area 48. It was New Zealand.

New Zealand?

The NASA team were left scratching their heads. This attack was
getting stranger by the minute. Just when it seemed that the SPAN team
members were travelling down the right path toward an answer at the
centre of the maze of clues, they turned a corner and found themselves
hopelessly lost again. Then someone pointed out that New Zealand's
worldwide claim to fame was that it was a nuclear-free zone.

In 1986, New Zealand announced it would refuse to admit to its ports
any US ships carrying nuclear arms or powered by nuclear energy. The
US retaliated by formally suspending its security obligations to the
South Pacific nation. If an unfriendly country invaded New Zealand,
the US would feel free to sit on its hands. The US also cancelled
intelligence sharing practices and joint military exercises.

Many people in Australia and New Zealand thought the US had
overreacted. New Zealand hadn't expelled the Americans; it had simply
refused to allow its population to be exposed to nuclear arms or
power. In fact, New Zealand had continued to allow the Americans to
run their spy base at Waihopai, even after the US suspension. The
country wasn't anti-US, just anti-nuclear.

And New Zealand had very good reason to be anti-nuclear. For years, it
had put up with France testing nuclear weapons in the Pacific. Then in
July 1985 the French blew up the Greenpeace anti-nuclear protest ship
as it sat in Auckland harbour. The Rainbow Warrior was due to sail for
Mururoa Atoll, the test site, when French secret agents bombed the
ship, killing Greenpeace activist Fernando Pereira.

For weeks, France denied everything. When the truth came out--that
President Mitterrand himself had known about the bombing plan--the
French were red-faced. Heads rolled. French Defence Minister Charles
Hernu was forced to resign. Admiral Pierre Lacoste, director of
France's intelligence and covert action bureau, was sacked. France
apologised and paid $NZ13 million compensation in exchange for New
Zealand handing back the two saboteurs, who had each been sentenced to
ten years' prison in Auckland.

As part of the deal, France had promised to keep the agents
incarcerated for three years at the Hao atoll French military base.
Both agents walked free by May 1988 after serving less than two years.
After her return to France, one of the agents, Captain Dominique
Prieur, was promoted to the rank of commandant.

Finally, McMahon thought. Something that made sense. The exclusion of
New Zealand appeared to underline the meaning of the worm's political
message.

When the WANK worm invaded a computer system, it had instructions to
copy itself and send that copy out to other machines. It would slip
through the network and when it came upon a computer attached to the
network, it would poke around looking for a way in. What it really
wanted was to score a computer account with privileges, but it would
settle for a basic-level, user-level account.

VMS systems have accounts with varying levels of privilege. A
high-privilege account holder might, for example, be able to read the
electronic mail of another computer user or delete files from that
user's directory. He or she might also be allowed to create new
computer accounts on the system, or reactivate disabled accounts. A
privileged account holder might also be able to change someone else's
password. The people who ran computer systems or networks needed
accounts with the highest level of privilege in order to keep the
system running smoothly. The worm specifically sought out these sorts
of accounts because its creator knew that was where the power lay.

The worm was smart, and it learned as it went along. As it traversed
the network, it created a masterlist of commonly used account names.
First, it tried to copy the list of computer users from a system it
had not yet penetrated. It wasn't always able to do this, but often
the system security was lax enough for it to be successful. The worm
then compared that list to the list of users on its current host. When
it found a match--an account name common to both lists--the worm added
that name to the masterlist it carried around inside it, making a note
to try that account when breaking into a new system in future.

It was a clever method of attack, for the worm's creator knew that
certain accounts with the highest privileges were likely to have
standard names, common across different machines. Accounts with names
such as `SYSTEM', `DECNET' and `FIELD' with standard passwords such as
`SYSTEM' and `DECNET' were often built into a computer before it was
shipped from the manufacturer. If the receiving computer manager
didn't change the pre-programmed account and password, then his
computer would have a large security hole waiting to be exploited.

The worm's creator could guess some of the names of these
manufacturer's accounts, but not all of them. By endowing the worm
with an ability to learn, he gave it far more power. As the worm
spread, it became more and more intelligent. As it reproduced, its
offspring evolved into ever more advanced creatures, increasingly
successful at breaking into new systems.

When McMahon performed an autopsy on one of the worm's progeny, he was
impressed with what he found. Slicing the worm open and inspecting its
entrails, he discovered an extensive collection of generic privileged
accounts across the SPAN network. In fact, the worm wasn't only picking
up the standard VMS privileged accounts; it had learned accounts common
to NASA but not necessarily to other VMS computers. For example, a lot
of NASA sites ran a type of TCP/IP mailer that needed either a
POSTMASTER or a MAILER account. John saw those names turn up inside the
worm's progeny.

Even if it only managed to break into an unprivileged account, the
worm would use the account as an incubator. The worm replicated and
then attacked other computers in the network. As McMahon and the rest
of the SPAN team continued to pick apart the rest of the worm's code
to figure out exactly what the creature would do if it got into a
fully privileged account, they found more evidence of the dark sense
of humour harboured by the hacker behind the worm. Part of the worm, a
subroutine, was named `find fucked'.

The SPAN team tried to give NASA managers calling in as much
information as they could about the worm. It was the best way to help
computer managers, isolated in their offices around the country, to
regain a sense of control over the crisis.

Like all the SPAN team, McMahon tried to calm the callers down and
walk them through a set of questions designed to determine the extent
of the worm's control over their systems. First, he asked them what
symptoms their systems were showing. In a crisis situation, when
you're holding a hammer, everything looks like a nail. McMahon wanted
to make sure that the problems on the system were in fact caused by
the worm and not something else entirely.
