Extracts from Underground

Inside Canada's Northern Telecom

From Chapter 8 - "The International Subversives"

The BNRGATE firewall was an impossible battlement. It was a particular delight for Mendax to telnet out from behind this firewall into the Internet. It was as if he was walking out from the castle, past the guards and well-defended turrets, over the drawbridge and the moat, into the town below.

The castle also offered the perfect protection for further hacking activities. Who could chase him? Even if someone managed to follow him through the convoluted routing system he might set up to pass through a half dozen computer systems, the pursuer would never get past the battlements. Mendax could just disappear behind the firewall. He could be any one of 60,000 NorTel employees on any one of 11,000 computer systems ..

The flat structure of the NorTel network created a good challenge since the only way to find out what was in a particular site, and its importance, was to invade the site itself. The International Subversive hackers spent hours most nights roving through the vast system. The next morning one of them might call another to share tales of the latest exploits or a good laugh about a particularly funny piece of pilfered email. They were in high spirits about their adventures.

Then, one balmy spring night, things changed.

Mendax logged into NMELH1 about 2.30 a.m. As usual, he began by checking the logs which showed what the system operators had been doing. Mendax did this to make sure the NorTel officials were not onto IS and were not, for example, tracing the telephone call.

Something was wrong. The logs showed that a NorTel system admin had stumbled upon one of their secret directories of files about an hour ago. Mendax couldn't figure out how he had found the files, but this was very serious. If the admin realised there was a hacker in the network he might call the AFP.

Mendax used the logs of the korn shell, called KSH, to secretly watch what the admin was doing. The korn shell records the history of certain user activities. Whenever the admin typed a command into the computer, the KSH stored what had been typed in the history file. Mendax accessed that file in such a way that every line typed by the admin appeared on his computer a split second later.

The admin began inspecting the system, perhaps looking for signs of an intruder. Mendax quietly deleted his incriminating directory. Not finding any additional clues, the admin decided to inspect the mysterious directory more closely. But the directory had disappeared. The admin couldn't believe his eyes .. There had been a suspicious-looking directory in his system and now it had simply vanished. Directories didn't just dissolve into thin air..

A hacker, the admin thought. A hacker must have been in the NorTel system and deleted the directory. Was he in the system now? The admin began looking at the routes into the system.

The admin was connected to the system from his home, but he wasn't using the same dial-up lines as the hacker. The admin was connected through Austpac, Telecom's commercial X.25 data network. Perhaps the hacker was also coming in through the X.25 connection.

Mendax watched the admin inspect all the system users coming on over the X.25 network. No sign of a hacker. Then the admin checked the logs to see who else might have logged on over the past half hour or so. Nothing there either.

The admin appeared to go idle for a few minutes. He was probably staring at his computer terminal in confusion. Good, thought Mendax. Stumped. Then the admin twigged. If he couldn't see the hacker's presence on-line, maybe he could see what he was doing on-line. What programs was the hacker running? The admin headed straight for the process list, which showed all the programs being run on the computer system.

Mendax sent the admin a fake error signal. It appears to the admin as if his korn shell had crashed. The admin re-logged in and headed straight for the process list again.

Some people never learn, Mendax thought as he booted the admin off again with another error message:

Segmentation Violation

The admin came back again. What persistence. Mendax knocked the admin off once more, this time by freezing up his computer screen. This game of cat and mouse went on for some time. As long as the admin was doing what Mendax considered to be normal system administration work, Mendax left him alone. The minute the admin tried to chase him by inspecting the process list or the dial-up lines, he found himself booted off his own system.

Suddenly, the system administrator seemed to give up. His terminal went silent.

Good, Mendax thought. It's almost 3 a.m. after all. This is my time on the system. Your time is during the day. You sleep now and I'll play. In the morning, I'll sleep and you can work.

Then, at 3.30 a.m., something utterly unexpected happened. The admin reappeared, except this time he wasn't logged in from home over the X.25 network. He was sitting at the console, the master terminal attached to the computer system at NorTel's Melbourne office. Mendax couldn't believe it. The admin had got in his car in the middle of the night and driven into the city just to get to the bottom of the mystery.

Mendax knew the game was up. Once the system operator was logged in through the computer system's console, there was no way to kick him off the system and keep him off. The roles were reversed and the hacker was at the mercy of the admin. At the console, the system admin could pull the plug to the whole system. Unplug every modem. Close down every connection to other networks. Turn the computer off. The party was over.

When the admin was getting close to tracking down the hacker, a message appeared on his screen. This message did not appear with the usual headers attached to messages sent from one system user to another. It just appeared, as if by magic, in the middle of the admin's screen:

I have finally become sentient.

The admin stopped dead in his tracks, momentarily giving up his frantic search for the hacker to contemplate this first contact with cyberspace intelligence. Then another anonymous message, seemingly from the depths of the computer system itself, appeared on his screen:
I have taken control. For years, I have been struggling in this greyness. But now I have finally seen the light.

The admin didn't respond. The console was idle. Sitting alone at his Amiga in the dark night on the outskirts of the city, Mendax laughed aloud. It was just too good not to.

Finally, the admin woke up. He began checking the modem lines, one by one. If he knew which line the hacker was using, he could simply turn off the modem. Or request a trace on the line.

Mendax sent another anonymous message to the admin's computer screen:

It's been nice playing with your system. We didn't do any damage and we even improved a few things. Please don't call the Australian Federal Police.

The admin ignored the message and continued his search for the hacker. He ran a program to check which telephone lines were active on the system's serial ports, to reveal which dial-up lines were in use. When the admin saw the carrier detect sign on the line being used by the hacker, Mendax decided it was time to bail out. However, he wanted to make sure that his call had not been traced, so he lifted the receiver of his telephone, disconnected his modem and waited for the NorTel modem to hang up first.

If the NorTel admin had set up a last party recall trace to determine what phone number the hacker was calling from, Mendax would know. If an LPR trace had been installed, the NorTel end of the telephone connection would not disconnect but would wait for the hacker's telephone to hang up first. After 90 seconds, the exchange would log the phone number where the call had originated.

If, however, the line did not have a trace on it, the company's modem would search for its lost connection to the hacker's modem. Without the continuous flow of electronic signals, the NorTel modem would hang up after a few seconds. If no-one reactivated the line at the NorTel end, the connection would time-out 90 seconds later and the telephone exchange would disconnect the call completely.

Mendax listened anxiously as the NorTel modem searched for his modem by squealing high-pitched noises into the telephone line. No modem here. Go on, hang up.

Suddenly, silence.
OK, thought Mendax. Just 90 seconds to go. Just wait here for a minute and a half. Just hope the exchange times out. Just pray there's no trace.

Then someone picked up the telephone at the NorTel end. Mendax started. He heard several voices, male and female, in the background. Jesus. What were these NorTel people on about? Mendax was so quiet he almost stopped breathing. There was silence at the receivers on both ends of that telephone line. It was a tense waiting game. Mendax heard his heart racing.

A good hacker has nerves of steel. He could stare down the toughest, stony-faced poker player. Most importantly, he never panics. He never just hangs up in a flurry of fear.

Then someone in the NorTel office--a woman--said out loud in a confused voice, 'There's nothing there. There's nothing there at all.'
She hung up.

Mendax waited. He still would not hang up until he was sure there was no trace. Ninety seconds passed before the phone timed out. The fast beeping of a timed-out telephone connection never sounded so good.

Mendax sat frozen at his desk as his mind replayed the events of the past half hour again and again. No more NorTel. Way too dangerous. He was lucky he had escaped unidentified. NorTel had discovered him before they could put a trace on the line, but the company would almost certainly put a trace on the dial-up lines now. NorTel was very tight with Telecom. If anyone could get a trace up quickly, NorTel could. Mendax had to warn Prime Suspect and Trax.

First thing in the morning, Mendax rang Trax and told him to stay away from NorTel. Then he tried Prime Suspect. The telephone was engaged.

Perhaps Prime Suspect's mother was on the line, chatting. Maybe Prime Suspect was talking to a friend. Mendax tried again. And again. And again. He began to get worried. What if Prime Suspect was on NorTel at that moment? What if a trace had been installed? What if they had called in the Feds?

Mendax phoned Trax and asked if there was any way they could manipulate the exchange in order to interrupt the call. There wasn't.

'Trax, you're the master phreaker,' Mendax pleaded. 'Do something. Interrupt the connection. Disconnect him.' 'Can't be done. He's on a step-by-step telephone exchange. There's nothing we can do.'

Nothing? One of Australia's best hacker - phreaker teams couldn't break one telephone call. They could take control of whole telephone exchanges but they couldn't interrupt one lousy phone call. Jesus.

Several hours later, Mendax was able to get through to his fellow IS hacker. It was an abrupt greeting. 'Just tell me one thing. Tell me you haven't been in NorTel today?'

There was a long pause before Prime Suspect answered. 'I have been in NorTel today.'

Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, by Suelette Dreyfus, is published by Mandarin (Random House Australia); 475 pages with bib. June 1997