THIRTY-THREE

Hacking the Samurai

010 1 0001 101 0 111 000 100001 01 101 001 00 111 00 00 1111 000 01 111 1 10 000 0000 1001 000 11 0000 0 111 0 0 0101 010 110 111 111 0 1111 1 101 111 1101 110 01 00 010 111 000 0100 111 01 100 00

With my new identity credentials in order, it was time to get clear of Las Vegas before my luck ran out. The 1994 Christmas/New Year’s holiday time was just ahead, and I couldn’t resist the idea of a return visit to Denver, a city I had grown so fond of. Packing up, I took along an old ski jacket of mine, thinking I might be able to get in a little more time on the slopes over the holidays.

But once I arrived in Denver and settled into an attractive, medium-priced hotel, two people I had never met—one the arrogant Japanese-American security expert whose server I had hacked into a year earlier, the other an extraordinarily skilled computer hacker in Israel—would become actors in a drama that would change the entire rest of my life.

I had come across an Israeli who went by his initials, “JSZ”; we met over Internet Relay Chat, an online service for finding and chatting with strangers who shared similar interests. In our case, the interest was hacking.

Eventually he told me that he had hacked most if not all of the major software manufacturers that developed operating systems—Sun, Silicon Graphics, IBM, SCO, and so on. He had copied source code from their internal development systems and planted backdoors to get back in anytime he wanted. That was quite a feat—very impressive.

We started sharing our hacking conquests with each other and information on new exploits, backdooring systems, cell phone cloning, acquiring source code, and compromising the systems of vulnerability researchers.

During one call he asked if I had read “the Morris paper on IP spoofing,” which revealed a major vulnerability in the core protocol of the Internet.

Robert T. Morris, a computer prodigy, had found a clever security flaw that could be exploited using a technique called “IP spoofing” to bypass authentication that relied on the remote user’s IP address. Ten years after Morris published his paper, a group of hackers, including JSZ in Israel, had created a tool for it. Since it was only theoretical up to that time, nobody had thought to protect against it.

I told JSZ I had read the article. “But it’s theoretical. Hasn’t been done yet.”

“Well, my friend, methinks it has. We’ve already developed the tool, and it works—amazingly well!” he said, referring to a piece of software that he and some associates spread throughout Europe had been working on.

“No way! You’re kidding me!”

“I’m not.”

I asked him if I could have a copy.

“Maybe later,” he said. “But I’ll run it for you anytime you want. Just give me a target.”

I shared with JSZ the details of my hack into Mark Lottor’s server and his interesting connection with Tsutomu Shimomura, using his nickname. I explained how I’d hacked into UCSD and sniffed the network until someone named “david” connected to Shimomura’s server, “ariel,” after which I was finally able to get in. “Shimmy somehow realized that one of the people who had access to his computer had been hacked, and he booted me off after several days,” I said.

I had seen some of the security bugs Shimmy had reported to Sun and DEC and been impressed with his bug-finding skills. In time I would learn that he had shoulder-length straight black hair, a preference for showing up at work wearing sandals and “raggedy-ass jeans,” and a passion for cross-country skiing. He sounded every bit like the kind of Californian conjured by the term “dude”—as in, “Hey, dude, howz it hangin’?”

I told JSZ that Shimmy might have the OKI source code or the details of his and Lottor’s reverse engineering efforts, not to mention any new security bugs he might have discovered.

On Christmas Day 1994, walking out of a movie at the Tivoli Center in downtown Denver, I powered up my cloned cell phone and called JSZ to jokingly wish him a Jewish Merry Christmas.

“Glad you called,” he said. In a cool, collected voice, he told me, “I have a Christmas present for you. My friend, I got into ariel tonight.” And he gave me the port number where he’d set up the backdoor. “Once you connect, there is no prompt. You just type ‘.shimmy.’ and you get a root shell.”

“No fucking way!”

To me it was a great Christmas present. I had been wanting to get back into Shimmy’s computer to find out more about what he and Mark Lottor were up to with the OKI cell phone project, and I wanted to know if either of them had access to the source code. Either way I was going to grab whatever information I could find on his server related to the OKI 900 and 1150 cell phones.

It was known in the hacker community that Shimmy had a very arrogant demeanor—he thought he was smarter than everyone else around him. We decided to bring his ego down a few notches toward reality—just because we could.

The drive back to the hotel in my rental car felt like just about the longest twenty minutes of my life. But I didn’t dare drive faster than the flow of traffic. If I got pulled over and the cop came up with something suspicious about my driver’s license, it might be a hell of a lot longer than twenty minutes before I could get online again. Patience, patience.

As soon as I walked into my hotel room, I powered up my laptop and dialed up to Colorado Supernet, masking the call as usual by using my cell phone cloned to some random Denverite.

I fired up a network talk program that would make a direct connection to JSZ’s computer in Israel so we could communicate in one window as we hacked Shimmy in another. I connected to Shimmy’s computer using the backdoor that JSZ had set up. Bingo!—I was in with root privileges.

Incredible! What a high! That must be what a kid feels on reaching the top level of a video game that he’s struggled with for months. Or like reaching the summit of Mount Everest. Thrilled, I congratulated JSZ on a job well done.

For openers, JSZ and I probed Shimmy’s system looking for the most valuable information—anything to do with security bugs, his email, and any files that had “oki” in their name. He had tons of files. As I was archiving and compressing everything that matched my criteria, JSZ was also probing around for anything that would be useful. Both of us were very concerned that Shimmy might decide to log in to check his email for Christmas greetings and find out he was being hacked. We wanted to get his stuff before he figured it out. I was worried he might pull the network connection, just as Lottor had done several months earlier.

We were working fast to get the information off Shimmy’s machine. My endorphins were on major overload.

After searching, archiving, and compressing, I needed a place to store the code for safekeeping. No problem: I already had root access to every server at the Whole Earth ’Lectronic Link, commonly known as “the Well.” Started by Stewart Brand and a partner, the Well had as its users a who’s who of the Internet, but the celebrity status of the site didn’t matter to me at all. My only concern was whether there was enough disk space and whether I could hide the files well enough that the system admins wouldn’t notice them. In fact, I had been spending lots of time on the site. A few days after John Markoff’s front-page New York Times story appeared, I discovered he had an account on the Well. An easy target: I had been reading his emails ever since, searching for anything related to me.

After I finished moving the targeted stuff, we decided to just grab everything in Shimmy’s home directory. JSZ archived and compressed his entire home directory into a single file that amounted to more than 140 megabytes.

We held our breath until the file was successfully transferred, then gave each other electronic high-fives over chat.

JSZ moved a copy of the file to a system in Europe in case some Well system admin happened to find the huge file and delete it. I also copied the file to a couple of other locations.

JSZ kept telling me that finding the simple backdoor he had set up for my access would be easy for Shimmy. I agreed: it was too easy to find. I suggested that we consider placing a more sophisticated backdoor in the operating system itself, where it would be much harder to detect.

“He’ll find it,” JSZ countered.

“Yeah, we could always get back in later the same way,” I said.

I logged off the system, and JSZ cleaned up, removing the simple backdoor and deleting all logs of our activity.

It was a very exciting moment. We had gotten into the security expert’s server—in my case, for the second time in little over a year. JSZ and I decided we would each examine Shimmy’s files independently and then report back to the other on what we found.

But no matter how careful we were to erase our tracks, I figured it was almost certain that Shimmy would stumble onto some telltale sign we had overlooked.

Sifting through Shimmy’s old emails, I came across messages back and forth between him and my nemesis, New York Times technology scribe John Markoff. The two of them had been exchanging emails going back to early 1991 about me—trading bits of information on what I was up to, as in an exchange in early ’92 that showed Shimmy had gone to the trouble of researching online for my ham radio license, call sign N6NHG. He also emailed Markoff asking whether the FCC had a rule against issuing ham radio licenses to a person convicted of a felony.

Why the two of them had such an interest in me was still a mystery. I had never met Shimmy, never interacted with him in any way except for the recent hacks into his system.

So why would the two of them be so interested in what I was doing?

I was right about one thing: Shimmy very quickly learned of our break-in. Because JSZ and I were both so focused on getting a copy of his files, we didn’t notice that he was running “tcpdump”—a network monitoring tool to capture all network traffic. We also didn’t notice that a program called “cron” was periodically emailing his system logs to Andrew Gross, Shimmy’s assistant. Gross realized the logs were getting smaller and tipped off Shimmy that something suspicious was going on. As soon as Shimmy looked through the logs, he realized he had been hacked.
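The check that tipped off Gross, logs that got smaller between one cron mailing and the next, as an added example that is not from the book or from anyone it describes. It goes one step further than a size comparison: a log that is only ever appended to must have its previous snapshot as a prefix of the current one, which also catches an intruder who deletes lines and then pads the file so the byte count does not drop. Every log line, the hostname, the user and the address below are constructed, and the handling of a rotated copy is an assumption about how the logs are managed.

```python
"""Added example: spot an append-only log that has been truncated or edited.

All sample data is constructed; hostname, user, addresses and lines are made up.
"""
from dataclasses import dataclass, field


@dataclass
class AuditResult:
    log: str
    verdict: str                 # "ok", "rotated", "shrunk" or "rewritten"
    appended: int = 0            # lines present now that were not in the previous snapshot
    missing: list = field(default_factory=list)  # lines seen before that are gone now


def audit_log(name, previous, current, rotated=None):
    """Compare two consecutive snapshots of a log that should only ever grow.

    previous, current: full text of the log at the earlier and later snapshot.
    rotated: text of the rotated copy (e.g. messages.0), if one exists, so a
             legitimate rotation is not reported as tampering (assumed layout).
    """
    prev_lines = previous.splitlines()
    cur_lines = current.splitlines()

    # Normal case: everything seen before is still there, in order, at the front.
    if current.startswith(previous):
        return AuditResult(name, "ok", appended=len(cur_lines) - len(prev_lines))

    # Rotation: the old content moved aside intact and the live file started over.
    if rotated is not None and rotated.startswith(previous):
        return AuditResult(name, "rotated", appended=len(cur_lines))

    # Anything else means lines were removed or altered.
    cur_set = set(cur_lines)
    prev_set = set(prev_lines)
    missing = [line for line in prev_lines if line not in cur_set]
    appended = sum(1 for line in cur_lines if line not in prev_set)
    # A byte-count check (what a shrinking mailed digest reveals) only yields "shrunk";
    # a file padded after deletion fails the prefix test above and is flagged "rewritten".
    verdict = "shrunk" if len(current) < len(previous) else "rewritten"
    return AuditResult(name, verdict, appended=appended, missing=missing)


def audit_all(previous_snapshots, current_snapshots, rotated_snapshots=None):
    """Run audit_log over every log name; return only the results worth alerting on."""
    rotated_snapshots = rotated_snapshots or {}
    alerts = []
    for name, previous in previous_snapshots.items():
        result = audit_log(name, previous, current_snapshots.get(name, ""),
                           rotated_snapshots.get(name))
        if result.verdict in ("shrunk", "rewritten"):
            alerts.append(result)
    return alerts


# Constructed sample: what cron mailed out on two successive runs for a host called "ariel".
PREVIOUS = (
    "Dec 25 19:02:11 ariel login: ROOT LOGIN console\n"
    "Dec 25 20:14:03 ariel inetd[212]: telnet from 192.0.2.9\n"
    "Dec 25 20:14:20 ariel login: LOGIN ON ttyp1 BY jdoe FROM 192.0.2.9\n"
    "Dec 25 20:31:45 ariel su: 'su root' succeeded for jdoe on /dev/ttyp1\n"
)
CRON_LINE = "Dec 25 21:05:00 ariel cron[300]: (root) CMD (/usr/lib/sa/sa1)\n"
# The intruder removed every line about the session from 192.0.2.9; the log then kept growing.
TAMPERED = "Dec 25 19:02:11 ariel login: ROOT LOGIN console\n" + CRON_LINE
# Same deletion, padded so the byte count does not drop: a size check alone misses this.
PADDED = TAMPERED + "Dec 25 21:05:01 ariel cron[300]: (root) CMD (" + "#" * 200 + ")\n"
# Legitimate rotation: old content lives on in messages.0, live file restarted.
ROTATED_COPY = PREVIOUS + CRON_LINE
AFTER_ROTATION = "Dec 26 00:00:05 ariel syslogd: restart\n"


def demo():
    """Run the four scenarios; returns {scenario: AuditResult}."""
    return {
        "grown": audit_log("messages", PREVIOUS, PREVIOUS + CRON_LINE),
        "tampered": audit_log("messages", PREVIOUS, TAMPERED),
        "padded": audit_log("messages", PREVIOUS, PADDED),
        "rotated": audit_log("messages", PREVIOUS, AFTER_ROTATION, rotated=ROTATED_COPY),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:9} -> {result.verdict}: {len(result.missing)} line(s) missing, "
              f"{result.appended} appended")
```

The prefix test is what makes the check robust: size alone is the signal Gross happened to notice, but an intruder who is careful to keep the file the same length defeats it, and one who rotates the logs himself can make a genuine rotation and a wipe look alike unless the rotated copy is checked too. Keeping the previous snapshot somewhere the intruder cannot edit, as the mailed copies were, is what gives the comparison something to stand on.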

It didn’t matter much. We had his files, and we would spend the days and weeks ahead carefully examining them.

Why would Shimmy be running a network monitoring tool to capture everything going through his server? Paranoia? Or was it a bait machine? Because he was so high-profile in the computer security world, he knew it was just a matter of time before someone would nail his butt with a clever new attack. I thought maybe it was a bait machine, left accessible so he could monitor all the incoming attacks and profile the methods being used. But in that case, why would he leave all his files on this machine, and even a network wiretapping tool called “bpf”—for Berkeley Packet Filter—that he had created for the United States Air Force, which could insert itself directly into an operating system without requiring a reboot?

Maybe he just underestimated his opponents and assumed no one would ever get in. It’s still a mystery.

Many people credit me with being the guy who developed the program that was used to hack into Shimmy’s servers using the IP spoofing attack. I’d be proud if I really had been the one who managed that rather astounding feat, and I’d be glad to take credit for it. But the credit’s not mine. Instead, that honor belongs to the wickedly clever JSZ, the guy who actually participated in developing the tool and used it for our Christmas Day break-in to Shimmy’s server.

I had enjoyed my time back in Denver for the holidays, especially because we were able to get into Shimmy’s system. But time was up: I needed to put that grand city behind me and push off for my next destination.

I was still elated about the success of the Shimmy hack. But I would live to regret it. Those few hours would eventually lead to my undoing. I had unleashed a hacker vigilante who would stop at nothing to get even with me.