A number of the NASA SPAN team members had developed contacts within different parts of DEC through the company's users' society, DECUS. These contacts were to prove very helpful. It was easy to get lost in the bureaucracy of DEC, which employed more than 125000 people, posted a billion-dollar profit and declared revenues in excess of $12 billion in 1989.[10] Such an enormous and prestigious company would not want to face a crisis such as the WANK worm, particularly in such a publicly visible organisation as NASA. Whether or not the worm's successful expedition could be blamed on DEC's software was a moot point. Such a crisis was, well, undesirable. It just didn't look good. And it mightn't look so good either if DEC just jumped into the fray. It might look like the company was in some way at fault.
Things were different, however, if someone already had a relationship with a technical expert inside the company. It wasn't like a NASA manager cold-calling a DEC guy who sold a million dollars worth of machines to someone else in the agency six months ago. It was the NASA guy calling the DEC guy he sat next to at the conference last month. It was a colleague the NASA manager chatted with now and again.
John McMahon's analysis suggested there were three versions of the WANK worm. These versions, isolated from worm samples collected from the network, were very similar, but each contained a few subtle differences. In McMahon's view, these differences could not be explained by the way the worm recreated itself at each site in order to spread. But why would the creator of the worm release different versions? Why not just write one version properly and fire it off? The worm wasn't just one incoming missile; it was a frenzied attack. It was coming from all directions, at all sorts of different levels within NASA's computers.
McMahon guessed that the worm's designer had released the different versions at slightly different times. Maybe the creator released the worm, and then discovered a bug. He fiddled with the worm a bit to correct the problem and then released it again. Maybe he didn't like the way he had fixed the bug the first time, so he changed it a little more and released it a third time.
In northern California, Kevin Oberman came to a different conclusion. He believed there was in fact only one real version of the worm spiralling through HEPNET and SPAN. The small variations in the different copies he dissected seemed to stem from the worm's ability to learn and change as it moved from computer to computer.
McMahon and Oberman weren't the only detectives trying to decipher the various manifestations of the worm. DEC was also examining the worm, and with good reason. The WANK worm had invaded the corporation's own network. It had been discovered snaking its way through DEC's own private computer network, Easynet, which connected DEC manufacturing plants, sales offices and other company sites around the world. DEC was circumspect about discussing the matter publicly, but the Easynet version of the WANK worm was definitely distinct. It had a strange line of code in it, a line missing from any other versions. The worm was under instructions to invade as many sites as it could, with one exception. Under no circumstances was it to attack computers inside DEC's area 48. The NASA team mulled over this information. One of them looked up area 48. It was New Zealand.
New Zealand?
The NASA team were left scratching their heads. This attack was getting stranger by the minute. Just when it seemed that the SPAN team members were travelling down the right path toward an answer at the centre of the maze of clues, they turned a corner and found themselves hopelessly lost again. Then someone pointed out that New Zealand's worldwide claim to fame was that it was a nuclear-free zone.
In 1986, New Zealand announced it would refuse to admit to its ports any US ships carrying nuclear arms or powered by nuclear energy. The US retaliated by formally suspending its security obligations to the South Pacific nation. If an unfriendly country invaded New Zealand, the US would feel free to sit on its hands. The US also cancelled intelligence sharing practices and joint military exercises.
Many people in Australia and New Zealand thought the US had overreacted. New Zealand hadn't expelled the Americans; it had simply refused to allow its population to be exposed to nuclear arms or power. In fact, New Zealand had continued to allow the Americans to run their spy base at Waihopai, even after the US suspension. The country wasn't anti-US, just anti-nuclear.
And New Zealand had very good reason to be anti-nuclear. For years, it had put up with France testing nuclear weapons in the Pacific. Then in July 1985 the French blew up the Greenpeace anti-nuclear protest ship as it sat in Auckland harbour. The Rainbow Warrior was due to sail for Mururoa Atoll, the test site, when French secret agents bombed the ship, killing Greenpeace activist Fernando Pereira.
For weeks, France denied everything. When the truth came out—that President Mitterrand himself had known about the bombing plan—the French were red-faced. Heads rolled. French Defence Minister Charles Hernu was forced to resign. Admiral Pierre Lacoste, director of France's intelligence and covert action bureau, was sacked. France apologised and paid $NZ13 million compensation in exchange for New Zealand handing back the two saboteurs, who had each been sentenced to ten years' prison in Auckland.
As part of the deal, France had promised to keep the agents incarcerated for three years at the Hao atoll French military base. Both agents walked free by May 1988 after serving less than two years. After her return to France, one of the agents, Captain Dominique Prieur, was promoted to the rank of commandant.
Finally, McMahon thought. Something that made sense. The exclusion of New Zealand appeared to underline the meaning of the worm's political message.
When the WANK worm invaded a computer system, it had instructions to copy itself and send that copy out to other machines. It would slip through the network and when it came upon a computer attached to the network, it would poke around looking for a way in. What it really wanted was to score a computer account with privileges, but it would settle for a basic-level, user-level account.
VMS systems have accounts with varying levels of privilege. A high-privilege account holder might, for example, be able to read the electronic mail of another computer user or delete files from that user's directory. He or she might also be allowed to create new computer accounts on the system, or reactivate disabled accounts. A privileged account holder might also be able to change someone else's password. The people who ran computer systems or networks needed accounts with the highest level of privilege in order to keep the system running smoothly. The worm specifically sought out these sorts of accounts because its creator knew that was where the power lay.
The worm was smart, and it learned as it went along. As it traversed the network, it created a masterlist of commonly used account names. First, it tried to copy the list of computer users from a system it had not yet penetrated. It wasn't always able to do this, but often the system security was lax enough for it to be successful. The worm then compared that list to the list of users on its current host. When it found a match—an account name common to both lists—the worm added that name to the masterlist it carried around inside it, making a note to try that account when breaking into a new system in future.
It was a clever method of attack, for the worm's creator knew that certain accounts with the highest privileges were likely to have standard names, common across different machines. Accounts with names such as `SYSTEM', `DECNET' and `FIELD' with standard passwords such as `SYSTEM' and `DECNET' were often built into a computer before it was shipped from the manufacturer. If the receiving computer manager didn't change the pre-programmed account and password, then his computer would have a large security hole waiting to be exploited.
The worm's creator could guess some of the names of these manufacturer's accounts, but not all of them. By endowing the worm with an ability to learn, he gave it far more power. As the worm spread, it became more and more intelligent. As it reproduced, its offspring evolved into ever more advanced creatures, increasingly successful at breaking into new systems.
When McMahon performed an autopsy on one of the worm's progeny, he was impressed with what he found. Slicing the worm open and inspecting its entrails, he discovered an extensive collection of generic privileged accounts across the SPAN network. In fact, the worm wasn't only picking up the standard VMS privileged accounts; it had learned accounts common to NASA but not necessarily to other VMS computers. For example, a lot of NASA sites ran a type of TCP/IP mailer that needed either a POSTMASTER or a MAILER account. John saw those names turn up inside the worm's progeny.
Even if it only managed to break into an unprivileged account, the worm would use the account as an incubator. The worm replicated and then attacked other computers in the network. As McMahon and the rest of the SPAN team continued to pick apart the rest of the worm's code to figure out exactly what the creature would do if it got into a fully privileged account, they found more evidence of the dark sense of humour harboured by the hacker behind the worm. Part of the worm, a subroutine, was named `find fucked'.
The SPAN team tried to give NASA managers calling in as much information as they could about the worm. It was the best way to help computer managers, isolated in their offices around the country, to regain a sense of control over the crisis.
Like all the SPAN team, McMahon tried to calm the callers down and walk them through a set of questions designed to determine the extent of the worm's control over their systems. First, he asked them what symptoms their systems were showing. In a crisis situation, when you're holding a hammer, everything looks like a nail. McMahon wanted to make sure that the problems on the system were in fact caused by the worm and not something else entirely.
If the only problem seemed to be mysterious comments flashing across the screen, McMahon concluded that the worm was probably harassing the staff on that computer from a neighbouring system which it had successfully invaded. The messages suggested that the recipients' accounts had not been hijacked by the worm. Yet.
VAX/VMS machines have a feature called Phone, which is useful for on-line communications. For example, a NASA scientist could `ring up' one of his colleagues on a different computer and have a friendly chat on-line. The chat session is live, but it is conducted by typing on the computer screen, not `voice'. The VMS Phone facility enabled the worm to send messages to users. It would simply call them using the phone protocol. But instead of starting a chat session, it sent them statements from what was later determined to be the aptly named Fortune Cookie file—a collection of 60 or so pre-programmed comments.
In some cases, where the worm was really bugging staff, McMahon told the manager at the other end of the phone to turn the computer's Phone feature off. A few managers complained and McMahon gave them the obvious ultimatum: choose Phone or peace. Most chose peace.
When McMahon finished his preliminary analysis, he had good news and bad news. The good news was that, contrary to what the worm was telling computer users all over NASA, it was not actually deleting their files. It was just pretending to delete their data. One big practical joke. To the creator of the worm anyway. To the NASA scientists, just a headache and heartache. And occasionally a heart attack.
The bad news was that, when the worm got control over a privileged account, it would help someone—presumably its creator—perpetrate an even more serious break-in at NASA. The worm sought out the FIELD account created by the manufacturer and, if it had been turned off, tried to reactivate the account and install the password FIELD. The worm was also programmed to change the password for the standard account named DECNET to a random string of at least twelve characters. In short, the worm tried to pry open a backdoor to the system.
The worm sent information about accounts it had successfully broken into back to a type of electronic mailbox—an account called GEMPAK on SPAN node 6.59. Presumably, the hacker who created the worm would check the worm's mailbox for information which he could use to break into the NASA account at a later date. Not surprisingly, the mailboxes had been surreptitiously `borrowed' by the hacker, much to the surprise of the legitimate owners.
A computer hacker created a whole new set of problems. Although the worm was able to break into new accounts with greater speed and reach than a single hacker, it was more predictable. Once the SPAN and DOE teams picked the worm apart, they would know exactly what it could be expected to do. However, a hacker was utterly unpredictable.
McMahon realised that killing off the worm was not going to solve the problem. All the system managers across the NASA and DOE networks would have to change all the passwords of the accounts used by the worm. They would also have to check every system the worm had invaded to see if it had built a backdoor for the hacker. The system admin had to shut and lock all the backdoors, no small feat.
What really scared the SPAN team about the worm, however, was that it was rampaging through NASA simply by using the simplest of attack strategies: username equals password. It was getting complete control over NASA computers simply by trying a password which was identical to the name of the computer user's account.
The SPAN team didn't want to believe it, but the evidence was overwhelming.
Todd Butler answered a call from one NASA site. It was a gloomy call. He hung up.
`That node just got hit,' he told the team.
`How bad?' McMahon asked.
`A privileged account.'
`Oh boy.' McMahon jumped onto one of the terminals and did a SET HOST, logging into the remote NASA site's machine. Bang. Up it came. `Your system has officially been WANKED.'
McMahon turned to Butler. `What account did it get into?'
`They think it was SYSTEM.'
The tension quietly rolled into black humour. The team couldn't help it. The head-slapping stupidity of the situation could only be viewed as black comedy.
The NASA site had a password of SYSTEM for their fully privileged SYSTEM account. It was so unforgivable. NASA, potentially the greatest single collection of technical minds on Earth, had such lax computer security that a computer-literate teenager could have cracked it wide open. The tall poppy was being cut down to size by a computer program resembling a bowl of spaghetti.
The first thing any computer system manager learns in Computer Security 101 is never to use the same password as the username. It was bad enough that naive users might fall into this trap … but a computer system manager with a fully privileged account.
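An added example (not from the book or from either team's tools) of the audit this failure calls for: test each account's stored hash against a blank password, its own name, and the standard passwords named earlier, and flag an enabled FIELD account. The account store, the PBKDF2 hashing and every sample account are constructed assumptions; VMS stores passwords differently.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 10_000  # stand-in work factor for the constructed store
# Standard passwords the text names for manufacturer accounts, plus the
# FIELD password the worm installs on the FIELD account.
STANDARD_PASSWORDS = ("SYSTEM", "DECNET", "FIELD")


@dataclass(frozen=True)
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    enabled: bool
    privileged: bool


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(name, password, enabled=True, privileged=False):
    """Build a record for the constructed store (hypothetical helper)."""
    salt = os.urandom(16)
    return Account(name, salt, _hash(password, salt), enabled, privileged)


def _matches(acct: Account, candidate: str) -> bool:
    # Constant-time comparison of the candidate's hash with the stored hash.
    return hmac.compare_digest(_hash(candidate, acct.salt), acct.pw_hash)


def audit(accounts):
    """Return {account name: [findings]} for accounts that need attention."""
    report = {}
    for acct in accounts:
        findings = []
        if _matches(acct, ""):
            findings.append("blank-password")
        elif any(_matches(acct, c) for c in (acct.name, acct.name.lower())):
            findings.append("password-equals-username")
        elif any(_matches(acct, p) for p in STANDARD_PASSWORDS):
            findings.append("vendor-default-password")
        # The worm re-enables FIELD as its backdoor, so an enabled FIELD
        # account is worth a manual look whatever its password is.
        if acct.name == "FIELD" and acct.enabled:
            findings.append("field-account-enabled")
        if findings:
            report[acct.name] = findings
    return report


def privileged_hits(report, accounts):
    """Names of privileged accounts that appear in the report, sorted."""
    priv = {a.name for a in accounts if a.privileged}
    return sorted(name for name in report if name in priv)


# Constructed sample accounts; none of these come from a real system.
SAMPLE = [
    make_account("SYSTEM", "SYSTEM", privileged=True),
    make_account("FIELD", "FIELD", privileged=True),
    make_account("DECNET", "q7Hx2LmPz0Rk9Tb"),
    make_account("POSTMASTER", ""),
    make_account("MAILER", "DECNET"),
    make_account("JSMITH", "c0rrect-h0rse-77"),
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    for name, findings in result.items():
        print(f"{name:12} {', '.join(findings)}")
    print("privileged accounts at risk:", privileged_hits(result, SAMPLE))
```

A clean result for DECNET here does not clear it: a password the worm has already randomised cannot be found by guessing, so that account still has to be reset by hand.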
Was the hacker behind the worm malevolent? Probably not. If its creator had wanted to, he could have programmed the WANK worm to obliterate NASA's files. It could have razed everything in sight.
In fact, the worm was less infectious than its author appeared to desire. The WANK worm had been instructed to perform several tasks which it didn't execute. Important parts of the worm simply didn't work. McMahon believed this failure to be accidental. For example, his analysis showed the worm was programmed to break into accounts by trying no password, if the account holder had left the password blank. When he disassembled the worm, however, he found that part of the program didn't work properly.
Nonetheless, the fragmented and partly dysfunctional WANK worm was causing a major crisis inside several US government agencies. The thing which really worried John was thinking about what a seasoned DCL programmer with years of VMS experience could do with such a worm. Someone like that could do a lot of malicious damage. And what if the WANK worm was just a dry run for something more serious down the track? It was scary to contemplate.
Even though the WANK worm did not seem to be intentionally evil, the SPAN team faced some tough times. McMahon's analysis turned up yet more alarming aspects to the worm. If it managed to break into the SYSTEM account, a privileged account, it would block all electronic mail deliveries to the system administrator. The SPAN office would not be able to send electronic warnings or advice on how to deal with the worm to systems which had already been seized. This problem was exacerbated by the lack of good information available to the project office on which systems were connected to SPAN. The only way to help people fighting this bushfire was to telephone them, but in many instances the main SPAN office didn't know who to call. The SPAN team could only hope that those administrators who had the phone number of SPAN headquarters pinned up near their computers would call when their computers came under attack.
McMahon's preliminary report outlined how much damage the worm could do in its own right. But it was impossible to measure how much damage human managers would do to their own systems because of the worm.
One frantic computer manager who phoned the SPAN office refused to believe John's analysis that the worm only pretended to erase data. He claimed that the worm had not only attacked his system, it had destroyed it. `He just didn't believe us when we told him that the worm was mostly a set of practical jokes,' McMahon said. `He reinitialised his system.' `Reinitialised' as in started up his system with a clean slate. As in deleted everything on the infected computer—all the NASA staff's data gone. He actually did what the worm only pretended to do.
The sad irony was that the SPAN team never even got a copy of the data from the manager's system. They were never able to confirm that his machine had even been infected.
All afternoon McMahon moved back and forth between answering the ever-ringing SPAN phone and writing up NASA's analysis of the worm. He had posted a cryptic electronic message about the attack across the network, and Kevin Oberman had read it. The message had to be circumspect since no-one knew if the creator of the WANK worm was in fact on the network, watching, waiting. A short time later, McMahon and Oberman were on the phone together—voice—sharing their ideas and cross-checking their analysis.
The situation was discouraging. Even if McMahon and Oberman managed to develop a successful program to kill off the worm, the NASA SPAN team faced another daunting task. Getting the worm-killer out to all the NASA sites was going to be much harder than expected because there was no clear, updated map of the SPAN network. Much of NASA didn't like the idea of a centralised map of the SPAN system. McMahon recalled that, some time before the WANK worm attack, a manager had tried to map the system. His efforts had accidentally tripped so many system alarms that he was quietly taken aside and told not to do it again.
The result was that in instances where the team had phone contact details for managers, the information was often outdated.
`No, he used to work here, but he left over a year ago.'
`No, we don't have a telephone tree of people to ring if something goes wrong with our computers. There are a whole bunch of people in different places here who handle the computers.'
This is what John often heard at the other end of the phone.
The network had grown into a rambling hodgepodge for which there was little central coordination. Worse, a number of computers at different NASA centres across the US had just been tacked onto SPAN without telling the main office at Goddard. People were calling up the ad-hoc crisis centre from computer nodes on the network which didn't even have names. These people had been practising a philosophy known in computer security circles as `security through obscurity'. They figured that if no-one knew their computer system existed—if it didn't have a name, if it wasn't on any list or map of the SPAN network—then it would be protected from hackers and other computer enemies.
McMahon handled a number of phone calls from system managers saying, `There is something strange happening in my system here'. John's most basic question was, `Where is "here"?' And of course if the SPAN office didn't know those computer systems existed, it was a lot harder to warn their managers about the worm. Or tell them how to protect themselves. Or give them a worm-killing program once it was developed. Or help them seal up breached accounts which the worm was feeding back to its creator.
It was such a mess. At times, McMahon sat back and considered who might have created this worm. The thing almost looked as though it had been released before it was finished. Its author or authors seemed to have a good collection of interesting ideas about how to solve problems, but they were never properly completed. The worm included a routine for modifying its attack strategy, but the thing was never fully developed. The worm's code didn't have enough error handling in it to ensure the creature's survival for long periods of time. And the worm didn't send the addresses of the accounts it had successfully breached back to the mailbox along with the password and account name. That was really weird. What use was a password and account name without knowing what computer system to use it on?
On the other hand, maybe the creator had done this deliberately. Maybe he had wanted to show the world just how many computers the worm could successfully penetrate. The worm's mail-back program would do this. However, including the address of each infected site would have made the admins' jobs easier. They could simply have used the GEMPAK collection as a hitlist of infected sites which needed to be de-wormed. The possible theories were endless.
There were some points of brilliance in the worm, some things that McMahon had never considered, which was impressive since he knew a lot about how to break into VMS computers. There was also considerable creativity, but there wasn't any consistency. After the worm incident, various computer security experts would hypothesise that the WANK worm had in fact been written by more than one person. But McMahon maintained his view that it was the work of a single hacker.
It was as if the creator of the worm started to pursue an idea and then got sidetracked or interrupted. Suddenly he just stopped writing code to implement that idea and started down another path, never again to reach the end. The thing had a schizophrenic structure. It was all over the place.
McMahon wondered if the author had done this on purpose, to make it harder to figure out exactly what the worm was capable of doing. Perhaps, he thought, the code had once been nice and linear and it all made sense. Then the author chopped it to pieces, moved the middle to the top, the top to the bottom, scrambled up the chunks and strung them all together with a bunch of `GO TO' commands. Maybe the hacker who wrote the worm was in fact a very elegant DCL programmer who wanted the worm to be chaotic in order to protect it. Security through obscurity.
Oberman maintained a different view. He believed the programming style varied so much in different parts that it had to be the product of a number of people. He knew that when computer programmers write code they don't make lots of odd little changes in style for no particular reason.
Kevin Oberman and John McMahon bounced ideas off one another. Both had developed their own analyses. Oberman also brought Mark Kaletka, who managed internal networking at Fermilab, one of HEPNET's largest sites, into the cross-checking process. The worm had a number of serious vulnerabilities, but the problem was finding one, and quickly, which could be used to wipe it out with minimum impact on the besieged computers.
Whenever a VMS machine starts up an activity, the computer gives it a unique process name. When the worm burrowed into a computer site, one of the first things it did was check that another copy of itself was not already running on that computer. It did this by checking for its own process names. The worm's processes were all called NETW_ followed by a random, four-digit number. If the incoming worm found this process name, it assumed another copy of itself was already running on the computer, so it destroyed itself.
The answer seemed to be a decoy duck. Write a program which pretended to be the worm and install it across all of NASA's vulnerable computers. The first anti-WANK program did just that. It quietly sat on the SPAN computers all day long, posing as a NETW_ process, faking out any real version of the WANK worm which should come along.
Oberman completed an anti-WANK program first and ran it by McMahon. It worked well, but McMahon noticed one large flaw. Oberman's program checked for the NETW_ process name, but it assumed that the worm was running under the SYSTEM group. In most cases, this was true, but it didn't have to be. If the worm was running in another group, Oberman's program would be useless. When McMahon pointed out the flaw, Oberman thought, God, how did I miss that?
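The process-name check and the group-scoping flaw McMahon spotted, as an added Python sketch (not Oberman's or McMahon's DCL, and not code from the book). The `Proc` records, PIDs and group names are constructed; a real check would read the process list from the system itself.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: str
    name: str
    uic_group: str  # group the owning account belongs to


PREFIX = "NETW_"                       # the five characters an arriving copy looks for
WORM_NAME = re.compile(r"NETW_\d{4}")  # per the text: NETW_ plus a random four-digit number
DECOY = "NETW_BLOCK"                   # process name used by the advisory's blocker

# Constructed inventory for illustration; this is not real SHOW SYSTEM output.
SAMPLE = [
    Proc("2040011A", "SWAPPER", "SYSTEM"),
    Proc("2040012C", "NETW_BLOCK", "SYSTEM"),
    Proc("20400131", "NETW_4821", "SYSTEM"),
    Proc("20400145", "NETW_0377", "USERS"),
    Proc("20400150", "NETWORK_MON", "OPS"),
    Proc("20400152", "NETW_TEST", "USERS"),
]


def classify(name):
    """Return 'decoy', 'worm-pattern', 'prefix-only', or None for unrelated names."""
    n = name.strip().upper()
    if not n.startswith(PREFIX):
        return None
    if n == DECOY:
        return "decoy"
    if WORM_NAME.fullmatch(n):
        return "worm-pattern"
    return "prefix-only"  # matches the worm's own prefix test; needs a human look


def scan(procs, groups=None):
    """List NETW_ processes. groups=None covers every group; passing
    {'SYSTEM'} reproduces the narrower check described in the text."""
    wanted = None if groups is None else {g.upper() for g in groups}
    hits = []
    for p in procs:
        verdict = classify(p.name)
        if verdict is None:
            continue
        if wanted is not None and p.uic_group.upper() not in wanted:
            continue
        hits.append((p.pid, p.name, p.uic_group, verdict))
    return hits


def missed_by_group_filter(procs, group="SYSTEM"):
    """Findings a single-group scan never sees."""
    seen = {h[0] for h in scan(procs, {group})}
    return [h for h in scan(procs) if h[0] not in seen]


def decoy_present(procs):
    return any(classify(p.name) == "decoy" for p in procs)


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("found ", hit)
    for hit in missed_by_group_filter(SAMPLE):
        print("missed by SYSTEM-only scan:", hit)
    print("decoy running:", decoy_present(SAMPLE))
```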
McMahon worked up his own version of an anti-WANK program, based on Oberman's program, in preparation for releasing it to NASA.
At the same time, Oberman revised his anti-WANK program for DOE. By Monday night US Eastern Standard Time, Oberman was able to send out an early copy of a vaccine designed to protect computers which hadn't been infected yet, along with an electronic warning about the worm. His first electronic warning, distributed by CIAC, said in part:
The W.COM Worm affecting VAX VMS Systems
October 16, 1989 18:37 PST Number A-2
This is a mean bug to kill and could have done a lot of damage.
Since it notifies (by mail) someone of each successful penetration and leaves a trapdoor (the FIELD account), just killing the bug is not adequate. You must go in and make sure all accounts have passwords and that the passwords are not the same as the account name.
R. Kevin Oberman
Advisory Notice
A worm is attacking NASA's SPAN network via VAX/VMS systems connected to DECnet. It is unclear if the spread of the worm has been checked. It may spread to other systems such as DOE's HEPNET within a few days. VMS system managers should prepare now.
The worm targets VMS machines, and can only be propagated via DECnet. The worm exploits two features of DECnet/VMS in order to propagate itself. The first is the default DECnet account, which is a facility for users who don't have a specific login ID for a machine to have some degree of anonymous access. It uses the default DECnet account to copy itself to a machine, and then uses the `TASK 0' feature of DECnet to invoke the remote copy. It has several other features including a brute force attack.
Once the worm has successfully penetrated your system it will infect .COM files and create new security vulnerabilities. It then seems to broadcast these vulnerabilities to the outside world. It may also damage files as well, either unintentionally or otherwise.
An analysis of the worm appears below and is provided by R. Kevin Oberman of Lawrence Livermore National Laboratory. Included with the analysis is a DCL program that will block the current version of the worm. At least two versions of this worm exist and more may be created. This program should give you enough time to close up obvious security holes. A more thorough DCL program is being written.
If your site could be affected please call CIAC for more details…
Report on the W.COM worm.
R. Kevin Oberman
Engineering Department
Lawrence Livermore National Laboratory
October 16, 1989
The following describes the action of the W.COM worm (currently based on the examination of the first two incarnations). The replication technique causes the code to be modified slightly which indicates the source of the attack and learned information.
All analysis was done with more haste than I care for, but I believe I have all of the basic facts correct. First a description of the program:
1. The program assures that it is working in a directory to which the owner (itself) has full access (Read, Write, Execute, and Delete).
2. The program checks to see if another copy is still running. It looks for a process with the first 5 characters of `NETW_'. If such is found, it deletes itself (the file) and stops its process.
A quick check for infection is to look for a process name starting with `NETW_'. This may be done with a SHOW PROCESS command.
3. The program then changes the default DECNET account password to a random string of at least 12 characters.
4. Information on the password used to access the system is mailed to the user GEMTOP on SPAN node 6.59. Some versions may have a different address.[11]
5. The process changes its name to `NETW_' followed by a random number.
6. It then checks to see if it has SYSNAM priv. If so, it defines the system announcement message to be the banner in the program:
Worms Against Nuclear Killers!
Your System Has Been Officically Wanked.
You talk of times of peace for all, and then prepare for war.
7. If it has SYSPRV, it disables mail to the SYSTEM account.
8. If it has SYSPRV, it modifies the system login command procedure to APPEAR to delete all of a user's file. (It really does nothing.)
9. The program then scans the account's logical name table for command procedures and tries to modify the FIELD account to a known password with login from any source and all privs. This is a primitive virus, but very effective IF it should get into a privileged account.
10. It proceeds to attempt to access other systems by picking node numbers at random. It then uses PHONE to get a list of active users on the remote system. It proceeds to irritate them by using PHONE to ring them.
11. The program then tries to access the RIGHTSLIST file and attempts to access some remote system using the users found and a list of `standard' users included within the worm. It looks for passwords which are the same as that of the account or are blank. It records all such accounts.
12. It looks for an account that has access to SYSUAF.DAT.
13. If a priv. account is found, the program is copied to that account and started. If no priv. account was found, it is copied to other accounts found on the random system.
14. As soon as it finishes with a system, it picks another random system and repeats (forever).
Response:
1. The following program will block the worm. Extract the following code and execute it. It will use minimal resources. It creates a process named NETW_BLOCK which will prevent the worm from running.
Editor's note: This fix will work only with this version of the worm. Mutated worms will require modification of this code; however, this program should prevent the worm from running long enough to secure your system from the worm's attacks.[13]
—-
McMahon's version of an anti-WANK program was also ready to go by late Monday, but he would face delays getting it out to NASA. Working inside NASA was a balancing act, a delicate ballet demanding exquisite choreography between getting the job done, following official procedures and avoiding steps which might tread on senior bureaucrats' toes. It was several days before NASA's anti-WANK program was officially released.
DOE was not without its share of problems in launching the anti-WANK program and advisory across HEPNET. At 5.04 p.m. Pacific Coast Time on 17 October, as Oberman put the final touches on the last paragraph of his final report on the worm, the floor beneath his feet began to shake. The building was trembling. Kevin Oberman was in the middle of the 1989 San Francisco earthquake.
Measuring 7.1 on the Richter scale, the Loma Prieta earthquake ripped through the greater San Francisco area with savage speed. Inside the computer lab, Oberman braced himself for the worst. Once the shaking stopped and he ascertained the computer centre was still standing, he sat back down at his terminal. With the PA blaring warnings for all non-essential personnel to leave the building immediately, Oberman rushed off the last sentence of the report. He paused and then added a postscript saying that if the paragraph didn't make sense, it was because he was a little rattled by the large earthquake which had just hit Lawrence Livermore Labs. He pressed the key, sent out his final anti-WANK report and fled the building.
Back on the east coast, the SPAN office continued to help people calling from NASA sites which had been hit. The list of sites which had reported worm-related problems grew steadily during the week. Official estimates on the scope of the WANK worm attack were vague, but trade journals such as Network World and Computerworld quoted the space agency as suffering only a small number of successful worm invasions, perhaps 60 VMS-based computers. SPAN security manager Ron Tencati estimated only 20 successful worm penetrations in the NASA part of SPAN's network, but another internal estimate put the figure much higher: 250 to 300 machines. Each of those computers might have had 100 or more users. Figures were sketchy, but virtually everyone on the network—all 270000 computer accounts—had been affected by the worm, either because their part of the network had been pulled off-line or because their machines had been harassed by the WANK worm as it tried again and again to login from an infected machine. By the end of the worm attack, the SPAN office had accumulated a list of affected sites which ran over two columns on several computer screens. Each of them had lodged some form of complaint about the worm.
Also by the end of the crisis, NASA and DOE computer network managers had their choice of vaccines, antidotes and blood tests for the WANK worm. McMahon had released ANTIWANK.COM, a program which killed the worm and vaccinated a system against further attacks, and WORM-INFO.TEXT, which provided a list of worm-infestation symptoms. Oberman's program, called [.SECURITY]CHECK_SYSTEM.COM, checked for all the security flaws used by the worm to sneak into a computer system. DEC also had a patch to cover the security hole in the DECNET account.
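As an added illustration (not from the book, and not Oberman's or McMahon's program), the check below audits stored password records for the two weaknesses the advisory says the worm looked for: blank passwords and passwords equal to the account name. The account names, the record layout and the PBKDF2 hashing are assumptions made for the example; VMS stored passwords differently.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the example runs quickly; an assumption, not a recommendation


def make_record(username, password, privileged=False):
    """Build a constructed account record holding a salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt, "hash": digest, "privileged": privileged}


def candidates(username):
    """The guesses described in the advisory: blank, or the same as the account name.

    Case variants are included because the audit should not depend on how the
    name happens to be capitalised in the account database.
    """
    seen = []
    for guess in ("", username, username.lower(), username.upper()):
        if guess not in seen:
            seen.append(guess)
    return seen


def audit(records):
    """Return (user, reason, privileged) for every account with a guessable password.

    Privileged accounts sort first: the advisory notes that the worm preferred
    a privileged account when it found one.
    """
    findings = []
    for rec in records:
        for guess in candidates(rec["user"]):
            digest = hashlib.pbkdf2_hmac("sha256", guess.encode(), rec["salt"], ITERATIONS)
            if hmac.compare_digest(digest, rec["hash"]):
                reason = "blank password" if guess == "" else "password matches account name"
                findings.append((rec["user"], reason, rec["privileged"]))
                break
    findings.sort(key=lambda f: (not f[2], f[0]))
    return findings


# Constructed sample accounts; none of these come from the book or the advisory.
SAMPLE_ACCOUNTS = [
    make_record("ASTRO1", "correct-horse-7-battery"),
    make_record("EDWIN", "edwin"),
    make_record("GUEST", ""),
    make_record("SYSMGR", "SYSMGR", privileged=True),
]

if __name__ == "__main__":
    for user, reason, privileged in audit(SAMPLE_ACCOUNTS):
        level = "PRIVILEGED" if privileged else "user"
        print(f"{user:8} {level:10} {reason}")
```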
Whatever the real number of infected machines, the worm had certainly circumnavigated the globe. It had reached into European sites, such as CERN—formerly known as the European Centre for Nuclear Research—in Switzerland, through to Goddard's computers in Maryland, on to Fermilab in Chicago and propelled itself across the Pacific into the Riken Accelerator Facility in Japan.14
NASA officials told the media they believed the worm had been launched about 4.30 a.m. on Monday, 16 October.15 They also believed it had originated in Europe, possibly in France.
Wednesday, 18 October 1989
Kennedy Space Center, Florida
The five-member Atlantis crew had some bad news on Wednesday morning. The weather forecasters gave the launch site a 40 per cent chance of launch guideline-violating rain and cloud. And then there was the earthquake in California.
The Kennedy Space Center wasn't the only place which had to be in tip-top working order for a launch to go ahead. The launch depended on many sites far away from Florida. These included Edwards Air Force Base in California, where the shuttle was due to land on Monday. They also included other sites, often military bases, which were essential for shuttle tracking and other mission support. One of these sites was a tracking station at Onizuka Air Force Base at Sunnyvale, California. The earthquake which ripped through the Bay area had damaged the tracking station and senior NASA decision-makers planned to meet on Wednesday morning to consider the Sunnyvale situation. Still, the space agency maintained a calm, cool exterior. Regardless of the technical problems, the court challenges and the protesters, the whimsical weather, the natural disasters, and the WANK worm, NASA was still in control of the situation.
`There's been some damage, but we don't know how much. The sense I get is it's fairly positive,' a NASA spokesman told UPI. `But there are some problems.'16 In Washington, Pentagon spokesman Rick Oborn reassured the public again, `They are going to be able to handle shuttle tracking and support for the mission … They will be able to do their job'.17
Atlantis waited, ready to go, at launchpad 39B. The technicians had filled the shuttle up with rocket fuel and it looked as if the weather might hold. It was partly cloudy, but conditions at Kennedy passed muster.
The astronauts boarded the shuttle. Everything was in place.
But while the weather was acceptable in Florida, it was causing some problems in Africa, the site of an emergency landing location. If it wasn't one thing, it was another. NASA ordered a four-minute delay.
Finally at 12.54 p.m., Atlantis boomed from its launchpad. Rising up from the Kennedy Center, streaking a trail of twin flames from its huge solid-fuel boosters, the shuttle reached above the atmosphere and into space.
At 7.15 p.m., exactly 6 hours and 21 minutes after lift-off, Galileo began its solo journey into space. And at 8.15 p.m., Galileo's booster ignited.
Inside shuttle mission control, NASA spokesman Brian Welch announced, `The spacecraft Galileo … has achieved Earth escape velocity'.18
Monday, 30 October 1989
NASA's Goddard Space Flight Center, Greenbelt, Maryland
The week starting 16 October had been a long one for the SPAN team. They were keeping twelve-hour days and dealing with hysterical people all day long. Still, they managed to get copies of anti-WANK out, despite the limitations of the dated SPAN records and the paucity of good logs allowing them to retrace the worm's path. `What we learned that week was just how much data is not collected,' McMahon observed.
By Friday, 20 October, there were no new reports of worm attacks. It looked as though the crisis had passed. Things could be tidied up by the rest of the SPAN team and McMahon returned to his own work.
A week passed. All the while, though, McMahon was on edge. He doubted that someone who had gone to all that trouble of creating the WANK worm would let his baby be exterminated so quickly. The decoy-duck strategy only worked as long as the worm kept the same process name, and as long as it was programmed not to activate itself on systems which were already infected. Change the process name, or teach the worm not to suicide, and the SPAN team would face another, larger problem. John McMahon had an instinct about the worm; it might just be back.
His instinct was right.
The following Monday, McMahon received another phone call from the SPAN project office. When he poked his head in his boss's office, Jerome Bennett looked up from his desk.
`The thing is back,' McMahon told him. There was no need to explain what `the thing' was. `I'm going over to the SPAN office.'
Ron Tencati and Todd Butler had a copy of the new WANK worm ready for McMahon. This version of the worm was far more virulent. It copied itself more effectively and therefore moved through the network much faster. The revised worm's penetration rate was much higher—more than four times greater than the version of WANK released in the first attack. The phone was ringing off the hook again. John took a call from one irate manager who launched into a tirade. `I ran your anti-WANK program, followed your instructions to the letter, and look what happened!'
The worm had changed its process name. It was also designed to hunt down and kill the decoy-duck program. In fact, the SPAN network was going to turn into a rather bloody battlefield. This worm didn't just kill the decoy, it also killed any other copy of the WANK worm. Even if McMahon changed the process name used by his program, the decoy-duck strategy was not going to work any longer.
There were other disturbing improvements to the new version of the WANK worm. Preliminary information suggested it changed the password on any account it got into. This was a problem. But not nearly as big a problem as if the passwords it changed were for the only privileged accounts on the system. The new worm was capable of locking a system manager out of his or her own system.
Prevented from getting into his own account, the computer manager might try borrowing the account of an average user, call him Edwin. Unfortunately, Edwin's account probably only had low-level privileges. Even in the hands of a skilful computer manager, the powers granted to Edwin's account were likely too limited to eradicate the worm from its newly elevated status as computer manager. The manager might spend his whole morning matching wits with the worm from the disadvantaged position of a normal user's account. At some point he would have to make the tough decision of last resort: turn the entire computer system off.
The manager would have to conduct a forced reboot of the machine. Take it down, then bring it back up on minimum configuration. Break back into it. Fix the password which the worm had changed. Logout. Reset some variables. Reboot the machine again. Close up any underlying security holes left behind by the worm. Change any passwords which matched users' names. A cold start of a large VMS machine took time. All the while, the astronomers, physicists and engineers who worked in this NASA office wouldn't be able to work on their computers.
At least the SPAN team was better prepared for the worm this time. They had braced themselves psychologically for a possible return attack. Contact information for the network had been updated. And the general DECNET internet community was aware of the worm and was lending a hand wherever possible.
Help came from a system manager in France, a country which seemed to be of special interest to the worm's author. The manager, Bernard Perrot of Institut de Physique Nucleaire in Orsay, had obtained a copy of the worm, inspected it and took special notice of the creature's poor error checking ability. This was the worm's true Achilles' heel.
The worm was trained to go after the RIGHTSLIST database, the list of all the people who have accounts on the computer. What if someone moved the database by renaming it and put a dummy database in its place? The worm would, in theory, go after the dummy, which could be designed with a hidden bomb. When the worm sniffed out the dummy, and latched onto it, the creature would explode and die. If it worked, the SPAN team would not have to depend on the worm killing itself, as they had during the first invasion. They would have the satisfaction of destroying the thing themselves.
Ron Tencati procured a copy of the French manager's worm-killing program and gave it to McMahon, who set up a sort of mini-laboratory experiment. He cut the worm into pieces and extracted the relevant bits. This allowed him to test the French worm-killing program with little risk of the worm escaping and doing damage. The French program worked wonderfully. Out it went. The second version of the worm was so much more virulent, getting it out of SPAN was going to take considerably longer than the first time around. Finally, almost two weeks after the second onslaught, the WANK worm had been eradicated from SPAN.
By McMahon's estimate, the WANK worm had incurred up to half a million dollars in costs. Most of these were through people wasting time and resources chasing the worm instead of doing their normal jobs. The worm was, in his view, a crime of theft. `People's time and resources had been wasted,' he said. `The theft was not the result of the accident. This was someone who deliberately went out to make a mess.
`In general, I support prosecuting people who think breaking into machines is fun. People like that don't seem to understand what kind of side effects that kind of fooling around has. They think that breaking into a machine and not touching anything doesn't do anything. That is not true. You end up wasting people's time. People are dragged into the office at strange hours. Reports have to be written. A lot of yelling and screaming occurs. You have to deal with law enforcement. These are all side effects of someone going for a joy ride in someone else's system, even if they don't do any damage. Someone has to pay the price.'
McMahon never found out who created the WANK worm. Nor did he ever discover what he intended to prove by releasing it. The creator's motives were never clear and, if it had been politically inspired, no-one took credit.
The WANK worm left a number of unanswered questions in its wake, a number of loose ends which still puzzle John McMahon. Was the hacker behind the worm really protesting against NASA's launch of the plutonium-powered Galileo space probe? Did the use of the word `WANK'—a most un-American word—mean the hacker wasn't American? Why had the creator recreated the worm and released it a second time? Why had no-one, no political or other group, claimed responsibility for the WANK worm?
One of the many details which remained an enigma was contained in the version of the worm used in the second attack. The worm's creator had replaced the original process name, NETW_, with a new one, presumably to thwart the anti-WANK program. McMahon figured the original process name stood for `netwank'—a reasonable guess at the hacker's intended meaning. The new process name, however, left everyone on the SPAN team scratching their heads: it didn't seem to stand for anything. The letters formed an unlikely set of initials for someone's name. No-one recognised it as an acronym for a saying or an organisation. And it certainly wasn't a proper word in the English language. It was a complete mystery why the creator of the WANK worm, the hacker who launched an invasion into hundreds of NASA and DOE computers, should choose this weird word.
The word was `OILZ'.
You talk of times of peace for all; and then prepare for war.
— from `Blossom of Blood', Species Deceases.
It is not surprising the SPAN security team would miss the mark. It is not surprising, for example, that these officials should to this day be pronouncing the `Oilz' version of the WANK worm as `oil zee'. It is also not surprising that they hypothesised the worm's creator chose the word `Oilz' because the modifications made to the last version made it slippery, perhaps even oily.
Likely as not, only an Australian would see the worm's link to the lyrics of Midnight Oil.
This was the world's first worm with a political message, and the second major worm in the history of the worldwide computer networks. It was also the trigger for the creation of FIRST, the Forum of Incident Response and Security Teams.2 FIRST was an international security alliance allowing governments, universities and commercial organisations to share information about computer network security incidents. Yet, NASA and the US Department of Energy were half a world away from finding the creator of the WANK worm. Even as investigators sniffed around electronic trails leading to France, it appears the perpetrator was hiding behind his computer and modem in Australia.
Geographically, Australia is a long way from anywhere. To Americans, it conjures up images of fuzzy marsupials, not computer hackers. American computer security officials, like those at NASA and the US Department of Energy, had other barriers as well. They function in a world of concretes, of appointments made and kept, of real names, business cards and official titles. The computer underground, by contrast, is a veiled world populated by characters slipping in and out of the half-darkness. It is not a place where people use their real names. It is not a place where people give out real personal details.
It is, in fact, not so much a place as a space. It is ephemeral, intangible—a foggy labyrinth of unmapped, winding streets through which one occasionally ascertains the contours of a fellow traveller.
When Ron Tencati, the manager in charge of NASA SPAN security, realised that NASA's computers were being attacked by an intruder, he rang the FBI. The US Federal Bureau of Investigation's Computer Crime Unit fired off a stream of questions. How many computers had been attacked? Where were they? Who was behind the attack? The FBI told Tencati, `keep us informed of the situation'. Like the CIAC team in the Department of Energy, it appears the FBI didn't have much knowledge of VMS, the primary computer operating system used in SPAN.
But the FBI knew enough to realise the worm attack was potentially very serious. The winding electronic trail pointed vaguely to a foreign computer system and, before long, the US Secret Service was involved. Then the French secret service, the Direction de la Surveillance du Territoire, or DST, jumped into the fray.
DST and the FBI began working together on the case. A casual observer with the benefit of hindsight might see different motivations driving the two government agencies. The FBI wanted to catch the perpetrator. The DST wanted to make it clear that the infamous WANK worm attack on the world's most prestigious space agency did not originate in France.
In the best tradition of cloak-and-dagger government agencies, the FBI and DST people established two communication channels—an official channel and an unofficial one. The official channel involved embassies, attachés, formal communiques and interminable delays in getting answers to the simplest questions. The unofficial channel involved a few phone calls and some fast answers.
Ron Tencati had a colleague named Chris on the SPAN network in France, which was the largest user of SPAN in Europe. Chris was involved in more than just science computer networks. He had certain contacts in the French government and seemed to be involved in their computer networks. So, when the FBI needed technical information for its investigation—the kind of information likely to be sanitised by some embassy bureaucrat—one of its agents rang up Ron Tencati. `Ron, ask your friend this,' the FBI would say. And Ron would.
`Chris, the FBI wants to know this,' Tencati would tell his colleague on SPAN France. Then Chris would get the necessary information. He would call Tencati back, saying, `Ron, here is the answer. Now, the DST wants to know that'. And off Ron would go in search of information requested by the DST.
The investigation proceeded in this way, with each helping the other through backdoor channels. But the Americans' investigation was headed toward the inescapable conclusion that the attack on NASA had originated from a French computer. The worm may have simply travelled through the French computer from yet another system, but the French machine appeared to be the sole point of infection for NASA.
The French did not like this outcome. Not one bit. There was no way that the worm had come from France. Ce n'est pas vrai.
Word came back from the French that they were sure the worm had come from the US. Why else would it have been programmed to mail details of all computer accounts it penetrated around the world back to a US machine, the computer known as GEMPAK? Because the author of the worm was an American, of course! Therefore it is not our problem, the French told the Americans. It is your problem.
Most computer security experts know it is standard practice among hackers to create the most tangled trail possible between the hacker and the hacked. It makes it very difficult for people like the FBI to trace who did it. So it would be difficult to draw definite conclusions about the nationality of the hacker from the location of a hacker's information drop-off point—a location the hacker no doubt figured would be investigated by the authorities almost immediately after the worm's release.
Tencati had established the French connection from some computer logs showing NASA under attack very early on Monday, 16 October. The logs were important because they were relatively clear. As the worm had procreated during that day, it had forced computers all over the network to attack each other in ever greater numbers. By 11 a.m. it was almost impossible to tell where any one attack began and the other ended.
Some time after the first attack, DST sent word that certain agents were going to be in Washington DC regarding other matters. They wanted a meeting with the FBI. A representative from the NASA Inspector General's Office would attend the meeting, as would someone from NASA SPAN security.
Tencati was sure he could show the WANK worm attack on NASA originated in France. But he also knew he had to document everything, to have exact answers to every question and counter-argument put forward by the French secret service agents at the FBI meeting. When he developed a timeline of attacks, he found that the GEMPAK machine showed an X.25 network connection, via another system, from a French computer around the same time as the WANK worm attack. He followed the scent and contacted the manager of that system. Would he help Tencati? Mais oui. The machine is at your disposal, Monsieur Tencati.
Tencati had never used an X.25 network before; it had a unique set of commands unlike any other type of computer communications network. He wanted to retrace the steps of the worm, but he needed help. So he called his friend Bob Lyons at DEC to walk him through the process.
What Tencati found startled him. There were traces of the worm on the machine all right, the familiar pattern of login failures as the worm attempted to break into different accounts. But these remnants of the WANK worm were not dated 16 October or any time immediately around then. The logs showed worm-related activity up to two weeks before the attack on NASA. This computer was not just a pass-through machine the worm had used to launch its first attack on NASA. This was the development machine.
Ground zero.
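The reasoning in this passage can be sketched as an added example (not from the book, and not Tencati's actual method): group login failures by source node, flag a source that fails against many different accounts within a short window, then compare each source's first such sweep with the outbreak time NASA gave the media. The log format, node names, window and threshold are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Launch time NASA officials gave the media, per the text (no time zone is stated).
OUTBREAK = datetime(1989, 10, 16, 4, 30)
WINDOW = timedelta(minutes=10)   # assumed sweep window
MIN_DISTINCT_USERS = 4           # assumed threshold for "many different accounts"

# Constructed log lines in a made-up format; these are not real VMS audit records.
LOG_LINES = """
1989-10-03 01:12:00 LOGIN_FAILURE src=NODE_A user=GUEST
1989-10-03 01:12:40 LOGIN_FAILURE src=NODE_A user=EDWIN
1989-10-03 01:13:15 LOGIN_FAILURE src=NODE_A user=ASTRO1
1989-10-03 01:14:02 LOGIN_FAILURE src=NODE_A user=OPS
1989-10-09 14:20:11 LOGIN_FAILURE src=NODE_C user=EDWIN
1989-10-09 14:20:25 LOGIN_FAILURE src=NODE_C user=EDWIN
1989-10-09 14:20:41 LOGIN_FAILURE src=NODE_C user=EDWIN
1989-10-09 14:21:03 LOGIN_FAILURE src=NODE_C user=EDWIN
1989-10-16 05:02:10 LOGIN_FAILURE src=NODE_B user=GUEST
1989-10-16 05:02:31 LOGIN_FAILURE src=NODE_B user=OPS
1989-10-16 05:03:05 LOGIN_FAILURE src=NODE_B user=EDWIN
1989-10-16 05:03:48 LOGIN_FAILURE src=NODE_B user=ASTRO1
1989-10-16 05:04:20 LOGIN_FAILURE src=NODE_B user=PHYS2
1989-10-16 05:05:00 LOGIN_SUCCESS src=NODE_B user=GUEST
1989-10-16 09:00:00 LOGIN_FAILURE src=NODE_D user=GUEST
1989-10-16 11:30:00 LOGIN_FAILURE src=NODE_D user=OPS
1989-10-16 14:45:00 LOGIN_FAILURE src=NODE_D user=EDWIN
1989-10-16 18:10:00 LOGIN_FAILURE src=NODE_D user=ASTRO1
garbled line without fields
"""


def parse(line):
    """Return (timestamp, source, user) for a login-failure line, else None."""
    parts = line.split()
    if len(parts) < 3 or parts[2] != "LOGIN_FAILURE":
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "src" not in fields or "user" not in fields:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, fields["src"], fields["user"]


def find_sweeps(lines):
    """Map each source to the start of its earliest sweep across distinct accounts.

    One user mistyping a password (NODE_C) or failures spread over a whole day
    (NODE_D) never reach the threshold inside a single window.
    """
    by_src = defaultdict(list)
    for line in lines:
        event = parse(line)
        if event:
            by_src[event[1]].append((event[0], event[2]))

    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= MIN_DISTINCT_USERS:
                sweeps[src] = events[start][0]
                break
    return sweeps


def timeline(lines):
    """Return (first_sweep, source, predates_outbreak) rows, earliest first."""
    rows = [(first, src, first < OUTBREAK) for src, first in find_sweeps(lines).items()]
    rows.sort()
    return rows


if __name__ == "__main__":
    for first, src, early in timeline(LOG_LINES.splitlines()):
        note = "predates outbreak" if early else "during outbreak"
        print(f"{first.isoformat()}  {src:7} {note}")
```

A source whose sweep predates the outbreak is a lead to follow up with that system's manager, not proof of origin; as the text notes, a machine may only be a pass-through.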
Tencati went into the meeting with DST at the FBI offices prepared. He knew the accusations the French were going to put forward. When he presented the results of his sleuthwork, the French secret service couldn't refute it, but they dropped their own bombshell. Yes, they told him, you might be able to point to a French system as ground zero for the attack, but our investigations reveal incoming X.25 connections from elsewhere which coincided with the timing of the development of the WANK worm.
The connections came from Australia.
The French had satisfied themselves that it wasn't a French hacker who had created the WANK worm. Ce n'est pas notre problem. At least, it's not our problem any more.
It is here that the trail begins to go cold. Law enforcement and computer security people in the US and Australia had ideas about just who had created the WANK worm. Fingers were pointed, accusations were made, but none stuck. At the end of the day, there was coincidence and innuendo, but not enough evidence to launch a case. Like many Australian hackers, the creator of the WANK worm had emerged from the shadows of the computer underground, stood momentarily in hazy silhouette, and then disappeared again.
The Australian computer underground in the late 1980s was an environment which spawned and shaped the author of the WANK worm. Affordable home computers, such as the Apple IIe and the Commodore 64, made their way into ordinary suburban families. While these computers were not widespread, they were at least in a price range which made them attainable by dedicated computer enthusiasts.
In 1988, the year before the WANK worm attack on NASA, Australia was on an upswing. The country was celebrating its bicentennial. The economy was booming. Trade barriers and old regulatory structures were coming down. Crocodile Dundee had already burst on the world movie scene and was making Australians the flavour of the month in cities like LA and New York. The mood was optimistic. People had a sense they were going places. Australia, a peaceful country of seventeen or so million people, poised on the edge of Asia but with the order of a Western European democracy, was on its way up. Perhaps for the first time, Australians had lost their cultural cringe, a unique type of insecurity alien to can-do cultures such as that found in the US. Exploration and experimentation require confidence and, in 1988, confidence was something Australia had finally attained.
Yet this new-found confidence and optimism did not subdue Australia's tradition of cynicism toward large institutions. The two coexisted, suspended in a strange paradox. Australian humour, deeply rooted in a scepticism of all things serious and sacred, continued to poke fun at upright institutions with a depth of irreverence surprising to many foreigners. This cynicism of large, respected institutions coursed through the newly formed Australian computer underground without dampening its excitement or optimism for the brave new world of computers in the least.
In 1988, the Australian computer underground thrived like a vibrant Asian street bazaar. In that year it was still a realm of place not space. Customers visited their regular stalls, haggled over goods with vendors, bumped into friends and waved across crowded paths to acquaintances. The market was as much a place to socialise as it was to shop. People ducked into tiny coffee houses or corner bars for intimate chats. The latest imported goods, laid out on tables like reams of bright Chinese silks, served as conversation starters. And, like every street market, many of the best items were tucked away, hidden in anticipation of the appearance of that one customer or friend most favoured by the trader. The currency of the underground was not money; it was information. People didn't share and exchange information to accumulate monetary wealth; they did it to win respect—and to buy a thrill.
The members of the Australian computer underground met on bulletin board systems, known as BBSes. Simple things by today's standards, BBSes were often composed of a souped-up Apple II computer, a single modem and a lone telephone line. But they drew people from all walks of life. Teenagers from working-class neighbourhoods and those from the exclusive private schools. University students. People in their twenties groping their way through first jobs. Even some professional people in their thirties and forties who spent weekends poring over computer manuals and building primitive computers in spare rooms. Most regular BBS users were male. Sometimes a user's sister would find her way into the BBS world, often in search of a boyfriend. Mission accomplished, she might disappear from the scene for weeks, perhaps months, presumably until she required another visit.
The BBS users had a few things in common. They were generally of above average intelligence—usually with a strong technical slant—and they were obsessed with their chosen hobby. They had to be. It often took 45 minutes of attack dialling a busy BBS's lone phone line just to visit the computer system for perhaps half an hour. Most serious BBS hobbyists went through this routine several times each day.
As the name suggests, a BBS had what amounted to an electronic version of a normal bulletin board. The owner of the BBS would have divided the board into different areas, as a school teacher crisscrosses coloured ribbon across the surface of a corkboard to divide it into sections. A single BBS might have 30 or more electronic discussion groups.
As a user of the board, you might visit the politics section, tacking up a `note' on your views of ALP or Liberal policies for anyone passing by to read. Alternatively, you might fancy yourself a bit of a poet and work up the courage to post an original piece of work in the Poet's Corner. The corner was often filled with dark, misanthropic works inspired by the miseries of adolescence. Perhaps you preferred to discuss music. On many BBSes you could find postings on virtually any type of music. The most popular groups included bands like Pink Floyd, Tangerine Dream and Midnight Oil. Midnight Oil's anti-establishment message struck a particular chord within the new BBS community.
Nineteen eighty-eight was the golden age of the BBS culture across Australia. It was an age of innocence and community, an open-air bazaar full of vitality and the sharing of ideas. For the most part, people trusted their peers within the community and the BBS operators, who were often revered as demigods. It was a happy place. And, in general, it was a safe place, which is perhaps one reason why its visitors felt secure in their explorations of new ideas. It was a place in which the creator of the WANK worm could sculpt and hone his creative computer skills.
The capital of this spirited new Australian electronic civilisation was Melbourne. It is difficult to say why this southern city became the cultural centre of the BBS world, and its darker side, the Australian computer underground. Maybe the city's history as Australia's intellectual centre created a breeding ground for the many young people who built their systems with little more than curiosity and salvaged computer bits discarded by others. Maybe Melbourne's personality as a city of suburban homebodies and backyard tinkerers produced a culture conducive to BBSes. Or maybe it was just Melbourne's dreary beaches and often miserable weather. As one Melbourne hacker explained it, `What else is there to do here all winter but hibernate inside with your computer and modem?'
In 1988, Melbourne had some 60 to 100 operating BBSes. The numbers are vague because it is difficult to count a collection of moving objects. The amateur nature of the systems, often a jumbled tangle of wires and second-hand electronics parts soldered together in someone's garage, meant that the life of any one system was frequently as short as a teenager's attention span. BBSes popped up, ran for two weeks, and then vanished again.
Some of them operated only during certain hours, say between 10 p.m. and 8 a.m. When the owner went to bed, he or she would plug the home phone line into the BBS and leave it there until morning. Others ran 24 hours a day, but the busiest times were always at night.
Of course it wasn't just intellectual stimulation some users were after. Visitors often sought identity as much as ideas. On an electronic bulletin board, you could create a personality, mould it into shape and make it your own. Age and appearance did not matter. Technical aptitude did. Any spotty, gawky teenage boy could instantly transform himself into a suave, graceful BBS character. The transformation began with the choice of name. In real life, you might be stuck with the name Elliot Dingle—an appellation chosen by your mother to honour a long-dead great uncle. But on a BBS, well, you could be Blade Runner, Ned Kelly or Mad Max. Small wonder that, given the choice, many teenage boys chose to spend their time in the world of the BBS.
Generally, once a user chose a handle, as the on-line names are known, he stuck with it. All his electronic mail came to an account with that name on it. Postings to bulletin boards were signed with it. Others dwelling in the system world knew him by that name and no other. A handle evolved into a name laden with innate meaning, though the personality reflected in it might well have been an alter ego. And so it was that characters like The Wizard, Conan and Iceman came to pass their time on BBSes like the Crystal Palace, Megaworks, The Real Connection and Electric Dreams.
What such visitors valued about the BBS varied greatly. Some wanted to participate in its social life. They wanted to meet people like themselves—bright but geeky or misanthropic people who shared an interest in the finer technical points of computers. Many lived as outcasts in real life, never quite making it into the `normal' groups of friends at school or uni. Though some had started their first jobs, they hadn't managed to shake the daggy awkwardness which pursued them throughout their teen years. On the surface, they were just not the sort of people one asked out to the pub for a cold one after the footy.
But that was all right. In general, they weren't much interested in footy anyway.
Each BBS had its own style. Some were completely legitimate, with their wares—all legal goods—laid out in the open. Others, like The Real Connection, had once housed Australia's earliest hackers but had gone straight. They closed up the hacking parts of the board before the first Commonwealth government hacking laws were enacted in June 1989. Perhaps ten or twelve of Melbourne's BBSes at the time had the secret, smoky flavour of the computer underground. A handful of these were invitation-only boards, places like Greyhawk and The Realm. You couldn't simply ring up the board, create a new account and log in. You had to be invited by the board's owner. Members of the general modeming public need not apply.
The two most important hubs in the Australian underground between 1987 and 1989 were named Pacific Island and Zen. A 23-year-old who called himself Craig Bowen ran both systems from his bedroom.
Also known as Thunderbird1, Bowen started up Pacific Island in 1987 because he wanted a hub for hackers. The fledgling hacking community was dispersed after AHUBBS, possibly Melbourne's earliest hacking board, faded away. Bowen decided to create a home for it, a sort of dark, womb-like cafe bar amid the bustle of the BBS bazaar where Melbourne's hackers could gather and share information.
His bedroom was a simple, boyish place. Built-in cupboards, a bed, a wallpaper design of vintage cars running across one side of the room. A window overlooking the neighbours' leafy suburban yard. A collection of PC magazines with titles like Nibble and Byte. A few volumes on computer programming. VAX/VMS manuals. Not many books, but a handful of science fiction works by Arthur C. Clarke. The Hitchhiker's Guide to the Galaxy. A Chinese-language dictionary used during his high school Mandarin classes, and after, as he continued to study the language on his own while he held down his first job.
The Apple IIe, modem and telephone line rested on the drop-down drawing table and fold-up card table at the foot of his bed. Bowen put his TV next to the computer so he could sit in bed, watch TV and use Pacific Island all at the same time. Later, when he started Zen, it sat next to Pacific Island. It was the perfect set-up.
Pacific Island was hardly fancy by today's standards of Unix Internet machines, but in 1987 it was an impressive computer. PI, pronounced `pie' by the local users, had a 20 megabyte hard drive—gargantuan for a personal computer at the time. Bowen spent about $5000 setting up PI alone. He loved both systems and spent many hours each week nurturing them.
As with most BBSes, there was no charge for computer accounts on PI or Zen. This gentle-faced youth, a half-boy, half-man who would eventually play host on his humble BBS to many of Australia's cleverest computer and telephone hackers, could afford to pay for his computers for two reasons: he lived at home with his mum and dad, and he had a full-time job at Telecom—then the only domestic telephone carrier in Australia.
PI had about 800 computer users, up to 200 of whom were `core' users accessing the system regularly. PI had its own dedicated phone line, separate from the house phone so Bowen's parents wouldn't get upset that the line was always tied up. Later, he put in four additional phone lines for Zen, which had about 2000 users. Using his Telecom training, he installed a number of non-standard, but legal, features in his house. Junction boxes, master switches. Bowen's house was a telecommunications hot-rod.
Bowen had decided early on that if he wanted to keep his job, he had better not do anything illegal when it came to Telecom. However, the Australian national telecommunications carrier was a handy source of technical information. For example, he had an account on a Telecom computer system—for work—from which he could learn about Telecom's exchanges. But he never used that account for hacking. Most respectable hackers followed a similar philosophy. Some had legitimate university computer accounts for their courses, but they kept those accounts clean. A basic rule of the underground, in the words of one hacker, was `Don't foul your own nest'.
PI contained a public section and a private one. The public area was like an old-time pub. Anyone could wander in, plop down at the bar and start up a conversation with a group of locals. Just ring up the system with your modem and type in your details—real name, your chosen handle, phone number and other basic information.
Many BBS users gave false information in order to hide their true identities, and many operators didn't really care. Bowen, however, did. Running a hacker's board carried some risk, even before the federal computer crime laws came into force. Pirated software was illegal. Storing data copied from hacking adventures in foreign computers might also be considered illegal. In an effort to exclude police and media spies, Bowen tried to verify the personal details of every user on PI by ringing them at home or work. Often he was successful. Sometimes he wasn't.