Read Underground: Tales of Hacking, Madness and Obsession from the Electronic Frontier for Free Online Page B

Unix rather than VMS-based computer systems and networks. ‘Because there had been very few security problems over the years with VMS,’ Oberman concluded, ‘they had never brought in anybody who knew about VMS and it wasn’t something they were terribly concerned with at the time.’

    The worm shattered that peaceful confidence in VMS computers. Even as the WANK worm coursed through NASA, it was launching an aggressive attack on DOE’s Fermi National Accelerator Laboratory, near Chicago. It had broken into a number of computer systems there and the Fermilab people were not happy. They called in CIAC, who contacted Oberman with an early morning phone call on 16 October. They wanted him to analyse the WANK worm. They wanted to know how dangerous it was. Most of all, they wanted to know what to do about it.

    The DOE people traced their first contact with the worm back to 14
    October. Further, they hypothesised, the worm had actually been launched the day before, on Friday the 13th. Such an inauspicious day would, in Oberman’s opinion, have been in keeping with the type of humour exhibited by the creator or creators of the worm.

    Oberman began his own analysis of the worm, oblivious to the fact that 3200 kilometres away, on the other side of the continent, his colleague and acquaintance John McMahon was doing exactly the same thing.

    Every time McMahon answered a phone call from an irate NASA system or network manager, he tried to get a copy of the worm from the infected machine. He also asked for the logs from their computer systems. Which computer had the worm come from? Which systems was it attacking from the infected site? In theory, the logs would allow the NASA team to map the worm’s trail. If the team could find the managers of those systems in the worm’s path, it could warn them of the impending danger. It could also alert the people who ran recently infected systems which had become launchpads for new worm attacks.

    This wasn’t always possible. If the worm had taken over a computer and was still running on it, then the manager would only be able to trace the worm backward, not forward. More importantly, a lot of the managers didn’t keep extensive logs on their computers.

    McMahon had always felt it was important to gather lots of information about who was connecting to a computer. In his previous job, he had modified his machines so they collected as much security information as possible about their connections to other computers.

    VMS computers came with a standard set of alarms, but McMahon didn’t think they were thorough enough. The VMS alarms tended to send a message to the computer managers which amounted to, ‘Hi! You just got a network connection from here’. The modified alarm system said, ‘Hi!
    You just got a network connection from here. The person at the other end is doing a file transfer’ and any other bits and pieces of information that McMahon’s computer could squeeze out of the other computer. Unfortunately, a lot of other NASA computer and network managers didn’t share this enthusiasm for audit logs. Many did not keep extensive records of who had been accessing their machines and when, which made the job of chasing the worm much tougher.

    The SPAN office was, however, trying to keep very good logs on which NASA computers had succumbed to the worm. Every time a NASA manager called to report a worm disturbance, one of the team members wrote down the details with paper and pen. The list, outlining the addresses of the affected computers and detailed notations of the degree of infection, would also be recorded on a computer. But handwritten lists were a good safeguard. The worm couldn’t delete sheets of paper.

    When McMahon learned DOE was also under attack, he began checking in with them every three hours or so. The two groups swapped lists of infected computers by telephone because voice, like the handwritten word, was a worm-free medium. ‘It was a kind of archaic