White Knight vs Otto Sync
|On September 2, 1992, 25-year
old Otto Sync (ficticious name) was arrested and charged with unauthorized
use of the Datapak computer network. The infractions had taken place during
November 1992, at the expense of Televerket. At the time, Televerket was
a state-owned company with a monopoly on telecommunications in Sweden. The
person who traced and ordered the arrest of Otto was Televerket's own "white
knight" Pege Gustafsson, a zealous 38-year old security expert climbing
the career ladder.
From December 1991 to February 1993, Otto was doing non-combat service in the French army, "Volontaire Service National en Enterprises", as an engineer working with PLC (computerized process controllers) at a French telecommunications company in Flen, Sweden. After having passed rigorous military tests, and with the help of a master's degree in engineering with credits in applied mathematics and computer science, he was offered the opportunity to perform his civil service in the French company's Swedish branch.
Being a lonely young Frenchman in Flen wasn't much fun; Otto tells us that the town was full of political refugees and the public mood wasn't the best -- the Swedish youths in Flen kept to themselves and saw him as yet another immigrant, and none of the other immigrants were French, but rather Iraquis, Kurds, Somalians and so forth. Additionally, Otto was unfamiliar with a small-town environment, as he had come straight from Lyon -- "Imagine my surprise when I arrived there alone mid December 1991... I've only lived in big cities before, and there is this place, without any bars, pubs or computer shops"(1) . As a result Otto spent most of his time alone in his apartment or in company office. "Flen is so boring I practically lived in the office building -- what else can you do there apart from hacking really?", as he says.
For the above reasons, Otto spent his time engaging in his favorite hobby: hacking. Otto was already a skilled hacker when he arrived in Flen, and as time passed he became even better. He became a regular at Swedens best hacker-BBS at the time: Synchron City. He explored every system he could reach: Televerket's public phone network, AT&T, Internet, and so on. However, none of this is very exciting to an experienced hacker in the long run: the phone network is very easy to trick, and the Internet was mostly full of regular people. Real hackers went for BBS:es on the X.25 network. As Otto wished to stay in touch with his hacker friends, he wanted to access the biggest hacker conference system at the time - QSD . QSD was only accessible through the international X.25 network. In trying to access QSD, he made a fatal mistake: exploring Televerket's Datapak network.
X.25 and Datapak
Datapak is a network which is structurally reminiscent of the Internet -- a packet-switched network, where the users share a few dedicated lines, and pay charges based on the amount of data transmitted on those lines (i.e., per packet). In general, it works in such a way that, using a modem, you call up Datapak through a so-called PAD connected to a 020-number (Swedish 800-number), then dial a number to a computer permanently connected to Datapak. All computers on the Datapak network have datapak numbers in the same way that phones in the public network have phone numbers.
Of course you can also connect straight through Datapak in case you can afford a permanent connection for your computer, a method primarily used by large companies to connect their computer systems. That way, two computers can be permanently connected through Datapak (which would have been very expensive using regular modems) and thus you only have to pay charges for the information actually transmitted. Of course you can also connect through the computer network Datex, which is used by (among other things) ATMs, and it works like any other phone network, except that it's designed for computers.
Datapak is built around the X.25 standard , which describes how computers in the network are to "talk" to each other. Besides X.25, there are many other standards on the network, such as X.28 and X.75 , but as X.25 is the most common standard, the kind of network that Datapak belongs to is generally called an "X.25 network". The international X.25 network is thus made up of a number of interconnected computer networks, e g Datapak, Tymnet (which also manufactured the equipment used in the Swedish Datapak network), SPRINTnet, and so forth. Almost every big phone company in the industrialized world has their own X.25 network.
The international X.25 network has been running since the mid- and late 80's, but the Swedish Datpak network has never been very big. The reason for this is that X.25 was not targeted by the consumer market; X.25 is, as opposed to the common telephone networks, not designed for individuals. X.25 was from the beginning a network for corporations. The large consumer market that was conquered by the academic Internet system, which is based on multiple service providers and competition (as opposed to the X.25 market, which consists of oligopolies and only a few providers), is so fundamentally different that X.25 does not have a chance in this respect. X.25 is today mainly used for establishing logical links between private networks. X.25 is even used for some Internet links.
So, what Otto Sync didn't know, or didn't think of, when he ordered his Datapak subscription, was that Datapak was a small system in a small country, and that a person who tried to manipulate it would immediately be detected by the monitoring systems. The public phone network is quite safe to explore because of all the odd and random calls people make to strange places. A few cases of manipulation instantly disappear in the vast amount of calls, but Datapak was the backyard of a few subscribers. To enter the system was equal to walking around wearing emergency flashers on your head -- your presence was not very discreet. When Otto began scanning Datapak numbers, he finally drew Televerket's attention.
It is worth mentioning that Televerket had increased the monitoring of the Datapak network due to an enormous attack by the British hacker group 8LGM (8-Legged Groovin' Machine, a name taken from an 80's pop group) who had scanned 22,000 datapak number entries and accessed 380 computers all over the country about two years earlier.(2) Otto describes them as "a group of top-notch hackers who released 'exploits' advisories between 1991 and 1994". (Exploits are ready-to-use scripts that were used to get higher privileges, usually root-access, on Unix systems.) A consequence of 8LGM's scans was that all activity on Datapak was now logged and analyzed.
Otto didn't subscribe to Datapak in order to use it -- as a matter of fact, he only subscribed in order to access the technical documentation given to every subscriber, so he could find out how the system worked. That way he learned that you connected to Datapak by dialing 020-910037 and submit your network user identity (NUI). After this you could call as much as you pleased using Datapak, and be charged per sent/recieved information packet at the end of the month . In the Datapak network the NUI is used for customer identification, as opposed to the common phone network where you are identified by your own wall socket and phone number.
But the Datapak manual from Televerket also contained some other interesting things, e. g. this example from page 4:
To connect with a user number, call 020-910037 using a modem. When the modem has answered, you write three dots followed by carriage return: ...<CR> (CR = carriage return, enter). Then write: N123456XYZ123-024037131270<CR>. N tells the computer that user identity and password follow, 123456 is the user number you got when you signed up for the subscription, XYZ123 is your secret password, and the figures after the dash is the host computer adress. (i. e., the computer you want to connect to.)
Further on in the manual, it illustrates how user 123456 changes password from BERTIL to CAESAR. User identity (NUI) 123456 is clearly used as an example.
When Otto considered different ways of accessing Datapak, he came up with the idea of writing a so-called "scanner", which would test different combinations of usernames and passwords.
Scanning is a technique originally developed for the public phone network, and works by systematically calling every possible number in some order, e g 111111, 111112, 111113 and so forth until you get an answer. When a computer answers the call, you make a note of the number and move on to the next. Afterwards you can pick systems from this list of accessible computers and see if you can hack them. Of course you don't do scanning by hand. Just like in the movie War Games, you write a program to test all numbers one by one. Scanning in itself is not illegal -- part of the point of having a telephone is that you have the right to place as many calls as you like, to whomever you like.
Otto's scanner was a bit different. It was not supposed to call any numbers, just scan for user identities and passwords that granted access to the Datapak PAD. Usually a X.25-PAD will only allow you three tries to enter username and password before the line is disconnected, but Otto found out that by connecting to the Datapak password-database you could try three passwords at a time without having the line disconnected. Otto's scanner was a computer program that could test three passwords at a time, get thrown out of the database (without being disconnected from the PAD), reconnect to the database, test three more passwords and so forth. To disconnect / reconnect the phone line would take a lot of time and result in a slow scan, but with the scanner using the password database it was lightning-fast!
When Otto wrote his scanner he needed some number to test the program. By pure chance he entered the obviously stupid combination of user identity 123456 and password 654321, and it worked! (Does anybody besides me come to think of the movie "Spaceballs"? -- only an idiot would use that code on his suitcase.)
User identity 123456 was one of Televerkets own lines, a test line which purpose is yet unknown. It is perfectly possible that user 123456 was simply "left over" by mistake by Televerket.
Otto began using identity 123456 for regular calls to the conference system QSD, which functionally resembles the now very popular IRC, Internet Relay Chat. Apart from the conferences there are also mailboxes for the users. Among the most frequent participants were, for example, SCSI, who has hacked into every X.25 network in the entire world (no overstatement), Sentinel from ex-Yugoslavia, the female hacker Venix from Greece, Seven Up, the sysop at SECTEC (Sector Tectonics, another X.25-bulletin board), and Raol from Italy -- the master of VAX-hacking who was recently arrested for computer intrusion at the Bank of Italia.
This chatting kept going until he, on the night of the 7th of November, was called (on the chat system QSD) by another hacker from Sweden.
The "White Knight "
The hacker that called Otto named himself White Night. The duality of the name is a conscious misspelling of the kind that hackers love. The first conversation between Otto Sync and White Night went thus:(3)
White Night : Hi! Hej! [Hej is Swedish for Hi]
Otto Sync : Hi! Hej! Sorry I'm not Swedish I'm French. Calling from Flen, a #$&% city 120 km from Stockholm.
WN : I see. What are you doing there?
OS : Working as an automation engineer at a French company. And you?
WN : I'm working at Volvo.
OS : Where? I worked at their factory in Olofström some months ago.
WN : DA-verken in Göteborg. [Gothenburg]
Then they began talking tecnicalities, as all hackers do. Otto asks White Night how he manages to handle Swedish characters and they discuss the pros and cons of different terminal programs. White Night then turns the discussion to how he has managed to call QSD -- "Do you know how much it costs?". Otto suggests that they should swap "outdials" -- access codes to computers on public access networks such as Internet, with connected modems allowing you to dial out for free from that computer by accessing it's modem. He also tells the stranger that he often calls Synchron City, and that a lot of "H/P/A" (Hacking, Phreaking, Anarchy -- perfectly legal textfiles describing hacking techniques) can be found there. Strangely, White Night has never heard of Synchron City, and is immediately curious.
For some weeks Otto calls QSD on a regular basis. So on the night of November 29th, the white knight appears again, but he doesn't recognize Otto, as Otto is using another alias this time. Otto has already forgotten about White Night and doesn't recognize him either when he is called. However he can see that White Night is also using identity 123456, and gets a bit suspicious, as he has revealed that identity only to a single other hacker, which we will call Phred. A bit hesitatingly, he starts chatting with the stranger:
WN : Hi.
OS : Phred?
WN : No, but I know him!
OS : I guess so... I know you?
WN : Fun, do I know U?
OS : Maybe, I'm usually Otto Sync here...
WN : Hi Otto, hm hm hm.
OS : Hey, could you tell me who you are... cool!
WN : U speak Swedish?
OS : Very badly. But can't you tell me who u are??? As for me, I'm the one who found the NUI you're using.
WN : Why do U think I use the NUI "you" found?
OS : You can ask Phred if you don't believe me.
WN : Why should I ask Phred?
OS : Because he was the first one to whom I gave the NUI. We talk voice sometimes.
WN : What NUI?
OS : The very obvious one with the very obvious password. And the second one that I see on QSD.
WN : Wow, I haven't spoken to Phred 4 a long time!
The misunderstandings between Otto Sync and White Night is of course due to the fact that White Night is not a hacker. As a matter of fact, he is using Televerket's test line, 123456, from inside Televerket. When Otto claims that he found it, White Night first gets a bit sulky, but then realizes he has to play the game:
OS : The previous [NUI I used] was 159800. Are you from Sweden by the way?
WN : Sweden what.
OS : Just wondering... If you don't want to chat, then why go on QSD?
WN : Of course I want 2 chat. I'm Swede! R U?
OS : Nope I'm French. But I like Televerket, except when they send me bills :)
WN : Do they? Why?
OS : I asked for a NUI some weeks ago to get the technical doc about the PAD... But I won't pay!
When Otto has made these statements, White Night disconnects the line and picks up the papers with the print-out of the conversation from the printer. These papers, most of which contents are cited above, are then used as part of the evidence in the trial against Otto Sync at the Katrineholm Court of Law.
What Otto didn't know when this conversation took place, was that Televerket was busy tracing him. From November 28th to December 1st, the day before the arrest, Televerket registered all telephone traffic from Ottos office at the French telecom company. In order to do this, they had taken some extraordinary measures.
Flen's telephone station was at that time not equipped with the new electronic switching system AXE (Automatic Cross-connection Equipment). Istead, an old electro-mechanical exchange was in use. (It has now been replaced.) If the telephone station had been equipped with AXE, the monitoring would have been a lot easier, since it would simply have been a matter of requesting information from Televerket's information system (IS), which can monitor a number automatically for unlimited time. Present-day Telia (a private corporation which has replaced Televerket after deregulation) even investigated the possibility of having computers examine all calls automatically in order to classify which subscribers that showed "fraudulent patterns" -- but these investigations didn't bear fruit .
When Televerket, under the command of Pege Gustafsson, had traced the "fraudulent" calls to the Datapak number 020-910037, they found that they came from a group number belonging to the company Otto worked for. A group number works by letting a company with an internal exchange connecting some number of telephones, say 500, share a suitably large number of outgoing lines (perhaps 10--20 of them) so that they can minimize the subscription charges. By tracing the group number, nothing was proven, as anyone at the company could have called using the group number. The calls could not be tied to a physical person, which is the kind of evidence required for this type of case.
To make further tracing possible, Telverket installed a reader on the exchange of the company Otto worked for(4) . With the reader, every outgoing call from any extension at the company was registered and printed. This list could then be compared by corresponding list for connections to the Datapak PAD at 020-910037. In this manner, Televerket's technicians found that Otto had called for 41 hours and 20 minutes through Datapak during the week the tracing was carried out, and during that time transmitted information packets for about 4000 Swedish crowns' worth [roughly $570]. (You can call this the total "postage fee" for the information packets.) The low cost thus depended upon the fact that you only pay for the data actually transmitted, not for online time, as in the case of common telephone calls.
All of this tracing was supervised by Pege Gustafsson.
A Night at the Hotel
Otto himself tells us what happened on the morning of December 2:
"They came to arrest me at work. Imagine the embarrassement. First I see these guys coming in my room and think 'oh shit, some more customers who want a demo on some product', but then they showed me their police ID and my heart stopped. They searched my office, took all notes and computer stuff. Then they took me out and had me open my apartment, and did a search there as well."
He was then brought to Katrineholm police station (the police authority closest to Flen) for interrogation. On his way there all sorts of thoughts ran through his head: "What to tell? I thought it was a BBS? I thought it was a free line? Reverse-charging?"
The interrogation begins without the representatives of Televerket as well as Otto's counsel present, but as Otto doesn't understand all the Swedish words (though he knew some, as the company sent him to evening Swedish language classes), the interrogation is postponed until a French interpreter arrives.
When the interpreter arrives, Otto asks for a counsel but agrees to continue the interrogation without the defense present. Neither does he find it necessary to talk to the French embassy. He tells the interrogators that he is in non-combat military service duty at the company in Flen, and that he has considered working for them even after the service is finished. The police and Otto simply get to know each other.
At 14.25 Otto experiences the luckiest moment of his life so far. That is when his counsel arrives, and who by a remarkable coincidence happens to be an extremely professional lawyer with his own firm, who thought the hacker case looked interesting at first glance, and thus took upon himself to defend Otto. This lawyer primarily deals in industrial corporate disputes. Otto tells us about his lawyer that "he was a real pro (I know, as this was the third time I went to court), a very nice man, well educated, and interested in French wines".
The remainder of the interrogation session mostly consists of technical discussions between Pege and Otto Sync. The other people present soon have trouble understanding what is being said. Otto claims that he has been searching for a "reverse charge" number (the X.25 counterpart to a 800-number which are actually quite common) and that he thought NUI 123456 that he got from Televerket's manual to be a "test line" of some kind. He says he is very curious and that is his reason for exploring Televerket's systems. Pege Gustafsson produces his printouts from the chat sessions where he acts as White Night, and confronts Otto with parts of these printouts (the same that are partly reproduced above). Otto, who for the first time gets to know who White Night actually is, reminds the others that anyone can have used his alias on QSD. Pege asks if he has passed around the NUI 123456 to others. "No", he answers.
Today Otto tells us that "Pege tried to have me say that I knew what I was doing and that I hacked the NUI etc. All the way I denied it and said I thought it was public line to be used in reverse-charging mode, and kept that line all the way. Of course Pege could see it was bullshit, he knew pretty well what I was up to. And he was right."
When the interrogation ended at 6 p.m. he was brought to a cell, as it was too late to go to court that day. Otto was instantly impressed by the Swedish custody standard: "In France it's dirty, you get to sleep with drunkards, no food, rough treatment etc. In Katrineholm it was like being at a hotel, I had my own little bed in a neat room. In the morning I was given a breakfast as good as the ones you get on planes -- fantastic! Slept really well there."
The next day he was brought to Katrineholm court, which decided not to keep him in custody. Instead he was given a travel ban, which meant he had to leave his passport and had to report to the Flen police office before noon every day until the start of the trial.
"Dangerous International Terrorist"
What initiated the chain of events that culminated in Televerket finding Otto Sync was the scanning of the Datapak PAD. When Pege found out that someone was scanning the Datapak PAD for user identities, he must have been shocked. This was exactly the thing that had happened two years earlier, and that time they had suspected that this was an act of international terrorism. In reality it proved to be the brothers Pad and Gandalf from 8LGM, two perfectly normal, curious hackers without any connection to international terrorists whatsoever.
As all other computer security officials in Sweden, Pege Gustafsson had read the book The Cuckoo's Egg by Clifford Stoll. In the book Stoll describes how he, using imagination and endless nights of unpaid work, managed to trace a hacker that had entered his system at Berkeley and started searching for military secrets throughout the American part of Internet. The hacker doing this was on mission from the KGB, receiving instructions through the circle around hackers like Pengo and Hagbard in West Berlin -- a bunch of freaked-out, coke-snorting, fuzzy leftist hackers who probably never caused any serious harm. Those last facts are never mentioned in the book, but it is closer to the truth than the image of international computer spies that Stoll conjures up.
So as Otto started scanning the Swedish Datapak network, Pege hit the sirens. The incident was probably associated with other, similar incidents, and was therefore interpreted not as the sum total of some small hacking adventures using simple scanners, but as a systematic pattern of intrusion attempts by some foreign power. Simply pure paranoia.
After closing a ring round Otto in Flen and after conducting a series of tracings, there was also "confirmation" of the suspicions: Otto made several calls to Thailand -- which were interpreted as communications with his mission providers, which could be anyone ranging from the KGB to the IRA. Actually, these calls were made to a long-time friend, and he had the company's permission in calling Thailand every now and then. Every hacker gets to know lots of people around the planet, as the "global village" is their home district.
So what the police and Televerket expected to find, as they turned up at Otto's office on the 2nd of December 1992, was a dangerous international terrorist. They found a 25-year-old socially maladjusted, and bored engineer, who had been amusing himself by exploring the Swedish Datapak network for the lack of anything better to do. Otto describes the situation as \"Pege thought he was the good guy trying to catch the bad guy. He told me himself that he was a fan of Clifford Stoll and that he met him at some security conference some years ago." During the interrogation with Otto, Pege drew maps showing which countries Otto's X.25-connections had accessed -- maps that according to Otto himself looked like "maps from your average international terrorist handbook".
Even though this was clearly stated in the following investigation -- which didn't even mention the suspicion of espionage -- these suspicions about Otto stuck to him long after he left Sweden. When the computer programs that were to control starting lists, time measures and result lists during the Olympic Games in Lillehammer 1994 were stolen from a military storage in the autumn of 1993, the Norweigan police (for some reason) believed that Otto was involved. Expressen (a major Swedish evening paper) called him "the hacker leader", and took the opportunity to draw suspicions to Otto as well as to the company he had worked for in Flen. In between the lines, they hinted that this was a way in which the French military sent spies to Sweden(5) . Personally, he tells us that "I was in Thailand, and at that time didn't have job nor a computer." Thailand is quite far away from Lillehammer.
He is also backed up by SÄPO (Swedish counter-espionage) who through director Jörgen Almblad said that the French volunteer workers in Sweden in general, and Otto Sync in particular, did not pose a security risk. "If they are Frenchmen or Russians doesn't matter, as far as being security risks" he told Expressen. SÄPO are ultimately responsible for the national security and should be well-informed. If they publicly deny any suspicions, you can be certain that they are telling the truth. If they had even the slightest suspicions, they would rather not comment. So much for that terrorist.
Even Pege himself realized that Otto was not what he first thought him to be. In private he told Otto, that if he had known what a small-timer he actually was, he wouldn't have carried the case this far. He even "said he'd like to have a beer with me when all this was over." Today, Otto is doubtful about Pege's competence as a security officer: "I remember he told me he was involved in concerts security as well (rock concerts). Although he was the security officer there, he didn't know too much about Unix security or hacking techniques. In fact he seemed to be ignorant of some basic things about Datapak such as reverse-charging".
Good versus Evil
It appears as though Pege was carried away by the idea of defending Sweden from imaginary terrorists. Just as American counter-espionage was completely disinterested in the practically harmless hacker hunted by Clifford Stoll, SÄPO was as disinterested in the equally harmless hacker hunted by Pege. Otto wasn't even looking for military secrets -- he was considered a threat just because he was so curious.
So, on the 18th of December the, "white knight" from Televerket drags the French dragon to a Swedish court with the help of district prosecutor Christer Pettersson. The trial itself is a farce -- soon it turns out that of all the people present, only Pege and Otto have the technical knowledge required to understand the summons from Televerket. Then the first thing Otto's counsel does as the trial begins, is to throw Pege out of the court room, as no reasons have been given for his presence. The only time that Pege is allowed in the room, is when he is cross-examined by the court. Suddenly Otto himself is the only one that understands what the prosecution is actually about. None of the members of the court have any kind of practical technical knowledge.
"The trial was real fun because no one really knew the subject. Some of the documents I produced during the trial were a bit dodgy, like this e-mail from some guy telling me how to use reverse-charge on Televerket. I also produced a valid list of all Swedish BBS:es, telling the judge that they were 'free access computer systems'. Of course no one had a clue about the difference between a BBS running on a 386SX in a 17-year-old teenager's room and a nationwide X.25 data network."
Otto doesn't think he is guilty of any crime, and is wise enough to use simple descriptions which the court can understand. He doesn't deny using Datapak exactly as much as Televerket claims, and is prepared to pay for it. But he think it's unreasonable that he shall pay the costs of tracing and investigation by Televerket.
Pege is called in only to describe how the tracing of Otto was performed. In all other questions they must refer to the preliminary investigation protocol, a horrible pile of papers containing almost exclusively technical desciptions and different lists of tracings carried out by Pege. Among the "evidence" is Ottos own notes, some of them completely harmless, with detailed technical information about phone numbers etc. to different computer systems all over the world. Without further explanation of what kind of information this is, these cryptic notes are called "hacker notes". There are also a bunch of print-outs of files found on Ottos hard disk.
This material has apparently only been included in the protcol in order to make Otto look "obscure". The print-outs could just as well have been xerox copies of "unsuitable books" from his bookshelf. The only purpose of including this material must have been to throw suspicions on Otto for belonging to a certain subculture.
At some point the court must have grown bored with the fact that Televerket had not been able to present an understandable prosecution. Regardless of whom had lied or told the truth, Ottos claim that he had believed that the calls were for free seemed probable to the court. As the prosecutor could not prove the opposite, the court found for the defendant. Televerket's claim for damages, and the claim that Otto should be forced to leave the country, was also dismissed. Televerket had to pay their own costs for the trial. In short, Televerket lost, and Otto Sync won. This decision was made December 18th 1992, but wasn't made public until January 8th.
Lookin back he says that "although I was guilty like hell and went to court, Televerket lost the case."
All's well that..
Televerket, now named Telia, appealed the sentence in the court of appeals on January 15. As Otto would only be present in Sweden until April 1st, they asked the court of appeals to review the case before then, which was of course a hopeless request.
In September, Otto was back in France, still hacking. Then, one night "White Night" turns up at QSD again. "I started chatting with Pege, who was expecting me show up at appeals court in October", Otto says. The court of appeals probably couldn't have him extradited to Sweden, and in any case he had already booked a ticket to Bangkok for October 4.
The court of appeals considered the case at a hearing October 25th. As Televerket hadn't added something new to their application of summons, and as Otto wasn't available, the court of appeals decided to dismiss the case. Televerket and Pege lost again.
Note: Otto Sync recently left his job as an engineer at a huge, multi-national enterprise in Bangkok. He is currently busy setting up his own Internet-service company. Pege Gustafsson still handles security issues at Telia.
1. All quotes are lifted from e-mail communication with Otto Sync.
2. Ledell, Göran (ed) Dataolyckor -- Har det verkligen hänt någon gång? INFOSEC, Lund 1992
3. Quotes from the conversation are drawn from the court documents.
4. To be technically precise: a DNR -- Dialled Number Recorder.
5. Expressen , Friday February 4th 1994, page 11.
Design and formatting by Daniel Arnrup/Voodoo Systems