Underground by Suelette Dreyfus
- Author: Suelette Dreyfus
- ISBN: 1863305955
Meet SKiMo.
A European living outside Australia, SKiMo has been hacking for at least four years, although he probably only joined the ranks of world-class hackers in 1995 or 1996. Never busted. Young—between the age of 18 and 25—and male. From a less than picture-perfect family. Fluent in English as a second language. Left-leaning in his politics—heading toward environmentally green parties and anarchy rather than traditional labour parties. Smokes a little dope and drinks alcohol, but doesn’t touch the hard stuff.
His musical tastes include early Pink Floyd, Sullen, Dog Eat Dog, Biohazard, old Ice-T, Therapy, Alanis Morissette, Rage Against the Machine, Fear Factory, Life of Agony and Napalm Death. He reads Stephen King, Stephen Hawking, Tom Clancy and Aldous Huxley. And any good books about physics, chemistry or mathematics.
Shy in person, he doesn’t like organised team sports and is not very confident around girls. He has only had one serious girlfriend, but the relationship finished. Now that he hacks and codes about four to five hours per day on average, but sometimes up to 36 hours straight, he doesn’t have time for girls.
`Besides,’ he says, `I am rather picky when it comes to girls. Maybe if the girl shared the same interests … but those ones are hard to find.’ He adds, by way of further explanation, `Girls are different from hacking. You can’t just brute force them if all else fails.’
SKiMo has never intentionally damaged a computer system, nor would he. Indeed, when I asked him, he was almost offended by the question. However, he has accidentally done damage on a few occasions. In at least one case, he returned to the system and fixed the problem himself.
Bored out of his mind for most of his school career, SKiMo spent a great deal of time reading books in class—openly. He wanted to send the teacher a message without actually jacking up in class.
He got into hacking after reading a magazine article about people who hacked answering machines and VMBs. At that time, he had no idea what a VMB was, but he learned fast. One Sunday evening, he sat down with his phone and began scanning. Soon he was into phreaking, and visiting English-speaking party lines. Somehow, he always felt more comfortable speaking in English, to native English-speakers, perhaps because he felt a little like an outsider in his own culture.
`I have always had the thought to leave my country as soon as I can,’ he said.
From the phreaking, it was a short jump into hacking.
What made him want to hack or phreak in the first place? Maybe it was the desire to screw over the universally hated phone company, or `possibly the sheer lust for power’ or then again, maybe he was simply answering his desire `to explore an intricate piece of technology’. Today, however, he is a little clearer on why he continues to hack. `My first and foremost motivation is to learn,’ he said.
When asked why he doesn’t visit his local university or library to satisfy that desire, he answered, `in books, you only learn theory. It is not that I dislike the theory but computer security in real life is much different from theory’. Libraries also have trouble keeping pace with the rate of technological change, SKiMo said. `Possibly, it is also just the satisfaction of knowing that what I learn is proprietary—is “inside knowledge”,’ he added. There could, he said, be some truth in the statement that he likes learning in an adrenalin-inducing environment.
Is he addicted to computers? SKiMo says no, but the indications are there. By his own estimate, he has hacked between 3000 and 10000 computers in total. His parents—who have no idea what their son was up to day and night on his computer—worry about his behaviour. They pulled the plug on his machine many times. In SKiMo’s own words, `they tried everything to keep me away from it’.
Not surprisingly, they failed. SKiMo became a master at hiding his equipment so they couldn’t sneak in and take it away. Finally, when he got sick of battling them over it and he was old enough, he put his foot down. `I basically told them, “Diz is ma fuckin’ life and none o’ yer business, Nemo”—but not in those words.’
SKiMo says he hasn’t suffered from any mental illnesses or instabilities—except perhaps paranoia. But he says that paranoia is justified in his case. In two separate incidents in 1996, he believed he was being followed. Try as he might, he couldn’t shake the tails for quite some time. Perhaps it was just a coincidence, but he can never really be sure.
He described one hacking attack to me to illustrate his current interests. He managed to get inside the internal network of a German mobile phone network provider, DeTeMobil (Deutsche Telekom). A former state-owned enterprise which was transformed into a publicly listed corporation in January 1995, Deutsche Telekom is the largest telecommunications company in Europe and ranks number three in the world as a network operator. It employs almost a quarter of a million people. By revenue, which totalled about $A37 billion in 1995, it is one of the five largest companies in Germany.
After carefully researching and probing a site, SKiMo unearthed a method of capturing the encryption keys generated for DeTeMobil’s mobile phone conversations.
He explained: `The keys are not fixed, in the sense that they are generated once and then stored in some database. Rather, a key is generated for each phone conversation by the company’s AUC [authentication centre], using the “Ki” and a random value generated by the AUC. The Ki is the secret key that is securely stored on the smart card [inside the cellphone], and a copy is also stored in the AUC. When the AUC “tells” the cellphone the key for that particular conversation, the information passes through the company’s MSC [mobile switching centre].
`It is possible to eavesdrop on a certain cellphone if one actively monitors either the handovers or the connection set-up messages from the OMC [operations and maintenance centre] or if one knows the Ki in the smart card.
`Both options are entirely possible. The first option, which relies on knowing the A5 encryption key, requires the right equipment. The second option, using the Ki, means you have to know the A3/A8 algorithms as well or the Ki is useless. These algorithms can be obtained by hacking the switch manufacturer, i.e. Siemens, Alcatel, Motorola …
`As a call is made from the target cellphone, you need to feed the A5 key into a cellphone which has been modified to let it eavesdrop on the channel used by the cellphone. Normally, this eavesdropping will only produce static—since the conversation is encrypted. However, with the keys and equipment, you can decode the conversation.’
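The exchange SKiMo describes above, modelled end to end as an added example (this is not code from the book, from SKiMo or from DeTeMobil). The real A3/A8 are operator secrets, which is exactly why he says the Ki is useless without them; the stand-in here is an HMAC-SHA256 split into a 32-bit SRES and a 64-bit Kc, labelled as an assumption, so the numbers are illustrative. What the model does reproduce is the key flow: Ki stays inside the SIM and the AUC, the AUC hands the MSC only (RAND, SRES, Kc) triplets, and the MSC forwards Kc to the base station subsystem, which is the copy a link monitor on the MSC side can read. The IMSI and Ki are constructed test values.

```python
"""GSM authentication and per-call key agreement, modelled end to end.

Added example, not code from the book. a3_a8_stand_in is an ASSUMPTION:
the real A3/A8 are operator-specific and are not reproduced here. Only
the structure of the exchange is faithful to GSM.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

TEST_KI = bytes.fromhex("0123456789abcdef0123456789abcdef")  # CONSTRUCTED Ki
TEST_IMSI = "262011234567890"                                  # CONSTRUCTED IMSI


def a3_a8_stand_in(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for A3 (-> SRES) and A8 (-> Kc); real output sizes are kept."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # SRES: 32 bits, Kc: 64 bits


class SIM:
    """Smart card: holds Ki, answers a RAND with (SRES, Kc), never exports Ki."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8_stand_in(self._ki, rand)


class AuC:
    """Authentication centre: the operator's copy of every subscriber Ki."""

    def __init__(self, ki_db: Dict[str, bytes]) -> None:
        self._ki_db = ki_db

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
        rand = rand or os.urandom(16)  # 128-bit challenge, fresh for every use
        sres, kc = a3_a8_stand_in(self._ki_db[imsi], rand)
        return rand, sres, kc


class MSC:
    """Switching centre: checks SRES, ships Kc towards the radio side, never sees Ki."""

    def __init__(self, auc: AuC) -> None:
        self._auc = auc
        self.a_interface_log: List[Dict[str, object]] = []  # what a link monitor sees

    def set_up_call(self, sim: SIM, rand: Optional[bytes] = None) -> Optional[bytes]:
        rand, expected_sres, kc = self._auc.triplet(sim.imsi, rand)
        sres, _ = sim.run_gsm_algorithm(rand)  # AUTHENTICATION REQUEST / RESPONSE
        if not hmac.compare_digest(sres, expected_sres):
            return None  # AUTHENTICATION REJECT: wrong Ki on the card
        # CIPHER MODE COMMAND and HANDOVER REQUEST carry Kc to the BSS in clear.
        self.a_interface_log.append({"imsi": sim.imsi, "rand": rand.hex(), "kc": kc.hex()})
        return kc


if __name__ == "__main__":
    msc = MSC(AuC({TEST_IMSI: TEST_KI}))
    print("genuine SIM:", msc.set_up_call(SIM(TEST_IMSI, TEST_KI)))
    print("cloned SIM, wrong Ki:", msc.set_up_call(SIM(TEST_IMSI, bytes(16))))
    print("seen on the A interface:", msc.a_interface_log)
```

Two things fall out of running it: a card with the wrong Ki never gets a key, because SRES will not match, and every successful call leaves a fresh Kc in the MSC-side log even though Ki itself never travelled anywhere.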
This is one of the handover messages, logged with a CCITT7 link monitor, that he saw:
13:54:46"3 4Rx< SCCP 12-2-09-1 12-2-04-0 13 CR
BSSM HOREQ
BSSMAP GSM 08.08 Rev 3.9.2 (BSSM) HaNDover REQuest (HOREQ)
-------0 Discrimination bit D BSSMAP
0000000- Filler
00101011 Message Length 43
00010000 Message Type 0x10
Channel Type
00001011 IE Name Channel type
00000011 IE Length 3
00000001 Speech/Data Indicator Speech
00001000 Channel Rate/Type Full rate TCH channel Bm
00000001 Speech Encoding Algorithm GSM speech algorithm Ver 1
Encryption Information
00001010 IE Name Encryption information
00001001 IE Length 9
00000010 Algorithm ID GSM user data encryption V. 1
Encryption Key C9 7F 45 7E 29 8E 08 00
Classmark Information Type 2
00010010 IE Name Classmark information type 2
00000010 IE Length 2
-----001 RF power capability Class 2, portable
---00--- Encryption algorithm Algorithm A5
000----- Revision level
-----000 Frequency capability Band number 0
----1--- SM capability present
-000---- Spare
0------- Extension
Cell Identifier
00000101 IE Name Cell identifier
00000101 IE Length 5
00000001 Cell ID discriminator LAC/CI used to ident cell
LAC 4611 CI 3000
PRIority
00000110 IE Name Priority
00000001 IE Length 1
-------0 Preemption allowed ind not allowed
------0- Queueing allowed ind not allowed
--0011-- Priority level 3
00------ Spare
Circuit Identity Code
00000001 IE Name Circuit identity code
00000000 PCM Multiplex a-h 0
---11110 Timeslot in use 30
101----- PCM Multiplex i-k 5
Downlink DTX flag
00011001 IE Name Downlink DTX flag
-------1 DTX in downlink direction disabled
0000000- Spare
Cell Identifier
00000101 IE Name Cell identifier
00000101 IE Length 5
00000001 Cell ID discriminator LAC/CI used to ident cell
LAC 4868 CI 3200
The beauty of a digital mobile phone, as opposed to the analogue mobile phones still used by some people in Australia, is that a conversation is reasonably secure from eavesdroppers on the radio path. If I call you on my digital mobile, the speech between each handset and its base station is encrypted with the A5 algorithm under a key generated for that call. That protection covers the air interface only: once the call reaches the operator's own network, the traffic and the per-call key travel in clear, which is why a handover request logged on a signalling link shows the key in full, as above. The carrier has copies of the Kis and, in some countries, the government can access these copies. They are, however, closely guarded secrets.
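Reading a decode like the one above by hand is error-prone, so here is an added example (not code from the book, from SKiMo or from DeTeMobil) that rebuilds that same HANDOVER REQUEST as bytes and parses it programmatically. The byte string is constructed from the field values in the dump, and its 43-byte body matches the Message Length the monitor reported, which is a useful cross-check that the reconstruction is right. Field layouts follow GSM 08.08; the IE table covers only the elements present in this message and is an assumption beyond that. The parser handles the two IE shapes 08.08 uses, length-prefixed and fixed-length, and refuses truncated or unknown input instead of guessing.

```python
"""Decode a GSM 08.08 (BSSMAP) HANDOVER REQUEST and pull out the cipher key.

Added example, not code from the book. HOREQ is CONSTRUCTED by hand from the
link-monitor decode printed in the text; IE_FORMATS lists only the IEs that
message contains (ASSUMPTION: other 08.08 IEs are rejected, not parsed).
"""
import struct
from typing import Dict, List, Tuple, Union

HOREQ = bytes.fromhex(
    "00"                             # discrimination octet: bit D = 0, BSSMAP
    "2b"                             # message length 43
    "10"                             # message type 0x10 HANDOVER REQUEST
    "0b03" "010801"                  # Channel Type: speech, full-rate TCH Bm, GSM v1
    "0a09" "02" "c97f457e298e0800"   # Encryption Information: A5/1 permitted, Kc
    "1202" "0108"                    # Classmark Information Type 2
    "0505" "01" "1203" "0bb8"        # Cell Identifier (serving): LAC 4611, CI 3000
    "0601" "0c"                      # Priority: level 3, no pre-emption, no queueing
    "01" "00be"                      # Circuit Identity Code: multiplex 5, timeslot 30
    "19" "01"                        # Downlink DTX flag: disabled
    "0505" "01" "1304" "0c80"        # Cell Identifier (target): LAC 4868, CI 3200
)

HANDOVER_REQUEST = 0x10
# IE id -> (name, "tlv" for length-prefixed, or the fixed value length in octets)
IE_FORMATS: Dict[int, Tuple[str, Union[str, int]]] = {
    0x0B: ("Channel Type", "tlv"),
    0x0A: ("Encryption Information", "tlv"),
    0x12: ("Classmark Information Type 2", "tlv"),
    0x05: ("Cell Identifier", "tlv"),
    0x06: ("Priority", "tlv"),
    0x01: ("Circuit Identity Code", 2),
    0x19: ("Downlink DTX Flag", 1),
}


def split_ies(pdu: bytes) -> List[Tuple[str, bytes]]:
    """Walk the BSSMAP body and return (IE name, value octets) in wire order."""
    if len(pdu) < 3 or pdu[0] & 0x01:
        raise ValueError("not a BSSMAP PDU")
    body = pdu[2:2 + pdu[1]]
    if len(body) != pdu[1]:
        raise ValueError("truncated PDU: length octet says %d" % pdu[1])
    if body[0] != HANDOVER_REQUEST:
        raise ValueError("not a HANDOVER REQUEST: type 0x%02x" % body[0])
    ies, pos = [], 1
    while pos < len(body):
        if body[pos] not in IE_FORMATS:
            raise ValueError("unknown IE 0x%02x at offset %d" % (body[pos], pos))
        name, fmt = IE_FORMATS[body[pos]]
        if fmt == "tlv":
            if pos + 1 >= len(body):
                raise ValueError("truncated IE %s" % name)
            vlen, start = body[pos + 1], pos + 2
        else:
            vlen, start = fmt, pos + 1
        value = body[start:start + vlen]
        if len(value) != vlen:
            raise ValueError("truncated IE %s" % name)
        ies.append((name, value))
        pos = start + vlen
    return ies


def decode_cell_id(value: bytes) -> Tuple[int, int]:
    """Cell Identifier, discriminator 1: 16-bit LAC followed by 16-bit CI."""
    if value[0] != 0x01:
        raise ValueError("unsupported cell id discriminator %d" % value[0])
    return struct.unpack(">HH", value[1:5])


def decode_handover_request(pdu: bytes) -> Dict[str, object]:
    """Flatten the IEs into the fields an analyst cares about."""
    out: Dict[str, object] = {}
    cells: List[Tuple[int, int]] = []
    for name, value in split_ies(pdu):
        if name == "Encryption Information":
            # Octet 1 is a bitmap: bit 1 = no ciphering allowed, bit n = A5/(n-1).
            out["no_ciphering_allowed"] = bool(value[0] & 0x01)
            out["permitted_a5"] = [i for i in range(1, 8) if (value[0] >> i) & 1]
            out["kc"] = value[1:9].hex()  # the per-call key, in clear on the wire
        elif name == "Cell Identifier":
            cells.append(decode_cell_id(value))
        elif name == "Priority":
            out["priority_level"] = (value[0] >> 2) & 0x0F
        elif name == "Circuit Identity Code":
            out["pcm_multiplex"] = (value[0] << 3) | (value[1] >> 5)
            out["timeslot"] = value[1] & 0x1F
    if len(cells) != 2:
        raise ValueError("expected serving and target cell, got %d" % len(cells))
    out["serving_cell"], out["target_cell"] = cells  # order fixed by 08.08
    return out


if __name__ == "__main__":
    for field, val in decode_handover_request(HOREQ).items():
        print("%-22s %s" % (field, val))
```

Pointing this at a capture rather than the constructed bytes is a one-line change, and the result is the same thing SKiMo was looking at: the key for the call, plus which cells it is moving between, all on a link that never sees a cipher.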
SKiMo had access to the database of the encrypted Kis and access to some of the unencrypted Kis themselves. At the time, he never went to the trouble of gathering enough information about the A3 and A8 algorithms to decrypt the full database, though it would have been easy to do so. However, he has now obtained that information.
To SKiMo, access to the keys generated for each of thousands of German mobile phone conversations was simply a curiosity—and a trophy. He didn’t have the expensive equipment required to eavesdrop. To an intelligence agency, however, access could be very valuable, particularly if some of those phones belonged to people such as politicians. Even more valuable would be ongoing access to the OMC, or better still, the MSC. SKiMo said he would not provide this to any intelligence agency.
While inside DeTeMobil, SKiMo also learned how to interpret some of the mapping and signal-strength data. The result? If one of the company’s customers has his mobile turned on, SKiMo says he can pinpoint the customer’s geographic location to within one kilometre. The customer doesn’t even have to be talking on the mobile. All he has to do is have the phone turned on, waiting to receive calls.
SKiMo tracked one customer for an afternoon, as the man travelled across Germany, then called the customer up. It turned out they spoke the same European language.
`Why are you driving from Hamburg to Bremen with your phone on stand-by mode?’ SKiMo asked.
The customer freaked out. How did this stranger at the end of the phone know where he had been travelling?
SKiMo said he was from Greenpeace. `Don’t drive around so much. It creates pollution,’ he told the bewildered mobile customer. Then he told the customer about the importance of conserving energy and how prolonged use of mobile phones affected certain parts of one’s brain.
Originally, SKiMo broke into the mobile phone carriers’ network because he wanted `to go completely cellular’—a transition which he hoped would make him both mobile and much harder to trace. Being able to eavesdrop on other people’s calls— including those of the police—was going to be a bonus.
However, as he pursued this project, he discovered that the code from a mobile phone manufacturer which he needed to study was `a multi-lingual project’. `I don’t know whether you have ever seen a multi-lingual project,’ SKiMo says, `where nobody defines a common language that all programmers must use for their comments and function names? They look horrible. They are no fun to read.’ Part of this one was in Finnish.
SKiMo says he has hacked a number of major vendors and, in several cases, has had access to their products’ source codes.
Has he had the access to install backdoors in primary source code for major vendors? Yes. Has he done it? He says no. On the other hand, I asked him