File: ottoen.htm

<HTML>
<HEAD>
<TITLE>
White Knight vs Otto Sync
</TITLE>
</HEAD>
<BODY BGCOLOR="#c9e1fc" BACKGROUND="background.gif" LINK="#666666" ALINK="#ff0000" VLINK="#999999" LEFTMARGIN=24 TOPMARGIN=18>
<CENTER>
  <p><font size="+2" face="Times New Roman, Times, serif"><b>Appendix<br>
    </b></font><font size="+2" face="Times New Roman, Times, serif"><b>White 
    Knight vs Otto Sync</b></font></p>
</CENTER>
<table width="620" border="0" align="center">
  <tr>
    <td><font face="Times New Roman, Times, serif"><b>On September 2, 1992, 25-year-old 
      Otto Sync (fictitious name) was arrested and charged with unauthorized 
      use of the Datapak computer network. The infractions had taken place during 
      November 1992, at the expense of Televerket. At the time, Televerket was 
      a state-owned company with a monopoly on telecommunications in Sweden. The 
      person who traced and ordered the arrest of Otto was Televerket's own &quot;white 
      knight&quot; Pege Gustafsson, a zealous 38-year-old security expert climbing 
      the career ladder.</b></font> <font face="Times New Roman, Times, serif"><br>
      <br>
      </font> <font face="Times New Roman, Times, serif">From December 1991 to 
      February 1993, Otto was doing non-combat service in the French army, &quot;Volontaire 
      Service National en Enterprises&quot;, as an engineer working with PLC (computerized 
      process controllers) at a French telecommunications company in Flen, Sweden. 
      After having passed rigorous military tests, and with the help of a master's 
      degree in engineering with credits in applied mathematics and computer science, 
      he was offered the opportunity to perform his civil service in the French 
      company's Swedish branch.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Being a lonely young 
      Frenchman in Flen wasn't much fun; Otto tells us that the town was full 
      of political refugees and the public mood wasn't the best -- the Swedish 
      youths in Flen kept to themselves and saw him as yet another immigrant, 
      and none of the other immigrants were French, but rather Iraqis, Kurds, 
      Somalians and so forth. Additionally, Otto was unfamiliar with a small-town 
      environment, as he had come straight from Lyon -- &quot;Imagine my surprise 
      when I arrived there alone mid December 1991... I've only lived in big cities 
      before, and there is this place, without any bars, pubs or computer shops&quot;<sup><a href="#FTNT1">(1)</a></sup></font> 
      <font face="Times New Roman, Times, serif">. As a result, Otto spent most 
      of his time alone in his apartment or in the company office. &quot;Flen is so 
      boring I practically lived in the office building -- what else can you do 
      there apart from hacking really?&quot;, as he says.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">For the above reasons, 
      Otto spent his time engaging in his favorite hobby: hacking. Otto was already 
      a skilled hacker when he arrived in Flen, and as time passed he became even 
      better. He became a regular at Sweden's best hacker BBS at the time: Synchron 
      City. He explored every system he could reach: Televerket's public phone 
      network, AT&amp;T, Internet, and so on. However, none of this is very exciting 
      to an experienced hacker in the long run: the phone network is very easy 
      to trick, and the Internet was mostly full of regular people. Real hackers 
      went for BBSes on the X.25 network. As Otto wished to stay in touch with 
      his hacker friends, he wanted to access the biggest hacker conference system 
      at the time - </font> <font face="Times New Roman, Times, serif"><i>QSD</i></font> 
      <font face="Times New Roman, Times, serif">. QSD was only accessible through 
      the international X.25 network. In trying to access QSD, he made a fatal 
      mistake: exploring Televerket's Datapak network.<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif"><b>X.25 and Datapak</b></font> 
      <font face="Times New Roman, Times, serif"><br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Datapak is a network 
      which is structurally reminiscent of the Internet -- a packet-switched network, 
      where the users share a few dedicated lines, and pay charges based on the 
      amount of data transmitted on those lines (i.e., per packet). In general, 
      it works in such a way that, using a modem, you call up Datapak through 
      a so-called </font> <font face="Times New Roman, Times, serif"><i>PAD</i></font> 
      <font face="Times New Roman, Times, serif"> connected to a 020-number (Swedish 
      800-number), then dial a number to a computer permanently connected to Datapak. 
      All computers on the Datapak network have datapak numbers in the same way 
      that phones in the public network have phone numbers.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Of course you can also 
      connect straight through Datapak in case you can afford a permanent connection 
      for your computer, a method primarily used by large companies to connect 
      their computer systems. That way, two computers can be permanently connected 
      through Datapak (which would have been very expensive using regular modems) 
      and thus you only have to pay charges for the information actually transmitted. 
      Of course you can also connect through the computer network Datex, which 
      is used by (among other things) ATMs, and it works like any other phone 
      network, except that it's designed for computers.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Datapak is built around 
      the X.25 standard, which describes how computers in the network are to 
      &quot;talk&quot; to each other. Besides X.25, there are many other standards 
      on the network, such as X.28 and X.75</font> <font face="Times New Roman, Times, serif">, 
      but as X.25 is the most common standard, the kind of network that Datapak 
      belongs to is generally called an &quot;X.25 network&quot;. The international 
      X.25 network is thus made up of a number of interconnected computer networks, 
      e.g. Datapak, Tymnet (which also manufactured the equipment used in 
      the Swedish Datapak network), SPRINTnet, and so forth. Almost every big 
      phone company in the industrialized world has their own X.25 network.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">The international X.25 
      network has been running since the mid- and late 80's, but the Swedish Datapak 
      network has never been very big. The reason for this is that X.25 was not 
      targeted at the consumer market; X.25 is, as opposed to the common telephone 
      networks, not designed for individuals. X.25 was from the beginning a network 
      for corporations. The large consumer market that was conquered by the academic 
      Internet system, which is based on multiple service providers and competition 
      (as opposed to the X.25 market, which consists of oligopolies and only a 
      few providers), is so fundamentally different that X.25 does not have a 
      chance in this respect. X.25 is today mainly used for establishing logical 
      links between private networks. X.25 is even used for some Internet links.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">So, what Otto Sync didn't 
      know, or didn't think of, when he ordered his Datapak subscription, was 
      that Datapak was a small system in a small country, and that a person who 
      tried to manipulate it would immediately be detected by the monitoring systems. 
      The public phone network is quite safe to explore because of all the odd 
      and random calls people make to strange places. A few cases of manipulation 
      instantly disappear in the vast amount of calls, but </font> <font face="Times New Roman, Times, serif"><i>Datapak</i></font> 
      <font face="Times New Roman, Times, serif"> was the backyard of a few subscribers. 
      To enter the system was equal to walking around wearing emergency flashers 
      on your head -- your presence was not very discreet. When Otto began scanning 
      Datapak numbers, he finally drew Televerket's attention.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">It is worth mentioning 
      that Televerket had increased the monitoring of the Datapak network due 
      to an enormous attack by the British hacker group 8LGM (8-Legged Groovin' 
      Machine, a name taken from an 80's pop group) who had scanned 22,000 datapak 
      number entries and accessed 380 computers all over the country about two 
      years earlier.<sup><a href="#FTNT2">(2)</a></sup></font> <font face="Times New Roman, Times, serif"> 
      Otto describes them as &quot;a group of top-notch hackers who released 'exploits' 
      advisories between 1991 and 1994&quot;. (Exploits are ready-to-use scripts 
      that were used to get higher privileges, usually root-access, on Unix systems.) 
      A consequence of 8LGM's scans was that all activity on Datapak was now logged 
      and analyzed.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Otto didn't subscribe 
      to Datapak in order to use it -- as a matter of fact, he only subscribed 
      in order to access the technical documentation given to every subscriber, 
      so he could find out how the system worked. That way he learned that you 
      connected to Datapak by dialing 020-910037 and submitting your network user 
      identity (NUI). After this you could call as much as you pleased using Datapak, 
      and be charged per sent/received information packet at the end of the month. 
      In the Datapak network the NUI is used for customer identification, as 
      opposed to the common phone network where you are identified by your own 
      wall socket and phone number.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">But the Datapak manual 
      from Televerket also contained some other interesting things, e.g. 
      this example from page 4:</font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif">To connect with a user 
      number, call 020-910037 using a modem. When the modem has answered, you 
      write three dots followed by carriage return: ...&lt;CR&gt; (CR = carriage 
      return, enter). Then write: N123456XYZ123-024037131270&lt;CR&gt;. N tells 
      the computer that user identity and password follow, 123456 is the user 
      number you got when you signed up for the subscription, XYZ123 is your secret 
      password, and the figures after the dash are the host computer address (i.e., 
      the computer you want to connect to).<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif">Further on in the manual, 
      it illustrates how user 123456 changes password from BERTIL to CAESAR. User 
      identity (NUI) 123456 is clearly used as an example.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">When Otto considered 
      different ways of accessing Datapak, he came up with the idea of writing 
      a so-called &quot;scanner&quot;, which would test different combinations 
      of usernames and passwords.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Scanning is a technique 
      originally developed for the public phone network, and works by systematically 
      calling every possible number in some order, e.g. 111111, 111112, 111113 
      and so forth until you get an answer. When a computer answers the call, 
      you make a note of the number and move on to the next. Afterwards you can 
      pick systems from this list of accessible computers and see if you can hack 
      them. Of course you don't do scanning by hand. Just like in the movie War 
      Games, you write a program to test all numbers one by one. Scanning in itself 
      is not illegal -- part of the point of having a telephone is that you have 
      the right to place as many calls as you like, to whomever you like.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Otto's scanner was a 
      bit different. It was not supposed to call any numbers, just scan for user 
      identities and passwords that granted access to the Datapak PAD. Usually 
      an X.25 PAD will only allow you three tries to enter username and password 
      before the line is disconnected, but Otto found out that by connecting to 
      the Datapak password-database you could try three passwords at a time without 
      having the line disconnected. Otto's scanner was a computer program that 
      could test three passwords at a time, get thrown out of the database (without 
      being disconnected from the PAD), reconnect to the database, test three 
      more passwords and so forth. To disconnect / reconnect the phone line would 
      take a lot of time and result in a slow scan, but with the scanner using 
      the password database it was lightning-fast!<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">When Otto wrote his scanner 
      he needed some number to test the program. By pure chance he entered the 
      obviously stupid combination of user identity 123456 and password 654321, 
      and it worked! (Does anybody besides me come to think of the movie &quot;Spaceballs&quot;? 
      -- only an idiot would use that code on his suitcase.)<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">User identity 123456 
      was one of Televerket's own lines, a test line whose purpose is still unknown. 
      It is perfectly possible that user 123456 was simply &quot;left over&quot; 
      by mistake by Televerket.<br>
      <br>
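The two weaknesses described above, shown from the operator's side as an added Python example that is not part of the original text: a three-try limit enforced per database connection never trips, while the same events counted per call stand out at once, and a credential check rejects the manual's example values and passwords derived from the NUI. The log format, field names and function names are hypothetical; the NUI 123456 and the passwords XYZ123, BERTIL, CAESAR and 654321 come from the text.

```python
from collections import Counter
from dataclasses import dataclass

MAX_TRIES = 3                                       # tries allowed per connection, per the text
MANUAL_NUIS = {"123456"}                            # NUI printed as an example in the manual
MANUAL_PASSWORDS = {"XYZ123", "BERTIL", "CAESAR"}   # passwords printed in the manual

# Constructed sample log in a hypothetical format: one dial-in ("call") can hold
# several connections ("sess") to the password database.
SAMPLE_LOG = """\
call=A sess=1 nui=100001 result=FAIL
call=A sess=1 nui=100002 result=FAIL
call=A sess=1 nui=100003 result=FAIL
call=A sess=2 nui=100004 result=FAIL
call=A sess=2 nui=100005 result=FAIL
call=A sess=2 nui=100006 result=FAIL
call=A sess=3 nui=100007 result=FAIL
call=A sess=3 nui=100008 result=FAIL
call=A sess=3 nui=100009 result=FAIL
call=B sess=1 nui=200500 result=FAIL
call=B sess=1 nui=200500 result=OK
"""


@dataclass(frozen=True)
class AuthEvent:
    call: str   # identifier of the dial-in to the PAD
    sess: int   # connection number to the password database within that call
    nui: str    # network user identity that was tried
    ok: bool    # True if the password was accepted


def parse_log(text):
    """Turn 'key=value' log lines into AuthEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(part.split("=", 1) for part in line.split())
        events.append(AuthEvent(f["call"], int(f["sess"]), f["nui"], f["result"] == "OK"))
    return events


def failure_counts(events, key):
    """Count failed attempts grouped by whatever key(event) returns."""
    counts = Counter()
    for ev in events:
        if not ev.ok:
            counts[key(ev)] += 1
    return counts


def sessions_over_limit(events):
    """What a per-connection limit sees: each reconnect starts from zero."""
    counts = failure_counts(events, lambda e: (e.call, e.sess))
    return sorted(k for k, n in counts.items() if n > MAX_TRIES)


def calls_over_limit(events):
    """The same events counted per call, so reconnecting does not reset the count."""
    counts = failure_counts(events, lambda e: e.call)
    return sorted(k for k, n in counts.items() if n > MAX_TRIES)


def distinct_nuis_failed(events, call):
    """Number of different identities that failed on one call (guessing across accounts)."""
    return len({e.nui for e in events if e.call == call and not e.ok})


def weak_credential_reasons(nui, password):
    """Reasons to reject a credential when it is provisioned or changed."""
    reasons = []
    if nui in MANUAL_NUIS:
        reasons.append("nui-in-manual")
    if password.upper() in MANUAL_PASSWORDS:
        reasons.append("password-in-manual")
    if password in (nui, nui[::-1]):
        reasons.append("password-derived-from-nui")
    return reasons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("flagged by per-connection limit:", sessions_over_limit(evs))
    print("flagged by per-call limit:      ", calls_over_limit(evs))
    print("distinct NUIs failed on call A: ", distinct_nuis_failed(evs, "A"))
    print("123456/654321:", weak_credential_reasons("123456", "654321"))
```
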
      </font> <font face="Times New Roman, Times, serif">Otto began using identity 
      123456 for regular calls to the conference system QSD, which functionally 
      resembles the now very popular IRC, Internet Relay Chat. Apart from the 
      conferences there are also mailboxes for the users. Among the most frequent 
      participants were, for example, SCSI, who has hacked into every X.25 network 
      in the entire world (no overstatement), Sentinel from ex-Yugoslavia, the 
      female hacker Venix from Greece, Seven Up, the sysop at SECTEC (Sector Tectonics, 
      another X.25-bulletin board), and Raol from Italy -- the master of VAX-hacking 
      who was recently arrested for computer intrusion at the Bank of Italia.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">This chatting kept going 
      until he, on the night of the 7th of November, was called (on the chat system 
      QSD) by another hacker from Sweden.<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif"><b>The &quot;White Knight</b></font> 
      <font face="Times New Roman, Times, serif">&quot;<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">The hacker that called 
      Otto called himself White Night. The duality of the name is a conscious misspelling 
      of the kind that hackers love. The first conversation between Otto Sync 
      and White Night went thus:<sup><a href="#FTNT3">(3)</a></sup></font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif"><b>White Night</b></font> 
      <font face="Times New Roman, Times, serif">: Hi! Hej! [Hej is Swedish for 
      Hi]<br>
      </font> <font face="Times New Roman, Times, serif"><b>Otto Sync</b></font> 
      <font face="Times New Roman, Times, serif">: Hi! Hej! Sorry I'm not Swedish 
      I'm French. Calling from Flen, a #$&amp;% city 120 km from Stockholm.<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      I see. What are you doing there?<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      Working as an automation engineer at a French company. And you?<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      I'm working at Volvo.<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      Where? I worked at their factory in Olofstr&#246;m some months ago.<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      DA-verken in G&#246;teborg. [Gothenburg]<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif">Then they began talking 
      technicalities, as all hackers do. Otto asks White Night how he manages to 
      handle Swedish characters and they discuss the pros and cons of different 
      terminal programs. White Night then turns the discussion to how he has managed 
      to call QSD -- &quot;Do you know how much it costs?&quot;. Otto suggests 
      that they should swap &quot;outdials&quot; -- access codes to computers 
      on public access networks such as the Internet, with connected modems allowing 
      you to dial out for free from that computer by accessing its modem. He 
      also tells the stranger that he often calls Synchron City, and that a lot 
      of &quot;H/P/A&quot; (Hacking, Phreaking, Anarchy -- perfectly legal textfiles 
      describing hacking techniques) can be found there. Strangely, White Night 
      has never heard of Synchron City, and is immediately curious.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">For some weeks Otto calls 
      QSD on a regular basis. Then, on the night of November 29th, the white knight 
      appears again, but he doesn't recognize Otto, as Otto is using another alias 
      this time. Otto has already forgotten about White Night and doesn't recognize 
      him either when he is called. However he can see that White Night is also 
      using identity 123456, and gets a bit suspicious, as he has revealed that 
      identity only to a single other hacker, which we will call Phred. A bit 
      hesitantly, he starts chatting with the stranger:<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      Hi.<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      Phred?<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      No, but I know him!<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      I guess so... I know you?<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      Fun, do I know U?<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      Maybe, I'm usually Otto Sync here...<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      Hi Otto, hm hm hm.<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      Hey, could you tell me who you are... cool!<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      U speak Swedish?<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      Very badly. But can't you tell me who u are??? As for me, I'm the one who 
      found the NUI you're using.<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      Why do U think I use the NUI &quot;you&quot; found?<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      You can ask Phred if you don't believe me.<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      Why should I ask Phred?<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      Because he was the first one to whom I gave the NUI. We talk voice sometimes.<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      What NUI?<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      The very obvious one with the very obvious password. And the second one 
      that I see on QSD.<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      Wow, I haven't spoken to Phred 4 a long time!<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif">The misunderstandings 
      between Otto Sync and White Night are of course due to the fact that White 
      Night is not a hacker. As a matter of fact, he is using Televerket's test 
      line, 123456, </font> <font face="Times New Roman, Times, serif"><i>from 
      inside</i></font> <font face="Times New Roman, Times, serif"> Televerket. 
      When Otto claims that he found it, White Night first gets a bit sulky, but 
      then realizes he has to play the game:<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      The previous [NUI I used] was 159800. Are you from Sweden by the way?<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      Sweden what.<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      Just wondering... If you don't want to chat, then why go on QSD?<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      Of course I want 2 chat. I'm Swede! R U?<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      Nope I'm French. But I like Televerket, except when they send me bills :)<br>
      </font> <font face="Times New Roman, Times, serif"><b>WN</b></font> <font face="Times New Roman, Times, serif">: 
      Do they? Why?<br>
      </font> <font face="Times New Roman, Times, serif"><b>OS</b></font> <font face="Times New Roman, Times, serif">: 
      I asked for a NUI some weeks ago to get the technical doc about the PAD... 
      But I won't pay!<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif">When Otto has made these 
      statements, White Night disconnects the line and picks up the papers with 
      the print-out of the conversation from the printer. These papers, most of 
      whose contents are cited above, are then used as part of the evidence in 
      the trial against Otto Sync at the Katrineholm Court of Law.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">What Otto didn't know 
      when this conversation took place, was that Televerket was busy tracing 
      him. From November 28th to December 1st, the day before the arrest, Televerket 
      registered all telephone traffic from Otto's office at the French telecom 
      company. In order to do this, they had taken some extraordinary measures.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Flen's telephone station 
      was at that time not equipped with the new electronic switching system AXE 
      (Automatic Cross-connection Equipment). Instead, an old electro-mechanical 
      exchange was in use. (It has now been replaced.) </font> <font face="Times New Roman, Times, serif"><i>If</i></font> 
      <font face="Times New Roman, Times, serif"> the telephone station had been 
      equipped with AXE, the monitoring would have been a lot easier, since it 
      would simply have been a matter of requesting information from Televerket's 
      information system (IS), which can monitor a number automatically for unlimited 
      time. Present-day Telia (a private corporation which has replaced Televerket 
      after deregulation) even investigated the possibility of having computers 
      examine all calls automatically in order to identify which subscribers 
      showed &quot;fraudulent patterns&quot; -- but these investigations didn't 
      bear fruit</font> <font face="Times New Roman, Times, serif">.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">When Televerket, under 
      the command of Pege Gustafsson, had traced the &quot;fraudulent&quot; calls 
      to the Datapak number 020-910037, they found that they came from a group 
      number belonging to the company Otto worked for. A group number works by 
      letting a company with an internal exchange connecting some number of telephones, 
      say 500, share a suitably large number of outgoing lines (perhaps 10--20 
      of them) so that they can minimize the subscription charges. By tracing 
      the group number, nothing was proven, as anyone at the company could have 
      called using the group number. The calls could not be tied to a physical 
      person, which is the kind of evidence required for this type of case.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">To make further tracing 
      possible, Televerket installed a reader on the exchange of the company Otto 
      worked for<sup><a href="#FTNT4">(4)</a></sup></font> <font face="Times New Roman, Times, serif">. 
      With the reader, every outgoing call from any extension at the company was 
      registered and printed. This list could then be compared with the corresponding 
      list for connections to the Datapak PAD at 020-910037. In this manner, Televerket's 
      technicians found that Otto had called for 41 hours and 20 minutes through 
      Datapak during the week the tracing was carried out, and during that time 
      transmitted information packets for about 4000 Swedish crowns' worth [roughly 
      $570]. (You can call this the total &quot;postage fee&quot; for the information 
      packets.) The low cost thus depended upon the fact that you only pay for 
      the data actually transmitted, not for online time, as in the case of common 
      telephone calls.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">All of this tracing was 
      supervised by Pege Gustafsson.<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif"><b>A Night at the Hotel</b></font> 
      <font face="Times New Roman, Times, serif"><br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Otto himself tells us 
      what happened on the morning of December 2:<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">&quot;They came to arrest 
      me at work. Imagine the embarrassment. First I see these guys coming in 
      my room and think 'oh shit, some more customers who want a demo on some 
      product', but then they showed me their police ID and my heart stopped. 
      They searched my office, took all notes and computer stuff. Then they took 
      me out and had me open my apartment, and did a search there as well.&quot;<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">He was then brought to 
      Katrineholm police station (the police authority closest to Flen) for interrogation. 
      On his way there all sorts of thoughts ran through his head: &quot;What 
      to tell? I thought it was a BBS? I thought it was a free line? Reverse-charging?&quot;<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">The interrogation begins 
      without either the representatives of Televerket or Otto's counsel present, 
      but as Otto doesn't understand all the Swedish words (though he knew some, 
      as the company sent him to evening Swedish language classes), the interrogation 
      is postponed until a French interpreter arrives.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">When the interpreter 
      arrives, Otto asks for counsel but agrees to continue the interrogation 
      without the defense present. Nor does he find it necessary to talk to 
      the French embassy. He tells the interrogators that he is doing non-combat 
      military service at the company in Flen, and that he has considered 
      working for them even after the service is finished. The police and Otto 
      simply get to know each other.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">At 14.25 Otto experiences 
      the luckiest moment of his life so far. That is when his counsel arrives, 
      who by a remarkable coincidence happens to be an extremely professional 
      lawyer with his own firm, who thought the hacker case looked interesting 
      at first glance and thus took it upon himself to defend Otto. This lawyer 
      primarily deals in industrial corporate disputes. Otto says of his 
      lawyer that &quot;he was a real pro (I know, as this was the third time 
      I went to court), a very nice man, well educated, and interested in French 
      wines&quot;.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">The remainder of the 
      interrogation session mostly consists of technical discussions between Pege 
      and Otto Sync. The other people present soon have trouble understanding 
      what is being said. Otto claims that he has been searching for a &quot;reverse 
      charge&quot; number (the X.25 counterpart to an 800 number; these are actually 
      quite common) and that he thought NUI 123456, which he got from Televerket's 
      manual, was a &quot;test line&quot; of some kind. He says he is very curious 
      and that this is his reason for exploring Televerket's systems. Pege Gustafsson 
      produces his printouts from the chat sessions where he acts as White Night, 
      and confronts Otto with parts of these printouts (the same that are partly 
      reproduced above). Otto, who for the first time gets to know who White Night 
      actually is, reminds the others that anyone could have used his alias on QSD. 
      Pege asks if he has passed around the NUI 123456 to others. &quot;No&quot;, 
      he answers.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Today Otto tells us that 
      &quot;Pege tried to have me say that I knew what I was doing and that I 
      hacked the NUI etc. All the way I denied it and said I thought it was public 
      line to be used in reverse-charging mode, and kept that line all the way. 
      Of course Pege could see it was bullshit, he knew pretty well what I was 
      up to. And he was right.&quot;<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">When the interrogation 
      ended at 6 p.m. he was brought to a cell, as it was too late to go to court 
      that day. Otto was instantly impressed by the Swedish custody standard: 
      &quot;In France it's dirty, you get to sleep with drunkards, no food, rough 
      treatment etc. In Katrineholm it was like being at a hotel, I had my own 
      little bed in a neat room. In the morning I was given a breakfast as good 
      as the ones you get on planes -- fantastic! Slept really well there.&quot;<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">The next day he was brought 
      to Katrineholm court, which decided not to keep him in custody. Instead 
      he was given a travel ban, which meant he had to leave his passport and 
      had to report to the Flen police office before noon every day until the 
      start of the trial.<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif"><b>&quot;Dangerous International 
      Terrorist&quot;</b></font> <font face="Times New Roman, Times, serif"><br>
      <br>
      </font> <font face="Times New Roman, Times, serif">What initiated the chain 
      of events that culminated in Televerket finding Otto Sync was the scanning 
      of the Datapak PAD. When Pege found out that someone was scanning the Datapak 
      PAD for user identities, he must have been shocked. This was exactly the 
      thing that had happened two years earlier, and that time they had suspected 
      that this was an act of international terrorism. In reality it proved to 
      be the brothers Pad and Gandalf from 8LGM, two perfectly normal, curious 
      hackers without any connection to international terrorists whatsoever.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Like all other computer 
      security officials in Sweden, Pege Gustafsson had read the book </font> 
      <font face="Times New Roman, Times, serif"><i>The Cuckoo's Egg</i></font> 
      <font face="Times New Roman, Times, serif"> by Clifford Stoll. In the book 
      Stoll describes how he, using imagination and endless nights of unpaid work, 
      managed to trace a hacker who had entered his system at Berkeley and started 
      searching for military secrets throughout the American part of the Internet. 
      The hacker doing this was on a mission from the KGB, receiving instructions 
      through the circle around hackers like Pengo and Hagbard in West Berlin 
      -- a bunch of freaked-out, coke-snorting, fuzzy leftist hackers who probably 
      never caused any serious harm. Those last facts are never mentioned in the 
      book, but they are closer to the truth than the image of international computer 
      spies that Stoll conjures up.</font> <font face="Times New Roman, Times, serif"><br>
      <br>
      </font> <font face="Times New Roman, Times, serif">So as Otto started scanning 
      the Swedish Datapak network, Pege hit the sirens. The incident was probably 
      associated with other, similar incidents, and was therefore interpreted 
      not as the sum total of some small hacking adventures using simple scanners, 
      but as a systematic pattern of intrusion attempts by some foreign power. 
      Simply pure paranoia.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">After closing a ring 
      round Otto in Flen and after conducting a series of tracings, there was 
      also &quot;confirmation&quot; of the suspicions: Otto made several calls 
      to Thailand -- which were interpreted as communications with his mission 
      providers, which could be anyone ranging from the KGB to the IRA. Actually, 
      these calls were made to a long-time friend, and he had the company's permission 
      to call Thailand every now and then. Every hacker gets to know lots of 
      people around the planet, as the &quot;global village&quot; is their home 
      district.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">So what the police and 
      Televerket expected to find, as they turned up at Otto's office on the 2nd 
      of December 1992, was a dangerous international terrorist. They found a 
      25-year-old, socially maladjusted and bored engineer, who had been amusing 
      himself by exploring the Swedish Datapak network for lack of anything 
      better to do. Otto describes the situation: &quot;Pege thought he was 
      the good guy trying to catch the bad guy. He told me himself that he was 
      a fan of Clifford Stoll and that he met him at some security conference 
      some years ago.&quot; During the interrogation with Otto, Pege drew maps 
      showing which countries Otto's X.25-connections had accessed -- maps that 
      according to Otto himself looked like &quot;maps from your average international 
      terrorist handbook&quot;.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Even though this was 
      clearly stated in the following investigation -- which didn't even mention 
      the suspicion of espionage -- these suspicions about Otto stuck to him long 
      after he left Sweden. When the computer programs that were to control starting 
      lists, time measures and result lists during the Olympic Games in Lillehammer 
      in 1994 were stolen from a military storage facility in the autumn of 1993, the Norwegian 
      police (for some reason) believed that Otto was involved. Expressen (a major 
      Swedish evening paper) called him &quot;the hacker leader&quot;, and took 
      the opportunity to draw suspicions to Otto as well as to the company he 
      had worked for in Flen. In between the lines, they hinted that this was 
      a way in which the French military sent spies to Sweden<sup><a href="#FTNT5">(5)</a></sup></font> 
      <font face="Times New Roman, Times, serif">. Personally, he tells us that 
      &quot;I was in Thailand, and at that time didn't have job nor a computer.&quot; 
      Thailand is quite far away from Lillehammer.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">He is also backed up 
      by S&#196;PO (Swedish counter-espionage) who through director J&#246;rgen 
      Almblad said that the French volunteer workers in Sweden in general, and 
      Otto Sync in particular, did not pose a security risk. &quot;If they are 
      Frenchmen or Russians doesn't matter, as far as being security risks&quot; 
      he told Expressen. S&#196;PO are ultimately responsible for the national 
      security and should be well-informed. If they publicly deny any suspicions, 
      you can be certain that they are telling the truth. If they had even the 
      slightest suspicions, they would rather not comment. So much for that terrorist.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Even Pege himself realized 
      that Otto was not what he first thought him to be. In private he told Otto, 
      that if he had known what a small-timer he actually was, he wouldn't have 
      carried the case this far. He even &quot;said he'd like to have a beer with 
      me when all this was over.&quot; Today, Otto is doubtful about Pege's competence 
      as a security officer: &quot;I remember he told me he was involved in concerts 
      security as well (rock concerts). Although he was the security officer there, 
      he didn't know too much about Unix security or hacking techniques. In fact 
      he seemed to be ignorant of some basic things about Datapak such as reverse-charging&quot;.<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif"><b>Good versus Evil</b></font> 
      <font face="Times New Roman, Times, serif"><br>
      <br>
      </font> <font face="Times New Roman, Times, serif">It appears as though 
      Pege was carried away by the idea of defending Sweden from imaginary terrorists. 
      Just as American counter-espionage was completely disinterested in the practically 
      harmless hacker hunted by Clifford Stoll, S&#196;PO was as disinterested 
      in the equally harmless hacker hunted by Pege. Otto wasn't even looking 
      for military secrets -- he was considered a threat just because he was so 
      curious.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">So, on the 18th of December, 
      the &quot;white knight&quot; from Televerket drags the French dragon to 
      a Swedish court with the help of district prosecutor Christer Pettersson. 
      The trial itself is a farce -- soon it turns out that of all the people 
      present, only Pege and Otto have the technical knowledge required to understand 
      the summons from Televerket. Then the first thing Otto's counsel does as 
      the trial begins is to throw Pege out of the court room, as no reasons 
      have been given for his presence. The only time that Pege is allowed in 
      the room is when he is cross-examined by the court. Suddenly Otto himself 
      is the only one who understands what the prosecution is actually about. 
      None of the members of the court have any kind of practical technical knowledge.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">&quot;The trial was real 
      fun because no one really knew the subject. Some of the documents I produced 
      during the trial were a bit dodgy, like this e-mail from some guy telling 
      me how to use reverse-charge on Televerket. I also produced a valid list 
      of all Swedish BBS:es, telling the judge that they were 'free access computer 
      systems'. Of course no one had a clue about the difference between a BBS 
      running on a 386SX in a 17-year-old teenager's room and a nationwide X.25 
      data network.&quot;<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Otto doesn't think he 
      is guilty of any crime, and is wise enough to use simple descriptions which 
      the court can understand. He doesn't deny using Datapak exactly as much 
      as Televerket claims, and is prepared to pay for it. But he thinks it's unreasonable 
      that he should pay the costs of tracing and investigation by Televerket.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Pege is called in only 
      to describe how the tracing of Otto was performed. In all other questions 
      they must refer to the preliminary investigation protocol, a horrible pile 
      of papers containing almost exclusively technical descriptions and different 
      lists of tracings carried out by Pege. Among the &quot;evidence&quot; are 
      Otto's own notes, some of them completely harmless, with detailed technical 
      information about phone numbers etc. to different computer systems all over 
      the world. Without further explanation of what kind of information this 
      is, these cryptic notes are called &quot;hacker notes&quot;. There are also 
      a bunch of print-outs of files found on Otto's hard disk.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">This material has apparently 
      only been included in the protocol in order to make Otto look &quot;obscure&quot;. 
      The print-outs could just as well have been xerox copies of &quot;unsuitable 
      books&quot; from his bookshelf. The only purpose of including this material 
      must have been to cast suspicion on Otto for belonging to a certain subculture.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">At some point the court 
      must have grown bored with the fact that Televerket had not been able to 
      present an understandable prosecution. Regardless of who had lied or told 
      the truth, Otto's claim that he had believed that the calls were free 
      seemed probable to the court. As the prosecutor could not prove the opposite, 
      the court found for the defendant. Televerket's claim for damages, and the 
      claim that Otto should be forced to leave the country, were also dismissed. 
      Televerket had to pay their own costs for the trial. In short, Televerket 
      lost, and Otto Sync won. This decision was made December 18th 1992, but 
      wasn't made public until January 8th.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Looking back, he says that 
      &quot;although I was guilty like hell and went to court, Televerket lost 
      the case.&quot;<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif"><b>All's well that..</b></font> 
      <font face="Times New Roman, Times, serif"><br>
      <br>
      </font> <font face="Times New Roman, Times, serif">Televerket, now named 
      Telia, appealed the ruling to the court of appeals on January 15. As Otto 
      would only be present in Sweden until April 1st, they asked the court of 
      appeals to review the case before then, which was of course a hopeless request.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">In September, Otto was 
      back in France, still hacking. Then, one night &quot;White Night&quot; turns 
      up at QSD again. &quot;I started chatting with Pege, who was expecting me 
      to show up at appeals court in October&quot;, Otto says. The court of appeals 
      probably couldn't have him extradited to Sweden, and in any case he had 
      already booked a ticket to Bangkok for October 4.<br>
      <br>
      </font> <font face="Times New Roman, Times, serif">The court of appeals 
      considered the case at a hearing on October 25th. As Televerket hadn't added 
      anything new to their application for a summons, and as Otto wasn't available, 
      the court of appeals decided to dismiss the case. Televerket and Pege lost 
      again.<br>
      </font> <font face="Times New Roman, Times, serif"><br>
      </font> <font face="Times New Roman, Times, serif">Note: Otto Sync recently 
      left his job as an engineer at a huge, multi-national enterprise in Bangkok. 
      He is currently busy setting up his own Internet-service company. Pege Gustafsson 
      still handles security issues at Telia.</font> <font face="Times New Roman, Times, serif"><br>
      </font> 
      <hr>
      <font face="Times New Roman, Times, serif" color="#666666"><a name="FTNT1"></a> 
      1. </font> <font face="Times New Roman, Times, serif" color="#666666">All quotes are lifted from e-mail communication with Otto Sync.<br>
      <br>
      <a name="FTNT2"></a> 2. <b>Ledell, G&#246;ran</b> (ed) 
      <i>Dataolyckor -- Har det verkligen h&#228;nt n&#229;gon g&#229;ng?</i> 
      INFOSEC, Lund 1992<br>
      <br>
      <a name="FTNT3"></a> 3. Quotes from the conversation are drawn from the court documents.<br>
      <br>
      <a name="FTNT4"></a> 4. To be technically precise: a DNR -- Dialled Number Recorder.<br>
      <br>
      <a name="FTNT5"></a> 5. <i>Expressen</i>, Friday February 4th 1994, page 11.</font></td>
  </tr>
</table>
<p align=center><font face="Times New Roman, Times, serif" size="1">Design and 
  formatting by <a href="mailto:nirgendwo@usa.net">Daniel Arnrup</a>/<a href="http://www.voodoosystems.nu">Voodoo 
  Systems</a></font></p>
</BODY></HTML>