# RootPrompt.org   Nothing but Unix.

 Feature: Cracked! Part 6: Talking with the Enemy

This is the sixth part of the story of a community network that was cracked and what was done to recover from it.

In this article I talk to the cracker in IRC.

 (Submitted by Noel Wed Jun 28, 2000 )

"so they'd rather have some bad shit happening here rather than let me sniff passwords?
you sure of that?"

Soon after rebuilding the system I started talking to someone on IRC who identified himself as the person who had cracked our system. He was connecting from the same places that the cracker had been coming from and seemed to know things that only the cracker would have known, so I decided to take him at face value. Over the first couple of weeks we talked about a variety of subjects. I have selected some of the most interesting bits and grouped them together to give an idea of the flavor of the conversations. It was an interesting window into the mind of someone living a very different life.

He did not say very much about cracking us. Perhaps he was not sure of how much we knew and was trying to not let anything out. He did say things like he had cracked us for six months and that we were a bunch of lamers. He said that he had been aware that we had noticed him and had just decided not to do anything.

Cracker - btw... i knew you've noticed me... but i was to busy to bother doing anything about it
Cracker - figure you left those suid shells just so i wont get mad at u or something
Noel - Well it is to late to bar the door, when the cow is gone
Cracker - yeah
Cracker - i guess
Cracker - although, most sysadmins delete such things immediately when found
Cracker - so your a weird one :)

It had been hard for me to leave those set user id files just sitting there. But it had bought us time that we had used to good effect in planning the rebuild of the system. I still think that if I had just removed them, things would have come to a head long before we were ready.

He continually tried to get me to tell him some detail about how the system had been rebuilt and how it was now set up. I did my best to avoid discussing the technical details of the system because I did not want to provide any help when and if he tried to crack us again. This may have been security through obscurity, but I wanted it to be as hard as I could make it: to secure it as much as I could and make it harder to find any holes we might have missed.

Cracker - *silence*
* Cracker chuckles
Noel - I really don't want to answer those kind of questions, after all perhaps we were lucky that you did not rm -rf /
Cracker - yeah perhaps u r

Cracker - is there anything interesting on your subnet now?
Noel - nope... we are segmented off
Cracker - pity

He presented himself as a very skilled and experienced cracker and programmer. Several times he mentioned other cracks that he had done or software that he had written. He claimed to have cracked more than a thousand machines. At the time this seemed like an impossible number, but with all the DDoS attacks I am not as sure now.

Cracker - just hacked into a top-level domain name server.
Noel - Why?
Cracker - for phun & excitement
Cracker - not to mention i can now hack any system in that country the name server is for.
Noel - After so many does it not loose it's thrill?
Cracker - yeah, sort of

Cracker - i used to run the sniffer on the sparc at first, then i had to port it to osf/1 when you got rid of the sparc.

Cracker - well my sniffer runs fine on aix4 dude! but aix3 is no can-do
Cracker - i have it ported to the 10 most common unix types in use today.
Cracker - it r0x
Noel - what is diff about your sniffer?
Cracker - my sniffer is eleet and stuff....
Noel - if you got it running on ten OSs then it is pretty portable
Cracker - yeah it is
Cracker - lame haqr d00dz can only sniff on lamex, sun-loss, and slowlaris....
Cracker - i can sniff on pretty much anything

Cracker - the fedz cant get me bwah hah hah hah

There was a steady undercurrent of threats and hints about what would happen to us if we did not give him what he wanted, and what he wanted was nothing less than for us to help him crack other systems.

Cracker - well, i'm not destructive as long as i have some use of the system.....

Cracker - so they'd rather have some bad shit happening here rather than let me sniff passwords? you sure of that?

Cracker - failing that, i could only leave your system alone as a personal favour to you , and only if i can sniff passwords for other systems from here

His number one desire seemed to be to use our system as a sniffing platform so that he could work to crack other systems. On several occasions he told us that if he was not allowed to run a sniffer he was going to work to damage or destroy us.

Cracker - anyways, the question is, what do you think i should do with your system?
Noel - I think you should continue to use it... without bothering to crack root :)
Cracker - use it for what?
Noel - whatever (- sniffing)
Cracker - why - sniffing?
Noel - Well to do that you would have to crack root again...
Cracker - not if you let me do it
Cracker - you can give me a shell and set permissions on the filter devices appropriately.
Cracker - the question is this
Cracker - you use ssh for logins now, so what harm can it do if someone sniffs passwords?
Noel - I think that there is 0% chance that the board would allow you to sniff the network.
Cracker - well maybe you dont have to tell the board
Noel - I don't work that way, sorry
Cracker - so they'd rather have some bad shit happening here rather than let me sniff passwords? you sure of that?
Noel - You know I have been polite to you... I have treated you with respect there is no need to threaten me. not at all.
Cracker - i didn't threaten you
Cracker - just asked a question
Noel - I do not think sniffing passwords will be an option.
Cracker - well then it's probably only the first variant thats left

Talking to him this way for several weeks I started thinking that I was getting to know him. He did not seem to be a bad guy. The fact that he would tell me that he was not a nice guy and that we had better watch out or he would destroy us did not really seem to me to be a serious threat. I had started to like him a little bit. He seemed a little angry at the world in general but he was smart and I could imagine myself in his world cracking boxes for the thrill of it if my life had gone differently. I have never been sure if I was really getting a picture of who he was or if it was just a carefully crafted image.

It did turn out that when he said that he was not a nice guy and that we should watch out, he was telling us the truth.

Copyright 1999-2005 Noel Davis.