The Secret Service, UUCP, and The Legion of Doom
by Kevin Mullet, University of North Texas (KEV@VAXB.ACS.UNT.EDU)


UUCP and UNT

Back in 1978, a couple of bright fellows at AT&T's Bell Labs, where the Unix 
operating system was developed, wondered if computer files could just be 
copied from one computer to another over a cable.  State of the art data
transfer back then meant writing data to paper cards or magnetic tape and 
reading them in on another computer. 

The chaps with the bright idea were M.E. Lesk and A.S. Cohen and the program 
they wrote to implement the idea was Unix to Unix Copy, or UUCP.  The idea 
caught on just about the same time Unix was taking off in popularity.

As the number of computers that could UUCP to each other grew, one of the first 
large wide-area networks was born.  It has since grown to its present size of over 
11,000 nodes, or individual computers.  The UUCP network, named
after the primary software used for communication across the network in its 
early days, now provides much more than simple file copying.  It carries
electronic mail, network-based news services
and, of course, file transfer services between the computers on the network. 

Electronic mail, or e-mail, is a kind of computer-based postal system where
people can send messages back and forth to each other electronically without 
ever having to print them out on paper.

UUCP news is not unlike e-mail.  The network of computers where people read, 
write and distribute news is called Usenet.  Most, although not all, of this 
service takes place on UUCP.  Because of its popularity, though, the service 
is also available from the NSF-Internet and BITNET wide area networks.  
Usenet news is comprised of several hundred newsgroups.  These newsgroups are 
forums for ongoing discussions on an endless variety of topics ranging from 
specific computer languages and architectures to cooking, horseback riding, 
politics and religion.  When a person posts a message to a newsgroup, the  
message is automatically passed on to every computer on the network that 
subscribes to that particular newsgroup.  That way, each person who reads and 
posts to a newsgroup is literally carrying on a dialogue with hundreds, often
thousands, of other people at the same time.

At NT, the most popular way to be a part of these Usenet news groups is with 
the ANU program on the VAX Cluster.  Through ANU, anyone with a VAX Cluster 
userid can take part in up to 366 different newsgroups. 
Messages from all over the world can be read from the user's terminal.

Usually this system works flawlessly, but a few weeks ago something happened.  
ATTCTC, a computer and UUCP network node partially operated by AT&T, was 
seized by the US Secret Service as evidence in Operation Sun Devil, an ongoing 
nation-wide investigation of data piracy, credit card and long-distance dialing 
abuse, and computer security violations.  When that happened, 
the umbilical cord between NT and UUCP was severed.

An understanding of why this impacted NT requires an understanding of how UUCP 
works.  The great strength, and the great weakness, of many wide area networks 
is their reliance on "store and forward" technology.  On a store and forward 
network each computer, or node, communicates directly with only a few neighbors, 
typically nodes close enough to reach with a cheap telephone call.  If a node on 
one side of the world has some e-mail, news or a file to send to a node on the 
other side of the world, it simply passes the data to a neighbor along with 
instructions about the eventual destination.  That neighbor stores the data and 
passes it on to one of its own neighbors, and so on until, many nodes later, the 
e-mail, news or files reach their intended destination.

The great strength of this scheme lies in its economy.  Any particular site 
need only pay for a connection to a nearby neighbor to reach the rest of the 
world.  This way, a large number of sites can affordably interconnect
in a global wide area network.

The weakness is the flip side of that economy.  Because a connection costs so 
little, many sites never arrange a redundant route in case a critical node goes 
down.  NT was such a site.  When ATTCTC was seized, every node "downstream" of 
it, including NT, lost its UUCP access.  All these sites had to scramble to 
contact other nearby UUCP nodes that were "upstream" of ATTCTC and arrange new 
UUCP connections.  Three days later, thanks to the Computer Science department 
at the University of Texas at Austin, NT was back online to UUCP, but for some 
other sites on the UUCP network, the story was just beginning.
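As an added illustration, not code from the original article or from any UUCP 
implementation, the Python model below captures the two properties described 
above: each site forwards traffic only to the neighbors it has a link with, and 
a site whose only link runs through a critical node is cut off when that node 
disappears.  Only ATTCTC, NT and the later NT link via UT Austin come from the 
article; the other host names ("backbone", "siteb" and so on) and every link in 
the map are constructed assumptions for the demo.  Addresses use the UUCP 
"bang path" form (host!host!user), in which the sender writes out each hop 
the message must take.

```python
"""Toy model of UUCP store-and-forward routing over a neighbour graph.

Added illustration for the article, not code from the original page nor
from any real UUCP implementation.  Only the ATTCTC and NT nodes and the
later NT <-> UT Austin link come from the text; every other host name and
link below is a constructed assumption for the demo.
"""
from collections import deque

# Constructed topology: each site can exchange traffic only with the
# neighbours it has a UUCP connection with (in 1990, usually a nearby
# phone call).  The map is symmetric: either side may poll the other.
TOPOLOGY = {
    "backbone": {"attctc", "utexas"},
    "attctc":   {"backbone", "nt", "siteb"},
    "nt":       {"attctc"},              # NT's only link: no redundancy
    "siteb":    {"attctc", "sitec"},
    "sitec":    {"siteb"},
    "utexas":   {"backbone", "sited"},
    "sited":    {"utexas"},
}


def remove_node(topology, node):
    """Return a copy of the map with `node` (e.g. a seized host) taken out."""
    return {h: {n for n in nbrs if n != node}
            for h, nbrs in topology.items() if h != node}


def add_link(topology, a, b):
    """Return a copy with a new bidirectional UUCP link between a and b."""
    new = {h: set(nbrs) for h, nbrs in topology.items()}
    new.setdefault(a, set()).add(b)
    new.setdefault(b, set()).add(a)
    return new


def route(topology, src, dst):
    """Shortest hop-by-hop path from src to dst (BFS), or None if cut off.

    Neighbours are visited in sorted order so results are deterministic.
    """
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(topology.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def bang_path(path, user):
    """UUCP source-routed address: the hops after the sender, then the user."""
    return "!".join(path[1:] + [user])


def deliver(topology, origin, address):
    """Walk a bang-path address hop by hop starting at `origin`.

    Returns (delivered, last_host).  UUCP source routing commits the sender
    to the hops it wrote, so a stale path through a dead host fails at that
    hop even when another route to the destination exists.
    """
    *hops, _user = address.split("!")
    cur = origin
    for hop in hops:
        if hop not in topology.get(cur, ()):
            return False, cur
        cur = hop
    return True, cur


def cut_off(topology, root, node):
    """Sites reachable from root before removing `node` but not after."""
    before = {h for h in topology if route(topology, root, h)}
    after_map = remove_node(topology, node)
    after = {h for h in after_map if route(after_map, root, h)}
    return before - after - {node}


if __name__ == "__main__":
    addr = bang_path(route(TOPOLOGY, "backbone", "nt"), "kev")
    print("normal route:", addr)
    seized = remove_node(TOPOLOGY, "attctc")
    print("cut off with attctc:", sorted(cut_off(TOPOLOGY, "backbone", "attctc")))
    print("stale address after seizure:", deliver(seized, "backbone", addr))
    restored = add_link(seized, "utexas", "nt")
    print("new route:", bang_path(route(restored, "backbone", "nt"), "kev"))
```

Running the script shows the article's situation in miniature: with ATTCTC 
present the path to NT is attctc!nt!kev; remove ATTCTC and NT, siteb and sitec 
all fall off the network, and mail already addressed through attctc fails at 
the first hop.  Adding the single utexas-nt link restores a route, but any 
correspondent still using the old bang path keeps failing until they learn the 
new one, which is why a second link arranged in advance is worth far more than 
one arranged after the fact.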


The rest of the story
    	
        This account is based largely on the grand jury indictments 
        against alleged Legion of Doom members and accounts by actual Legion 
        of Doom members who posted to the Usenet group comp.dcom.telecom

Sometime in December of 1988, Robert Riggs, a 20 year-old student at DeVry 
Technical School, hacked his way into a computer at Bell South telephone 
company headquarters in Atlanta.  Bell South provides telephone
service for Alabama, Mississippi, Georgia, Tennessee, Kentucky, Louisiana, North 
Carolina, South Carolina and Florida. 

Riggs was a member of a group called the Legion of Doom.  Members of this 
organization are hackers who illegally compromise the security of various 
computer and telecommunications installations on a regular basis in
order to enhance their reputation within the computer underground.

Once he gained access to the Bell South computer, Riggs stole a document 
describing some of the workings of the emergency 911 service.  On 23 January 
1989 Riggs copied the file through the UUCP network to Jolnet, a public access 
Unix system in Lockport, Illinois, and made it available to Craig Neidorf, an 
editor of an underground on-line magazine for hackers and phreakers 
(hackers who specialize in compromising telecommunications security).

Phrack, the magazine edited by Neidorf, is published electronically through 
the UUCP and NSF-Internet networks and on numerous BBS's across the country 
which specialize in disseminating information about hacking and
phreaking.  The magazine, a mainstream publication in the computer underground,
is generally considered required reading for hackers and phreakers.  The 
content of Phrack ranges from actual and fictional accounts of breaking into 
computer systems to technical details of computer security and 
telecommunications systems.  Sources close to the Phrack publishers assert 
that the magazine has always been careful to avoid publishing anything that 
was overtly illegal.

Neidorf, a 19 year-old political science major at the University of Missouri, 
used his userid on a school Unix system to retrieve the Bell South 911 file 
from Jolnet.  Once he had the file, he edited it, as advised by Riggs,
to conceal its source.  Neidorf and Riggs intended eventually to write an 
article about the 911 system in Phrack.

The actual 911 file in question is a six page, 20 kilobyte document describing
some technical and administrative details of the emergency 911 system that 
Bell South uses for its nine state service area.  

Through the 911 system, Bell South customers can dial 911 and be instantly 
connected with a Public Safety Answering Point (PSAP).  Computers called 
Electronic Switching Systems (ESSs) route telephone calls.  When 
someone in the Bell South service area calls 911, an ESS ensures they are 
connected with the appropriate PSAP.  The 911 system then allows an emergency 
operator to determine automatically what number and address the caller is 
calling from and to alert the appropriate emergency service dispatchers.

Obviously, the details of security around such a system should be very closely
guarded.  The potential for loss of life and property if such a system were 
maliciously compromised is enormous.

The Plot Thickens

Unknown to Riggs and Neidorf, Richard Andrews, the system administrator of 
Jolnet discovered the Bell South 911 file on his computer soon after it was 
transferred there.  Andrews sent a copy of the file through the UUCP network 
to another computer system called "Killer" that was owned and operated by an 
AT&T employee, Charles Boykin.  Andrews requested that Boykin forward the 
file to the appropriate authorities.  Andrews didn't prevent further access to
the file, delete it or frustrate the efforts of Riggs and Neidorf.  He also 
kept a copy of the file for himself.

Several months later, Andrews received a call from someone at AT&T who asked 
for another copy of the file.  Not long after that, the United States Secret 
Service paid him a visit.  Andrews has been cooperating with the 
authorities ever since.  It is largely through his cooperation that federal 
indictments have been returned against five alleged members of the Legion of 
Doom: Robert Riggs, Craig Neidorf, Adam Grant, Franklin Darden, Jr., and 
Leonard Rose.

On February 3rd, 1990, after receiving Andrews' cooperation for over a year, 
the Secret Service raided Jolnet and seized it as evidence.

Killer Falls

In 1989, the privately-owned UUCP node known as Killer, through which Richard 
Andrews alerted AT&T to the stolen 911 file, was moved to the Dallas Infomart.
It was used by its owner, Charles Boykin, and AT&T as a public demonstration 
system, and was given a new name, AT&T Customer Technology Center, or ATTCTC.
Since it began operation in 1985, Killer/ATTCTC had become a 
critical node on the national UUCP backbone.  Computers throughout the 
southwest, and the people who used them, depended on ATTCTC for Usenet news, 
electronic mail and UUCP file transfer services.  On the 20th of February, 
1990, without any advance notice, ATTCTC was permanently shut down, leaving NT
with no UUCP access.

AT&T claims that the closure was due to lack of funds, although the system was
privately ...