
Underground.

   network to attack each other in ever greater numbers. By 11 a.m. it was almost impossible to tell where any one attack began and the other



   Some time after the first attack, DST sent word that certain agents were going to be in Washington DC regarding other matters. They wanted a meeting with the FBI. A representative from the NASA Inspector General's Office would attend the meeting, as would someone from NASA SPAN security.


   Tencati was sure he could show the WANK worm attack on NASA originated in France. But he also knew he had to document everything, to have exact answers to every question and counter-argument put forward by the French secret service agents at the FBI meeting. When he developed a timeline of attacks, he found that the GEMPAK machine showed an X.25 network connection, via another system, from a French computer around the same time as the WANK worm attack. He followed the scent and contacted the manager of that system. Would he help Tencati? Mais oui. The machine is at your disposal, Monsieur Tencati.


   Tencati had never used an X.25 network before; it had a unique set of commands unlike any other type of computer communications network. He wanted to retrace the steps of the worm, but he needed help. So he called his friend Bob Lyons at DEC to walk him through the process.


   What Tencati found startled him. There were traces of the worm on the machine all right, the familiar pattern of login failures as the worm attempted to break into different accounts. But these remnants of the WANK worm were not dated 16 October or any time immediately around then. The logs showed worm-related activity up to two weeks before the attack on NASA. This computer was not just a pass-through machine the worm had used to launch its first attack on NASA. This was the development machine.


   Ground zero.


   Tencati went into the meeting with DST at the FBI offices prepared. He knew the accusations the French were going to put forward. When he presented the results of his sleuthwork, the French secret service couldn't refute it, but they dropped their own bombshell. Yes, they told him, you might be able to point to a French system as ground zero for the attack, but our investigations reveal incoming X.25 connections from elsewhere which coincided with the timing of the development of the WANK worm.


   The connections came from Australia.


   The French had satisfied themselves that it wasn't a French hacker who had created the WANK worm. Ce n'est pas notre problème. At least, it's not our problem any more.


   It is here that the trail begins to go cold. Law enforcement and computer security people in the US and Australia had ideas about just who had created the WANK worm. Fingers were pointed, accusations were made, but none stuck. At the end of the day, there was coincidence and innuendo, but not enough evidence to launch a case. Like many Australian hackers, the creator of the WANK worm had emerged from the shadows of the computer underground, stood momentarily in hazy silhouette, and then disappeared again.