"The cream of US military intelligence last week had their bungled attempt to prosecute a bedroom hacker thrown out by a British court," screamed the lead of a November 28, 1997 piece in the United Kingdom newspaper, The Guardian.

Even as the President's Commission on Critical Infrastructure Protection was spinning yet more scenarios of imminent techno-Gotterdammerung, the wheels were coming off one of the U.S. military's most extensive public relations campaigns. Aimed at creating the image of menacing hackers in the employ of foreign powers, U.S. Air Force claims fell apart in an English court, out of sight of the U.S. news media as the U.K. press looked on and smirked.

Matthew Bevan, 23, a hacker known as Kuji, walked out of a south London Crown Court a free man as prosecutors confessed it wasn't worth trying him on the basis of flimsy claims made by the U.S. military. Further, he was deemed no threat to national computer security.

Since 1994, the U.S. government has used Bevan, and a younger partner, Richard Pryce, in reports by the Air Force, the Government Accounting Office, the Pentagon's Defense Science Board report on information warfare and the recent Marsh Commission, on the dangers posed by international terrorists using the worldwide computer networks to attack the United States.

". . . [the] story of the Bevan and Pryce cases shows [the Air Force's] forensic work to have been so poor it would have been unlikely to have stood up in court and convicted Bevan. The public portrayal of the two Britons as major threats to U.S. national security was pure hype," wrote Duncan Campbell for The Guardian.

However, events really began in 1994, when the two young men broke into an Air Force installation known as Rome Labs, a facility at the now closed Griffiss Air Force Base, in New York. This break-in became the centerpiece of a Government Accounting Office report on network intrusions at the Department of Defense in 1996 and also constituted the meat of a report entitled "Security and Cyberspace" by Dan Gelber and Jim Christy, presented to the Senate Permanent Subcommittee on Investigations during hearings on hacker break-ins the same year. It is interesting to note that Christy, the Air Force Office of Special Investigations staffer/author of this report, was never at Rome while the break-ins were being monitored.

Before delving into this in detail, it's interesting to read what a British newspaper published about Richard Pryce, known as Datastream Cowboy, then seventeen, about a year before he was made the poster boy by the GAO.

In a brief article, blessedly so in contrast to the reams of propaganda published on the incident for Congress, the July 5, 1995 edition of The Independent wrote, "[Datastream Cowboy] appeared before Bow Street magistrates yesterday charged with unlawfully gaining access to a series of American defense computers. Richard Pryce, who was 16 at the time of the alleged offences, is accused of accessing key U.S. Air Force systems and a network owned by Lockheed, the missile and aircraft manufacturers."

Pryce, a resident of a northwest suburb of London, was charged with 12 separate offenses under the British Computer Misuse Act. He was arrested on May 12, 1994, by New Scotland Yard. The Times of London reported that when police came for Pryce, they found him at his PC on the third floor of his family's house. Knowing he was about to be arrested, he "curled up on the floor and cried."

The Air Force's tracking of Pryce, and to a lesser extent, Bevan, was recounted in an eight page appendix to Gelber's and Christy's "Security and Cyberspace," entitled "The Case Study: Rome Laboratory, Griffiss Air Force Base, NY Intrusion."

Pryce's entry into Air Force computers was originally noticed on March 28, 1994, when personnel discovered a sniffer program he had installed on one of the Air Force systems in Rome. The Defense Information System Agency (DISA) was notified. DISA subsequently called the Air Force Office of Special Investigations (AFOSI) at the Air Force Information Warfare Center (AFIWC) in San Antonio, Texas. AFIWC then sent a team to Rome to appraise the break-in, secure the system and trace those responsible. During the process, the AFIWC team of computer scientists -- not AFOSI investigators, a point not clearly made by the Air Force authors and one that becomes more important when viewing the fallout and repercussions of the case -- discovered Datastream Cowboy had entered the Rome Air Force computers for the first time on March 25. Passwords had been compromised, electronic mail read and deleted and unclassified "battlefield simulation" data copied off the facility. The Rome network was also used as a staging area for penetration of other systems on the Internet.

Air Force personnel initially traced the break-in back one step to the New York City provider, Mindvox. According to the Christy report, this put the NYC provider under suspicion because "newspaper articles" said Mindvox's computer security was furnished by two "former Legion of Doom members." "The Legion of Doom is a loose-knit computer hacker group which had several members convicted for intrusions into corporate telephone switches in 1990 and 1991," wrote Gelber and Christy.

The Air Force then got permission to begin monitoring -- the equivalent of wiretapping -- all communications on the Rome Labs network. Limited observation of other Internet providers being used during the break-in was conducted from the Rome facilities. Monitoring told the investigators the handles of hackers involved in the break-in were Datastream Cowboy and Kuji.

Since the monitoring was of limited value in determining the whereabouts of Datastream Cowboy and Kuji, investigators resorted to "their human intelligence network of informants, i.e., stool pigeons, that 'surf the Internet.'" Gossip from one 'Net stoolie to Air Force investigators uncovered that Datastream Cowboy -- [Richard Pryce] -- was from Britain. The anonymous source said he had e-mail correspondence with Datastream Cowboy in which the hacker said he was a 16-year-old living in England who enjoyed penetrating ".MIL" systems. Datastream Cowboy also apparently ran a bulletin board system and gave the telephone number to the AFOSI source.

The Air Force team contacted New Scotland Yard and the British law enforcement agency identified the residence, the home of Richard Pryce, which corresponded to Datastream Cowboy's system phone number. English authorities began observing Pryce's phone calls and noticed he was making fraudulent use of British Telecom. In addition, whenever intrusions at the Air Force network in Rome occurred, Pryce's number was seen to be making illegal calls out of Britain.

Pryce travelled everywhere on the Internet, going through South America, multiple countries in Europe and Mexico, occasionally entering the Rome network. From Air Force computers, he would enter systems at Jet Propulsion Laboratory in Pasadena, California, and the Goddard Space Flight Center in Greenbelt, Maryland. Since Pryce was, according to Air Force investigators, capturing the logins and passwords of the networks in Rome Labs, he was then able to get into the home systems of Rome network users, defense contractors like Lockheed.

By mid-April of 1994 the Air Force was monitoring other systems being used by the British hackers. On the 14th of the month, Kuji logged on to the Goddard Space Center from a system in Latvia and copied data from it to the Baltic country. According to Gelber's report, the Air Force observers assumed the worst, that it was a sign that someone in an eastern European country was making a grab for sensitive information. They broke the connection but not before Kuji had copied files off the Goddard system. As it turned out, the Latvian computer was just another system the British hackers were using as a stepping stone; Pryce had also used it to cover his tracks when penetrating networks at Wright-Patterson Air Force Base in Ohio, via an intermediate system in Seattle, cyberspace.com.

The next day, according to the AFOSI report, Kuji was again observed trying to probe various systems at NATO in Brussels and The Hague as well as Wright-Patterson. On the 19th, Datastream Cowboy successfully returned to NATO systems in The Hague through Mindvox. The point Gelber and Christy were laboriously trying to make was that Kuji -- Matthew Bevan -- a 21-year-old, was coaching Pryce during some of his attacks on various systems.

By this point, New Scotland Yard had a search warrant for Pryce with the plan being to swoop down on him the next time he accessed the Air Force network in Rome.

In April, Datastream Cowboy penetrated a system on the Korean peninsula and copied material off a facility called the Korean Atomic Research Institute to an Air Force computer in Rome. At the time, the investigators had no idea whether the system was in North or South Korea. The impression created was one of hysteria and confusion at Rome. There was fear that the system, if in North Korea, would trigger an international incident, with the hack interpreted as an "aggressive act of war." The system turned out to be in South Korea.

It's worth noting that while the story was portrayed as the work of an anonymous hacker, New Scotland Yard already had a suspect. Further, according to Gelber's and Christy's report, English authorities already had a search warrant for Pryce's house.

On May 12, British authorities pounced. Pryce was arrested and his residence searched. He crumbled, according to the Times of London, and began to cry. Gelber and Christy write that Pryce promptly admitted to the Air Force break-ins as well as others. Pryce confessed he had copied a large program that used artificial intelligence to construct theoretical Air Orders of Battle from an Air Force computer to Mindvox and left it there because of its great size, 3-4 megabytes. Pryce paid for his Internet service with a fraudulent credit card number. At the time, the investigators were unable to find out the name and whereabouts of Kuji. A lead to an Australian underground bulletin board system yielded nothing.

On June 23 of 1996, Reuters reported that Matthew Bevan had been arrested and also charged in connection with the 1994 Air Force break-ins in Rome.

Bevan was found in the same low-tech manner as Pryce. His phone number was eventually lifted by Scotland Yard from Pryce's seized PC. "Had it not been for Scotland Yard, the relatively innocuous Pryce and Bevan would never have been found and the U.S. Senate would still be hearing about cyberterrorists from faraway lands," wrote the Guardian's reporter.

Lacking much evidence for conspiratorial computer-waged campaigns of terror and chaos against the U.S., the makers of Congressional reports nevertheless resorted to telling the same story over and over in 1996, three times in the space of the hearings on the subject.

As a result, Pryce and Bevan appeared in "Security in Cyberspace" and twice in Government Accounting Office reports AIMD-96-84 and T-AIMD96-92 in 1996, which were essentially rewritten versions of the former with additional editorializing.

Jack Brock, the author of these now famous GAO reports on hacker intrusions at the Department of Defense, wrote, ". . . Air Force officials told us that at least one of the hackers [of Rome Labs] may have been working for a foreign country interested in obtaining military research data or areas in which the Air Force was conducting advanced research."

This was not even close to the truth.

[Alert Crypt Newsletter readers will recall Mr. Brock was a nominee in the 1996 Computer Virus Hysteria Awards.]

But what were Bevan and Pryce really after?

Not Air Force advanced research! Unless . . . you are one of those who are convinced the U.S. military is really hiding a flying saucer at Area 51 in Nevada. According to the Guardian account, Matthew Bevan was interested in little but gathering evidence confirming that Area 51 was a secret hangar for captured alien spacecraft.

The Guardian news report was also extremely critical of Air Force computer scientist Kevin Ziese.

Ziese, said the Guardian, "led a six-strong team [from San Antonio] whose members, or so he told Fortune magazine, slept under their desks for three weeks, hacking backwards until Pryce was arrested."

"Since then, Ziese has hit the US lecture circuit and [privatized] his infowar business. As the WheelGroup corporation of San Antonio, he now sells friendly hacking services to top U.S. corporations," reported the Guardian.

However, while the Guardian was accurate in its assessment of the trivial menace of Bevan and Pryce, it was off in its characterization of Ziese, missing the real target -- investigators from AFOSI and the authors of the Gelber/Christy report, according to information supplied in interviews with Ziese.

Ziese commented to Crypt Newsletter that he "[had] not hit the lecture circuit." He added that he was amused by the content of the article in the Guardian and that "to date, no one has ever asked me even one question -- beyond my initial deposition to New Scotland Yard in 1996 -- regarding the Rome Lab case!"

Digging more deeply into the story, the evidence gathered on the Rome Labs break-in can be separated into two distinct classes. "The first," said Ziese, "[was] the deposition I gave sometime in and about May of 1996 to New Scotland Yard." The second is the same shopworn story the "extremely incompetent criminal investigators had gathered originally," he added.

It was the investigators from the Air Force Office of Special Investigations, not the group of computer scientists from the Air Force's Information Warfare Center in San Antonio -- which Ziese led -- who peddled the Rome Labs break-in as evidence of international spying.

"Unbeknownst to the public at large, we had a very complete set of tools [and a] chronology," said Ziese. "It was the criminal investigators who tied our hands, lost critical pieces of data and refused to allow us to testify/discuss the case. They wanted to make a mountain out of a molehill."

In this, they were successful.

". . . it was incompetent criminal investigators who saw a spy under every rock," Ziese continued, "not the computer scientists I brought with me to Rome." AFOSI was responsible for the "hogwash that has been published to date about the Rome Lab attacks."

By the English account, the evidence submitted by the U.S. military investigative team was almost worthless: "[E-mails] of edited files that had been relayed to Ziese and others."

A desire for secrecy also backfired on the Air Force. In May of this year, the Air Force declined to allow Bevan's defense to look at the test programs they claimed to have used to monitor his intrusions and ". . . having set traps to catch hackers, [the Air Force] neglected to produce before and after file dumps of the target computers."

The result was: "In the end, all the Americans handed over was patchy and circumstantial evidence that their computers had been hacked from Britain."

In March of this year, Richard Pryce -- now 19 -- was fined 1,200 pounds for offenses related to unauthorized access in connection with the break-ins at Rome Labs.


In sort of related news:

About the same time the wheels were coming off the Rome Labs myth, a similar fate was being meted out to the hoary tale of electromagnetic pulse gun attacks on banks in the United Kingdom.

Alert Crypt Newsletter readers already know the publication has dissed the legend of the non-nuclear electromagnetic pulse (HERF, microwave, radio frequency) gun as the chupacabras of cyberspace for the last two years.

On December 4, a British journalist for TechWeb dubbed them the same.

These stories are nonsense, said Michael Corcoran of Britain's Defense Evaluation and Research Agency, for TechWeb. "There are no radio-frequency weapons out there that anyone is in a position to use against banks." Corcoran then waffled for the publication and equivocated that sometime in the unspecified future EMP guns might be possible.

