All in a day’s hack: UW staffer fights cyberspace bad guys

When you first meet Dave Dittrich, “obsessive” is not a word that comes to mind.

The 38-year-old software engineer and consultant who works for the University of Washington’s Computing and Communications Client Services Group and helps the university’s UNIX system administrators keep their systems running smoothly appears casual in a T-shirt and jeans. He has an easy, relaxed way of talking and a lazy smile.

Dave Dittrich in his usual position - in front of a computer.

Then he tells you about the weekend last fall when he worked practically nonstop at home decoding a complex program used by computer intruders to commandeer unwitting machines and attack other sites.

Or the three days in December when, home with the flu, he collapsed in bed with a bottle of water and crackers nearby - and his laptop perched on his stomach so he could work on cracking another hacker tool when he wasn’t dozing.

Or the Web site he’s loaded with resources, many collected or developed on his own time, for understanding and combating hacker attacks, available to anyone who needs help.

And you start to wonder.

Last week, Dittrich was in the news at the center of stories about the distributed denial of service attacks that crippled such Internet giants as Yahoo!, Amazon.com and eBay. Stories ran in USA Today, the Washington Post, the Toronto Star, newspapers in Germany and Britain, Online Magazine, on CNN, MSNBC, the BBC, Slashdot, InternetNews Radio and three National Public Radio shows that featured Dittrich and his work cracking codes of programs that hackers use. He was invited as a guest on Good Morning America, woke up at 2:30 a.m. to get ready, then, as he was on his way out the door, got a call to cancel.

“I got bumped by the Connecticut debates,” he said. “If those attackers had only picked a non-election year!”

Dittrich's tips to avoid being 'hacked'

  • Make certain the office has a way to quickly copy files, such as a tape backup. It will make things easier and faster if an intruder does get into your system, and it might save critical documents that would otherwise be lost.

  • Change your passwords. Dittrich said campus computer managers have received a lot of complaints about the recent resurrection of the requirement to change passwords at least every 120 days. There are good reasons to do so. Often, it’s not just an e-mail account that is compromised when a password is cracked. The account could lead to other computers, possibly some containing important research. Or, depending on whom the office in question works with, it could lead to an agency outside the UW.

  • Make certain that someone in the office is tasked with monitoring computer systems, spending a few minutes a day keeping up with security patches and turning off services that are not needed. The days of being able to buy a computer, put it on the Internet and forget about it are long gone. Well-administered systems are the least likely to be compromised.

  • If you suspect an intrusion, report it quickly and be ready to take measures to not only get the system running correctly again, but to preserve evidence as well.

Further information can be found on Dittrich’s Web site at http://staff.washington.edu/dittrich.

In the Wall Street Journal, he was called “the world’s foremost expert on denial-of-service, or D.O.S., attacks.” That’s a label Dittrich is quick to qualify.

“Not on D.O.S. in general,” he said, with a laugh. “But I guess with these particular distributed D.O.S. tools, yes - I’m the guy who figured out what they are and what they do.”

The story began last August, when Dittrich began receiving reports of a strange program on some of the UNIX workstations around campus. The copies of the program were dormant, and without any source code it was difficult to tell just what their purpose was. Then a call came from the University of Minnesota, which had just suffered a crippling D.O.S. attack. The information trail indicated that some UW machines were among the assailants. That indicated the program’s purpose, but it was still unclear how it worked.

About a month into the investigation, Dittrich found evidence that the intruders had installed a program on a campus network that “sniffed” passwords. “That led to where they were storing some of their files,” he said, including the source code for a program Dittrich later dubbed “trinoo.”

That weekend a date fell through, so he took the program home, put it on his own network and worked around the clock to figure it out. On Oct. 21, he published a 22-page analysis of the trinoo tool. In the coming weeks, he repeated the process, picking apart two other hacker tools, one called Tribe Flood Network and the other stacheldraht, German for barbed wire. Those analyses were vital tools as federal authorities tried to address the recent attacks.

In November, Dittrich was invited to give a presentation in Pittsburgh sponsored by the CERT computer security group, which published advisories based on his findings. He’s been working routinely with CERT and other organizations that monitor computer security, including the FBI.

Although the media attention has been overwhelming (at one point Dittrich activated an automated e-mail response that said he was suffering his own media-induced denial of service attack and referred interested parties to information on his Web site), Dittrich says his current role is one that makes sense to him. Apparently, computing is in the genes.

Both his grandfather and uncle worked for Boeing as engineers. His father was a physics professor, as is one of his brothers. As a youth, he enjoyed tinkering with mechanical problems. He taught himself to pick locks - in middle school, he obtained a sack of locks whose combinations had been lost. He figured out the combinations, then returned the locks to the school.

In high school, he took a programming course. “At that point, we were still using punch cards,” he recalled. “I remember walking down the hall and would trip and cards would go flying everywhere.” In 1986 he earned a computer science degree from Western Washington University.

Then there’s the cousin who earned his own 15 minutes of cyber fame.

“He did one of the more famous hacks of the ’80s,” Dittrich explained. “He took control of the scoreboard during the Rose Bowl.”

After two years of preparation, the cousin situated himself on a hill near the stadium with a laptop, cellular modem and a portable television so he could watch as his takeover unfolded. At halftime, he seized control of the scoreboard’s lights and sound, posted MIT and Cal Tech as the team names and ran a series of animated figures across the marquee.

“He was just getting ready to play the Cal Tech anthem when they shut off the power, so he didn’t quite get to complete his plan.”

Dittrich can’t hide a hint of admiration as he tells the story. On one level, he said, he considers himself a hacker: someone who enjoys knowing how computers and programs work, and finding weaknesses or improvements. And he understands the thrill that hackers experience when they orchestrate a complex hack.

“It was the same for me, as I studied these tools, analyzed them, found their weaknesses then wrote a program to exploit those weaknesses,” he said. “As I watched my program run, there was a point when I realized, ‘Hey, I just hacked a hack - this is so cool.’”

Given the anarchistic nature of the Internet, Dittrich speculates that computer attacks may get worse before they get better. But the media attention will help, he hopes. It should make people aware that they need to closely guard their own networks to avoid being used in attacks on others.

“Everyone has a role and a responsibility to be a good neighbor,” he said.

Rob Harrill, News & Information

University Week
The faculty and staff publication of the University of Washington
uweek@u.washington.edu
January 24, 2000