20.9 A Recent International Tracking of a Cracker

In 1999, a system behind the firewall of a very large British company was used to steal our sunset database of airport names, cities, and locations in our sunset Web page (by their doing a query on every three-letter combination as an airport ID). I worked from Atlanta. Our Web server was in New Hampshire. The violating IP was traced to a British company with London telephone city codes.

A single polite but firm e-mail to the person listed as the responsible party for that domain got action. We received a number of overseas phone calls and they did an extensive audit of their logs. Their people were very knowledgeable and helpful and a pleasure to deal with. They stated that if they could find the employee responsible he would be sacked!

I provided our detailed logs of the cracking. I compared the system's time to the exact actual time and provided them with the correction. Again, he did not actually "break" security because he just made requests to our Web server. However, he did load down the server to an unreasonable degree, obtained the entire contents of our database, and reduced service levels to legitimate users. It is not clear whether his use actually was illegal, because we did not have a use policy on the site. We now do have such a use policy so that exceeding it will be considered unauthorized use.

Unfortunately, there were many, many systems behind this firewall, some of them not theirs but those of associated companies. After they scanned logs of systems in half a dozen countries, they did not find any that matched. They did suspect that the culprit was using a system in California belonging to one of their associated companies. Thus, he went from California to London and then back across the Atlantic to New Hampshire. (Because we had some phony airports in the database to detect theft, we might catch him yet!)
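The log review described above can be automated. The following is an added example, not code from the book: it flags clients that request an unusually large number of distinct three-letter airport IDs or that touch a decoy airport, and reports the activity window with the server's clock error corrected. The `/sunset?id=` URL, the decoy IDs, the threshold, the 37-second clock error, and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import islice, product
from string import ascii_uppercase

CANARY_IDS = {"QQX", "ZZJ"}           # assumed decoy airport IDs seeded in the database
DISTINCT_ID_LIMIT = 25                # assumed per-client limit on distinct IDs queried
CLOCK_ERROR = timedelta(seconds=-37)  # assumed: server clock ran 37 s fast
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(  # common log format; the /sunset?id= query URL is an assumption
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /sunset\?id=(?P<id>[A-Za-z]{3}) ')

def build_sample_log():
    """Constructed log: one normal visitor and one client walking AAA, AAB, ..."""
    lines = [
        '192.0.2.10 - - [12/Mar/1999:10:00:01 -0500] "GET /sunset?id=ATL HTTP/1.0" 200 512',
        '192.0.2.10 - - [12/Mar/1999:10:00:09 -0500] "GET /sunset?id=MHT HTTP/1.0" 200 498',
    ]
    start = datetime.strptime("12/Mar/1999:10:05:00 -0500", TS_FORMAT)
    for n, combo in enumerate(islice(product(ascii_uppercase, repeat=3), 30)):
        ts = (start + timedelta(seconds=n)).strftime(TS_FORMAT)
        airport = "".join(combo)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /sunset?id={airport} HTTP/1.0" 404 0')
    lines.append(
        '198.51.100.7 - - [12/Mar/1999:10:05:31 -0500] "GET /sunset?id=QQX HTTP/1.0" 200 505')
    return lines

def analyze(lines):
    """Return {ip: report} for clients over the ID limit or touching a decoy ID."""
    seen = defaultdict(lambda: {"ids": set(), "canaries": set(), "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an airport query
        ts = datetime.strptime(m["ts"], TS_FORMAT) + CLOCK_ERROR  # corrected time
        rec, airport = seen[m["ip"]], m["id"].upper()
        rec["ids"].add(airport)
        if airport in CANARY_IDS:
            rec["canaries"].add(airport)
        rec["first"] = min(rec["first"] or ts, ts)
        rec["last"] = max(rec["last"] or ts, ts)
    return {ip: r for ip, r in seen.items()
            if len(r["ids"]) > DISTINCT_ID_LIMIT or r["canaries"]}

if __name__ == "__main__":
    for ip, r in analyze(build_sample_log()).items():
        print(ip, len(r["ids"]), "distinct IDs; decoys hit:", sorted(r["canaries"]),
              "| corrected window:", r["first"].isoformat(), "to", r["last"].isoformat())
```

The corrected first and last timestamps are what the other site's administrators need in order to line the activity up against their own firewall and proxy logs.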




Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260
