Retracting the Tendrils


Flir immediately switched back to the bstrobell shell and changed the source file so that it held its previous contents. He then used the touch -t command to change the access and modification times back to their original values before he'd touched the directory. Every time he had modified a file or directory, he'd always stored the modification and access times so that he could easily put these back. This made retracing so much easier.

He exited the Ben Strobell shell, logged out and logged back in as mrash, the first account from which he'd done so much on the mac3 server. He removed each wrapper program, renaming the original programs back to their original names. With the wrappers no longer generating new Set-UID shells, Flir deleted the stash of Set-UID shells:

 [mac3:~] mrash% rm -fr ~/Public/Drop\ Box/.shells 

Finally, Flir set the history length environment variable to 1 and logged out of the mrash account.

With his tracks mostly removed on the mac3 shell server, he now needed to remove his sniffing capability on the Rogue laptop. He shut down the arpspoof tool, so that the rogue would no longer serve as the first router for the lab. This would also prevent new DNS requests from reaching the laptop, which would result in the lab machines shortly communicating with the real my.ptech.edu directly. He shut down the dnsspoof tool next. He checked to make sure that webmitm wasn't currently proxying any connections, to avoid shutting it down during any sessions, and then shut down the webmitm process.

Flir did use a secure deletion utility to destroy all the data he'd captured. He knew he had immunity and thus it wouldn't be gathered for evidence, but the laptop could be stolen. He definitely didn't want all that sensitive student information in the hands of criminals!

He overwrote the partitions containing the data and the swap space with the seven patterns of ones and zeroes recommended by the NSA and turned it off. Now he needed to get the student information to Knuth. He wondered if he should offer the cluster to Knuth, but decided against it. The CIA had NSA, right? They had far more computing power than VA Tech could offer. He placed the student information on a USB thumb drive and sent it by International Fed-Ex to the address Knuth had given him in Switzerland.




Stealing the Network. How to Own a Continent
ISBN: 1931836051
EAN: N/A
Year: 2004
Pages: 105
