
Bernd R. Fix
<bernd.fix@aspector.com>


A strange story

The story I am going to tell you in the following pages may sound like gossip going
around in hackers' groups or like the paranoid reality of a nerd - and to be honest: I
don't know exactly what to believe or not, either...
But since I am part of this story, I am probably a bit more interested (and
better informed, I think) than a lot of other people, even those writing books about this topic.
So I am going to tell the story mostly from my point of view: what actually happened and
what I know for sure.
Although there are some "threads" of action that went on in parallel, I tried to make
the story as easy to follow as possible.

Fall 1986: The beginning

It probably all started in spring 1986 when I wrote my first computer virus - not to
harm anyone's computer but as an intellectual exercise - inspired by books like
"The Shockwave Rider" by John Brunner or articles on "worm" programs I had read about in
scientific magazines.
The 3rd Chaos Communication Congress in Hamburg (Dec. 1986) was the first "public"
event where we discussed the technology of computer viruses, their threat to any
computer system and possible protection mechanisms.
In those days I was travelling around for the Chaos Computer Club
to give talks and interviews to the media about computer viruses. In one of these
discussions an IBM manager declared: "Computer viruses for PCs do exist,
but it is not possible to write a virus for an IBM mainframe."
Whenever I think something can be done and someone else denies it - well,
I certainly give that something a try. So I started to think about computer viruses
on mainframe computers, which meant getting as much information on IBM mainframes as possible:

Spring 1987: Writing a virus for an IBM/370 mainframe (and compatibles)

Of course I did not own an IBM mainframe; but I was studying at Heidelberg University,
which gave me access to an IBM/390 (a /370-based mainframe). At that time the Computer
Center of the University got a new IBM mainframe system and was "depositing" all the
mainframe manuals right in front of their building in a huge paper recycling bin. So I ended
up with about 3 meters of documentation.
But in the end I needed the actual mainframe just for "testing" purposes. When I
started programming for the mainframe I stumbled across "THE PC-SIG LIBRARY, 4TH EDITION",
an IBM-PC shareware collection published in 1986. The disk set #402, "Cross Assembler
for the IBM 370 Version R1.1", was exactly what I was looking for: a PC-based /370 cross
assembler environment. A wonderful piece of software that even swallows original
IBM mainframe macros and the like!
So it took me about two weeks to finish the code, in two steps: the first was a
destructive virus (damaging the files it infected), while the second was a
non-destructive virus. I know that not so many people still know /370 assembler
language, but if you like you can have a look
at the source (PDF) of the destructive virus.
An interesting footnote: The IBM/370 architecture was "cloned" by the Russian computer
industry and was "the" mainframe system in the eastern countries for years. The virus
would be able to spread on these computers as well as on Siemens mainframes (which are
also /370-compatible) without modifications (or just slight ones).

Summer 1987: Losing control

Whenever I did virus programming or net travelling, I thought of it as an
intellectual challenge without limits other than imagination and knowledge, but I soon
had to realize that it's not fun for all the other people. I immediately
realized how malicious such a mainframe virus could be in the hands of the wrong
people - and made a naive and therefore wrong decision: I decided to tell only very
good friends about the mainframe virus and to keep it generally a secret
within this group. What a fool I was...
At the same time I was "testing" the virus on the actual mainframe (believe it
or not: I took all precautions to make sure the virus could not escape from my
"playground"), I was also working in a civil rights movement group opposing the German
census of 1987. I was writing articles for the media - but lacking a laser printer of my own,
I used the mainframe printer to get a hard copy of my "pamphlet".
Guess what happened? The operator at the Computer Center who was responsible for
the paper output had a look at my texts and obviously didn't agree with them - he
informed the security staff of a "misuse" of my account. These security guys were
browsing my libs for more politically motivated texts and found: a mainframe computer virus!
I know that these guys passed the virus to IBM for analysis. One of them acknowledged
that IBM had proven that the virus was fully functional. So the virus was out of my hands
- and I had a lot of trouble to deal with...
I spare you all the disgusting details of what followed - they tried to expel me
from University - but in the end I probably convinced them that I didn't plan to
sabotage the Computer Center of the University, and they let me finish my studies.
Since 1989 - the time of the KGB hack done by other hackers - I spent less and less
time with the Chaos Computer Club and lost touch with issues of computer security and
virus programming. I concentrated on more "interesting stuff" and I wasn't eager to be
related to information warfare at all.
So I never heard of my computer virus again, until 1996...

Spring 1996: Surprise, surprise

One day I got a phone call from a TV journalist who asked for an interview
on a computer security issue. While we were talking, he asked me if I was "the
Bernd Fix" mentioned in a book written by the American author Peter Schweizer.
Since I had never read the book in question (Peter Schweizer, Friendly Spies:
How America's Allies are Using Economic Espionage to Steal Our Secrets, New York:
The Atlantic Monthly Press, 1993), he sent me a photocopy of some pages from the book:

Excerpt from "Friendly Spies" by Peter Schweizer, pp. 158-163
[...]
Inside a looking-glass-covered professional building on a wooded lot on the
outskirts of Frankfurt, important work is taking place that could revolutionize
the field of economic intelligence and espionage. Approximately thirty-six
computer specialists and senior intelligence officials are working on a
top-secret project to bring computer hacking into the realm of spying and
intelligence. They hope that through the use of sophisticated computers and
specially trained personnel, German intelligence agents will be able to enter
computer data bases of corporations and foreign governments around the world.
And the access could be achieved while the agents remained thousands of miles
away.
The few scholars who have ventured into the field of professional computer
hacking by national intelligence agencies give the Germans high marks in this
area. A paper delivered by computer specialist Wayne Madsen to a
computer-security conference in Helsinki in 1990 provides a rating of each of
the world's national intelligence services in terms of its capabilities to hack
as a means of engaging in computer espionage. Madsen rated German capability
"excellent."
The German effort was dubbed Project Rahab, named for the harlot who helped the
Israelites infiltrate Jericho. The concept of bringing computer hacking into
the world of intelligence was developed under then-BND Director Eberhard Blum in
1985. In 1988, the idea was developed further and became an experimental
program.
The original plans for Rahab were drawn up by a BND official named Christian
Stoessel. An expert in computers and computer security, he had been working for
the BND for eight years, tracking the activities of West German computer hackers
and learning about ways in which foreign intelligence services might try to
penetrate BND data bases. He had taken a particular interest in a Hamburg
computer hacker's club called Chaos and was impressed with its technical
proficiency and the technological reach it had achieved with ordinary computers.
"He wanted to harness the power [of the computer] to serve our intelligence
ends," says a former colleague.
In August 1988, Stoessel issued an eighteen-page paper concerning his findings
and the feasibility of using hacking for intelligence purposes, and he submitted
it to senior directors of the BND's Division II. He proposed that the BND
establish a hybrid project to explore the possibility of developing an arm of
Division II that would be devoted to entering systematically the data bases of
foreign governments and companies.
Although neither Stoessel nor senior officials of Division II spoke about
potential targets while in the conceptual stage, U.S. intelligence officials are
adamant that the focus of the main effort was intended to be Germany's Western
allies. "As much as they may like the claim that they wanted a worldwide
capability to target anybody, that claim just doesn't hold water," says a
senior U.S. counterintelligence official. "No one in what at that time was the
Soviet bloc really had the sort of computer network that could be entered. In
the U.S., France, Britain, Japan, and every other Western industrial power, it's
another story. Everybody is linked somehow and therefore accessible."
[...]
In the initial months, Rahab was focused almost exclusively on gleaning as much
as possible from earlier hacker cases. Stoessel used the files he had developed
for protecting BND networks to learn more about how to enter other data bases.
Rahab officials established an internal, detailed computer network to replicate
those they might be attempting to enter. The operation was concerned not only
with data base entry, however, but with all that might be of use to the BND.
Because of an expressed interest in the possibility of using the Rahab network
against the Soviet bloc during a crisis or a war, in April of 1989 the network
was subjected to deliberate attempts to replicate a computer virus that had been
created by a West German hacker named Bernd Fix. Like all such viruses, this
one had two parts: a code that infected other programs by duplicating itself
with those programs and a function that, once planted, could erase or damage
magnetic data or interfere with normal computer operations.
Fix's virus attracted the Rahab team because it was particularly powerful. It
was capable of destroying all the information in a large mainframe computer in a
matter of minutes. If widely used, it could render national computer systems
useless in the course of a few hours. But it was also dangerous. By their
nature, viruses cannot be contained, and Rahab officials recognized that for
practical purposes using the Fix virus against a potential enemy could
eventually lead to Germany's being infected, too. And, finally, the Fix virus
was incredibly complex. Once the program was reproduced by the Rahab team, it
would take twenty hours of programming to recreate it from start to stop.
BND agents, with the cooperation of the BfV, did extensive research on other
hackers, including individual members of the infamous Chaos Club. According to
one German official with knowledge of Rahab, BND officials were truly shocked at
what they learned: "They discovered that they knew very little about hacking."
They learned, for example, that it was not technique that mattered so much as
understanding one secret: few legitimate owners of information install computer
security products properly. Once you figured out the flaw in the installation,
you could easily defeat them.
[...]

Can all this be true?

I was quite surprised when I read the text above for the first time - and my first question
was whether all this can be true - and if it is true, what does that mean for me?
Is Peter Schweizer a reliable source for this kind of information? Officially
he is a Visiting Scholar at the Hoover Institution on War, Revolution and Peace
at Stanford University. British and German journalists I talked to said that he is
not a good author but nevertheless has to be taken seriously. At least he has a chance
to know about such things, for he has a working relationship with people like
Caspar Weinberger.
But what if he is not that reliable and the whole story is just fiction? He possibly
read about my mainframe virus in "International Business Week" from August 1988 or
talked to someone who told him about it. It is something anyone can find out.
The SWIFT story is probably related to my talk at SIBOS'89 in Stockholm. SIBOS is
the annual meeting of all those bankers worldwide who are responsible for the
electronic funds transfer between banks and nations based on SWIFT. I was invited
and gave a talk about computer security, especially the security holes in the VAX
operating system that made the NASA hack (and others) possible. Did Peter Schweizer
just use too much imagination, and is this SWIFT hack fiction?
What about the other persons mentioned in the book? Do they really exist? Do they
work for the BND? Will they ever tell?
So the chances of finding out what really happened are rather small. In Germany
nothing like the "Freedom Of Information Act" exists, so there are no legal means
to get access to BND files, even if you yourself are involved.
If the BND had actually used my computer virus as a kind of weapon against foreign
computer systems, without any permission from my side, I would be more than upset.

When I started to look for further material on the topic "Project Rahab" on the
internet, I found a lot of "unprovable" quotations from hackers, computer magazine
editors and journalists alike.
At least on the internet I have found nearly nothing worth mentioning for its
content, except the following two pages:
While browsing the web for more information I found the following in the
Los Angeles Times from January 1998, although this may be taken from Schweizer's
book published five years earlier.
Anyway, do you believe that the number "23" is there by chance?

Los Angeles Times, January 12, 1998 (WASHINGTON)
Foreign spies target U.S. industry
FBI says at least 23 nations take part in economic spying
... Fraumann wrote that Germany's Federal Intelligence Service had been
"very active and quite successful" in economic espionage by using a top-secret
computer facility outside Frankfurt to break into data networks and databases
of companies and governments around the world.
Their operation, code-named Project RAHAB, he wrote, involves gaining
systematic entry into computer databases and accessing computer systems throughout
the United States, targeting electronics, optics, avionics, chemistry,
computers and telecommunications.

This page is quite precise with quotations on "Operation Rahab"; but I have
no way to tell if this publication has to be taken seriously.

From: Operations Security - INTELLIGENCE THREAT HANDBOOK
Chapter 5 - ECONOMIC INTELLIGENCE COLLECTION DIRECTED AGAINST THE UNITED STATES
Germany
Germany has been accused of using computer intrusion techniques and SIGINT to gather
information on foreign competitors to be passed on to German companies.[1] There are no
indications of a HUMINT effort against United States corporations, however, it is likely
that German trade officers are collecting economic intelligence through open-source
analysis. The German Federal Intelligence Service (BND) is alleged to have
created a classified, computer intelligence facility outside Frankfurt designed to permit
intelligence officers to enter data networks and databases from countries around the world.
This program, code named Project RAHAB, is alleged to have accessed computers in
Russia, the United States, Japan, France, Italy, and the United Kingdom.[2]
[1] Samuel D. Porteous, "Economic Espionage: Issues Arising from Increased
Government Involvement with the Private Sector," Intelligence and National Security, 9:4,
October 1994, pp. 735-752.
[2] Wayne Madsen, "Intelligence Agency Threats to Computer Security,"
International Journal of Intelligence and Counterintelligence, 6:4, Winter 1993,
pp. 413-488.

Misinformation

It seems to me that some people are telling "wild" stories about "Project Rahab".
So here are two examples of especially silly content, something you encounter quite often
when it comes to hackers and the secret services. They may sound funny to you, but I was
asked a lot of stupid questions because of them...
The first one is from a newsletter, and I still can't believe what CRYPT NEWSLETTER #27
wrote there about me - that I was hired by and worked for the BND. That is complete nonsense.
I have never worked for any secret service and I can't imagine I ever will.
By the way, Schweizer never claimed such a thing, so the people from the CRYPT NEWSLETTER
even cited the original source incorrectly.

From: CRYPT NEWSLETTER 27, September 1994
Editor: Urnst Kouch (George Smith, Ph.D.)
Media Critic: Mr. Badger (Andy Lopez)
Urnst.Kouch@comsec.org
... The special [CHIP magazine] could turn out to be a must read since Germany
is the home of a number of famous figures in the history of computer viruses.
Frankfurt, for example, is the home of Project Rahab.
According to Peter Schweizer's book, "Friendly Spies," [1] Rahab was the
code name for a German intelligence group committed to using hackers and their
methods to gather information and secrets on whatever was of high-tech interest
to the Bundesnachrichtendienst, Germany's CIA analog.
Schweizer claimed the Rahab group routinely included America in its
operations during the early '90s and hired a famous German hacker, Bernd Fix,
to supply a virus for possible military applications.
Fix's work was well known within the circle of experts familiar with PC viruses!
He had provided another German, Ralf Burger, with a disassembly of the famous Vienna
virus and another of his own, Rush Hour, which Burger subsequently reprinted in a
book published in 1987 called "Computer Viruses: A High-Tech Disease." ...
[1] Peter Schweizer, Friendly Spies: How America's Allies are Using
Economic Espionage to Steal Our Secrets, New York: The Atlantic Monthly Press, 1993

This one is really disgusting - no further comment on it.

From: Phrack Magazine, Volume Seven, Issue Forty-Eight, File 2 of 18, Phrack Loopback
Rumor has it that the Internet Liberation Front was behind these viruses
with heavy investment coming from the German Bundesnachrichtendienst's
Project Rahab. These hackers were paid with AT&T calling cards encoded
with a polymorphic encryption scheme, and cocaine.
You can quote me on this.

The End?

This is more or less all I knew about the whole case. Of course there are many
more details, but that's nothing for a web page.
If you have more information on the topic or any comment, feel free to
contact me via email.