Underground: Hacking, madness and obsession on the electronic frontier - Suelette Dreyfus

And the AFP stayed on the line.

In the twelve months following the initial line trace in late 1990, the AFP continued to monitor the RMIT dial-up lines. The line traces kept failing again and again. But as new reports of hacker attacks rolled in, there seemed to be a discernible pattern in many of the attacks. Detectives began to piece together a picture of their prey.

In 1990 and 1991, RMIT dial-ups and computers were riddled with hackers, many of whom used the university's systems as a nest—a place to store files, and launch further attacks. They frolicked in the system almost openly, often using RMIT as a place to chat on-line with each other. The institute served as the perfect launchpad. It was only a local phone call away, it had a live Internet connection, a reasonably powerful set of computers and very poor security. Hacker heaven.

The police knew this, and they asked computer staff to keep the security holes open so they could monitor hacker activity. With perhaps a dozen different hackers—maybe more—inside RMIT, the task of isolating a single cell of two or three organised hackers responsible for the more serious attacks was not going to be easy.

By the middle of 1991, however, there was a growing reluctance among some RMIT staff to continue leaving their computers wide open. On 28 August, Allan Young, the head of RMIT's Electronic Communications Group, told the AFP that the institute wanted to close up the security holes. The AFP did not like this one bit, but when they complained Young told them, in essence, go talk to Geoff Huston at AARNET and to the RMIT director.

The AFP was being squeezed out, largely because they had taken so long conducting their investigation. RMIT couldn't reveal the AFP investigation to anyone, so it was being embarrassed in front of dozens of other research institutions which assumed it had no idea how to secure its computers. Allan Young couldn't go to a conference with other AARNET representatives without being hassled about `the hacker problem' at RMIT. Meanwhile, his computer staff lost time playing cops-and-robbers—and ignored their real work.

However, as RMIT prepared to phase out the AFP traps, the police had a lucky break from a different quarter—NorTel. On 16 September, a line trace from a NorTel dial-up, initiated after a complaint about the hackers to the police, was successful. A fortnight later, on 1 October, the AFP began tapping Prime Suspect's telephone. The hackers might be watching the police watch them, but the police were closing in. The taps led back to Trax, and then to someone new—Mendax.

The AFP considered putting taps on Mendax and Trax's telephones as well. It was a decision to be weighed up carefully. Telephone taps were expensive, and often needed to be in place for at least a month. They did, however, provide a reliable record of exactly what the hacker was doing on-line.

Before police could move on setting up additional taps in Operation Weather, the plot took another dramatic turn when one of the IS hackers did something which took the AFP completely by surprise.

Trax turned himself in to the police.