Saturday, July 11, 2009

Recommended Reading - The Cuckoo's Egg

Security is always excessive until it's not enough.
— Robbie Sinclair
Head of Security, Country Energy, NSW Australia

Cliff Stoll has written what is absolutely the best book on computer security, ever. If you're interested in a riveting introduction to the maddening challenges of protecting computers from honest-to-goodness Bad Guys, this should be your first stop.

Stoll would know - as a systems administrator at UC Berkeley in 1986, he caught a German hacker breaking into his computers.

The lecturer on galactic structure droned on about gravitational waves. I was suddenly awake, aware of what was happening in our computer. I waited around for the question period, asked one token question, then grabbed my bike and started up the hill to Lawrence Berkeley Labs.

A super-user hacker. Someone breaks into our system, finds the master keys, grants himself privileges, and becomes a super-user hacker. Who? How? From where?

And, mostly, why?

The hacker was from Germany, and was using Stoll's computers to attack US Military computers. The intruder was looking for information on the Strategic Defense Initiative to sell to the KGB. You couldn't make this up.

That began a long, strange journey for a long-haired hippy from Berkeley, who found to his surprise that it was pretty hard to get The Man to sit up and take notice:

It took only one phone call to find out that the FBI wasn't policing the Internet. "Look, kid, did you lose more than a half million dollars?"
"Uh, no."
"Any classified information?"
"Uh, no."
"Then go away, kid." Another attempt at rousing the feds had failed.

So what elite hacking skills did the Bad Guy use? Ninja moves? Ninth-level black belt exploits? No - guessing bad passwords:

He was a burglar, patiently visiting each house. He'd twist the front doorknob to see if it was unlocked, then walk around and try the back door. Maybe try lifting a window or two.

Most of the time, he found the doors and windows locked. After a minute pushing them, he'd move on to the next place. Nothing sophisticated: he wasn't picking locks or digging under foundations. Just taking advantage of people who left their doors open.

One after another, he tried military computers: Army Ballistics Research Lab; U.S. Naval Academy; Naval Research Lab; Air Force Information Services Group; and places with bizarre acronyms, like WWMCCS and Cincusnaveur. (Cincus? Or was it Circus? I never found out.)


Is it easy to break into computers?
Elementary, my dear Watson. Elementary, and tediously dull.
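
The door-rattling described above leaves exactly the trace in an audit trail that Stoll later relies on: a run of failed logins under stock account names from one source, followed by one success. As an added example that is not from the book or this post, the script below parses constructed, modern sshd-style log lines (the format, host name, addresses and account names are all made up for the example) and flags each source that fails repeatedly and then gets in.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a modern sshd syslog (not from the book
# or the post).  The hacker's "door rattling" shows up as a run of failures from
# one source; the event worth waking up for is the single success that follows.
SAMPLE_LOG = """\
Jan 3 02:10:01 lbl-unix sshd[411]: Failed password for invalid user guest from 192.0.2.77 port 40101 ssh2
Jan 3 02:10:09 lbl-unix sshd[412]: Failed password for invalid user field from 192.0.2.77 port 40102 ssh2
Jan 3 02:10:17 lbl-unix sshd[413]: Failed password for root from 192.0.2.77 port 40103 ssh2
Jan 3 02:10:25 lbl-unix sshd[414]: Failed password for invalid user system from 192.0.2.77 port 40104 ssh2
Jan 3 02:10:33 lbl-unix sshd[415]: Accepted password for sventek from 192.0.2.77 port 40105 ssh2
Jan 3 08:15:40 lbl-unix sshd[520]: Failed password for cliff from 198.51.100.9 port 51000 ssh2
Jan 3 08:15:52 lbl-unix sshd[521]: Accepted password for cliff from 198.51.100.9 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_auth_lines(text):
    """Yield (result, user, src) for each sshd password line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")

def find_door_rattlers(text, min_failures=3):
    """Return {src: {"failures": n, "users": [...], "success_as": user-or-None}}
    for every source with at least min_failures failed logins.  A success that
    follows the failures is the unlocked door a sleeping admin never notices."""
    per_src = defaultdict(lambda: {"failures": 0, "users": [], "success_as": None})
    for result, user, src in parse_auth_lines(text):
        rec = per_src[src]
        if result == "Failed":
            rec["failures"] += 1
            if user not in rec["users"]:
                rec["users"].append(user)
        elif rec["failures"] > 0:  # a success only matters after prior failures
            rec["success_as"] = user
    return {src: rec for src, rec in per_src.items() if rec["failures"] >= min_failures}

if __name__ == "__main__":
    for src, rec in find_door_rattlers(SAMPLE_LOG).items():
        print(f"{src}: {rec['failures']} failures as {rec['users']}, "
              f"then logged in as {rec['success_as']}")
```

A single mistyped password from a legitimate user (the second source) stays below the threshold; the burst of stock account names followed by an accepted login is the pattern that the two alert system managers in the book would have caught.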

Dull or not, they were his computers, and he gathered evidence until he was able to get the CIA, NSA, FBI, and German Bundespost interested. He suddenly found himself seemingly on the other side of the counter-culture divide:

This experiment, and a lot of more subtle things about his way of operating, convinced me that he was no idealist. This hacker was a spy.

But I couldn't exactly prove that, and even after I explained my experiment to Laurie, she wasn't convinced. She still thought of anyone working against the military as one of "us," and in her eyes I was persecuting someone on "our own" side.

How do I explain that, having been mixed up in this thing so long, I had stopped seeing clear political boundaries? All of us had common interests: myself, my lab, the FBI, the CIA, NSA, military groups, and yes, even Laurie. Each of us desired security and privacy.

I remember when I was back at Three Letter Intelligence Agency, and he came to talk in Friedman Auditorium. The entire front row was nothing but uniformed Generals, there to see the long-haired anarchist from Berkeley. I remember the room being so quiet you could hear a pin drop when he pointed to the generals and said (paraphrasing from memory after 20 years):

You know why I hated working with you guys? You'd always talk about "the adversary". "The adversary did this," "the adversary is doing that." He's not the adversary - he's breaking into my computers! He's a bastard!

The generals gave him a standing ovation at the end. They didn't care that he didn't own socks. They cheered his passion for protecting security and privacy. Strange bedfellows, indeed.

Stoll set things up so he could monitor every move the hacker made. What he learned was that almost nobody detected the intrusions:

The hacker had tried to chisel into eighty computers. Two system managers had detected him.

A few of his targets weren't sleeping. The day after he tried to pry their doors open, two of them called me. Grant Kerr, of the Hill Air Force Base in Utah, phoned. He was annoyed that one of my users, Sventek, had tried to break into his computer over the past weekend. And Chris McDonald of White Sands Missile Range reported the same.

Super! Some of our military bases keep their eyes open. Thirty-nine in forty are asleep. But there are a few system managers who vigilantly analyze their audit trails.

A few, but not many. Audit trails (or logs, as they're more often called) are boring, with nothing interesting to see - until there's something interesting. Marcus Ranum sums the situation up with his typical wit:

And it wasn't just the military, which you'd think would be interested in security. Other folks were hit - folks you'd think were best positioned to defend themselves:

Wait a second. What other defense contractors had been hit? I scribbled a list on a pad of paper:

Unisys. Makers of secure computers.

TRW. They make military and space computers.

SRI. They've got military contracts to design computer security systems.

Mitre. They design high-security computers for the military. They're the people that test NSA's secure computers.

BBN. The builders of the Milnet.

What's wrong with this picture? These are the very people that are designing, building, and testing secure systems. Yet hackers traipse freely through their computers.

Finally, Stoll's evidence was overwhelming, and his new-found friends in the Defense Department started to close in on the hacker. But he was still in the thick of things:

"I just got a message from Wolfgang Hoffman at the German Bundespost. He says that there'll be a full-time policeman outside the hacker's apartment on Monday through Wednesday of next week. They'll keep watch continually, and they'll rush in to make an arrest as soon as he connects to Berkeley."

"How will the cop know when to bust in?"

"You'll give the signal, Cliff."

The book reads like a spy novel, and in a sense it is - only this really happened. It's an entertaining read, and along the way you'll pick up some solid Unix security tips. Painlessly.

I gave this to mom to read, in the 1990s, to give her a better idea of the sort of work I do. She liked it. I also gave it to #1 Son when he was 13, for the same reason. He liked it, too. If you're remotely interested in computer security, you'll like it, too.


none said...

One of my favorite books.

Anonymous said...

It is a good book. I should find my copy before something happens to it.

I heard the guy speak at a computer security conference (or maybe a Cisco Networkers conference) a few years ago.

wolfwalker said...

I read The Cuckoo's Egg years ago. His stories of default passwords and easily-guessed passwords -- on classified computers -- are simply appalling. Never again did I believe it's possible to make a networked computer secure. And today the problem is much worse. Stoll's experience dates from before the Internet went public or the Web was created.