Thursday, July 11, 2019

Recommended reading from ten years ago

I posted this ten years ago, and it's still current. This is probably the best introduction to computer security for non-technical readers. It's really a spy whodunnit story, with literal KGB operatives and valiant defenders of freedom (really!). It also has a pretty good brownie recipe. Along the way, you'll pick up some real computer security knowledge.

And this is a good time to remind folks that I have a Recommended Reading category.

Recommended Reading - The Cuckoo's Egg

Security is always excessive until it's not enough. 
— Robbie Sinclair
Head of Security, Country Energy, NSW Australia

Cliff Stoll has written what is absolutely the best book on computer security, ever. If you're interested in a riveting introduction to the maddening challenges of protecting computers from honest-to-goodness Bad Guys, this should be your first stop.

Stoll would know - as a systems administrator at UC Berkeley in 1986, he caught a German hacker breaking into his computers.
The lecturer on galactic structure droned on about gravitational waves. I was suddenly awake, aware of what was happening in our computer. I waited around for the question period, asked one token question, then grabbed my bike and started up the hill to Lawrence Berkeley Labs.

A super-user hacker. Someone breaks into our system, finds the master keys, grants himself privileges, and becomes a super-user hacker. Who? How? From where?

And, mostly, why?
The hacker was from Germany, and was using Stoll's computers to attack US Military computers. The intruder was looking for information on the Strategic Defense Initiative to sell to the KGB. You couldn't make this up.

That began a long, strange journey for a long-haired hippie from Berkeley, who found, to his surprise, that it was pretty hard to get The Man to sit up and take notice:
It took only one phone call to find out that the FBI wasn't policing the Internet. "Look, kid, did you lose more than a half million dollars?"
"Uh, no."
"Any classified information?"
"Uh, no."
"Then go away, kid." Another attempt at rousing the feds had failed.
So what elite hacking skills did the Bad Guy use? Ninja moves? Ninth-level black belt exploits? No - guessing bad passwords:
He was a burglar, patiently visiting each house. He'd twist the front doorknob to see if it was unlocked, then walk around and try the back door. Maybe try lifting a window or two.

Most of the time, he found the doors and windows locked. After a minute pushing them, he'd move on to the next place. Nothing sophisticated: he wasn't picking locks or digging under foundations. Just taking advantage of people who left their doors open.

One after another, he tried military computers: Army Ballistics Research Lab; U.S. Naval Academy; Naval Research Lab; Air Force Information Services Group; and places with bizarre acronyms, like WWMCCS and Cincusnaveur. (Cincus? Or was it Circus? I never found out.)
Is it easy to break into computers?
Elementary, my dear Watson. Elementary, and tediously dull.
But they were his computers, and he gathered evidence until he was able to get the CIA, NSA, FBI, and German Bundespost interested. And suddenly found himself seemingly on the other side of the counter-culture divide:
This experiment, and a lot of more subtle things about his way of operating, convinced me that he was no idealist. This hacker was a spy.

But I couldn't exactly prove that, and even after I explained my experiment to Laurie, she wasn't convinced. She still thought of anyone working against the military as one of "us," and in her eyes I was persecuting someone on "our own" side.

How do I explain that, having been mixed up in this thing so long, I had stopped seeing clear political boundaries? All of us had common interests: myself, my lab, the FBI, the CIA, NSA, military groups, and yes, even Laurie. Each of us desired security and privacy.
I remember when I was back at Three Letter Intelligence Agency, and he came to talk in Friedman Auditorium. The entire front row was nothing but uniformed Generals, there to see the long-haired anarchist from Berkeley. I remember the room being so quiet you could hear a pin drop when he pointed to the generals and said (paraphrasing from memory after 20 years):
You know why I hated working with you guys? You'd always talk about "the adversary". "The adversary did this," "the adversary is doing that." He's not the adversary - he's breaking into my computers! He's a bastard!
The generals gave him a standing ovation at the end. They didn't care that he didn't own socks. They cheered his passion for protecting security and privacy. Strange bedfellows, indeed.

Stoll set things up so he could monitor every move the hacker made. What he learned was that almost nobody detected the intrusions:
The hacker had tried to chisel into eighty computers. Two system managers had detected him.
A few of his targets weren't sleeping. The day after he tried to pry their doors open, two of them called me. Grant Kerr, of the Hill Air Force Base in Utah, phoned. He was annoyed that one of my users, Sventek, had tried to break into his computer over the past weekend. And Chris McDonald of White Sands Missile Range reported the same.

Super! Some of our military bases keep their eyes open. Thirty-nine in forty are asleep. But there are a few system managers who vigilantly analyze their audit trails.
A few, but not many. Audit trails (or logs, as they're more often called) are boring, with nothing interesting to see - until there's something interesting. Marcus Ranum sums the situation up with his typical wit:
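The audit-trail review the quoted passage praises, as an added example that is not from the book or from this post: a short Python pass over constructed log lines (the line format, host names and the list of well-known default accounts are all assumptions) that flags what Kerr and McDonald noticed, repeated failed logins from one remote account, and what the thirty-nine sleeping sites missed, the same source knocking on many doors, plus any default account that let a remote caller straight in.

```python
"""Review a (constructed) multi-host audit trail the way a vigilant system manager would."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed format: date host event user=... from=...
AUDIT_TRAIL = """\
1986-08-16 hill-afb  LOGIN_FAIL user=sventek from=lbl-csam
1986-08-16 hill-afb  LOGIN_FAIL user=sventek from=lbl-csam
1986-08-16 hill-afb  LOGIN_FAIL user=sventek from=lbl-csam
1986-08-16 hill-afb  LOGIN_OK   user=kerr    from=console
1986-08-16 wsmr      LOGIN_FAIL user=sventek from=lbl-csam
1986-08-16 wsmr      LOGIN_FAIL user=sventek from=lbl-csam
1986-08-17 brl       LOGIN_FAIL user=guest   from=lbl-csam
1986-08-17 brl       LOGIN_OK   user=guest   from=lbl-csam
1986-08-17 usna      LOGIN_OK   user=jones   from=console
"""

# Assumed list of vendor/default accounts that an unchanged password leaves "unlocked".
DEFAULT_ACCOUNTS = {"guest", "field", "system"}

LINE = re.compile(r"^(\S+) (\S+)\s+(LOGIN_FAIL|LOGIN_OK)\s+user=(\S+)\s+from=(\S+)$")

def parse(trail):
    """Yield (date, host, event, user, source) for each well-formed line; skip the rest."""
    for raw in trail.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groups()

def review(trail, fail_threshold=2):
    """Summarise one audit trail: repeated failures per host/account/source,
    remote sources that tried more than one host, and default accounts that let
    a remote caller in."""
    fails = defaultdict(int)         # (host, user, source) -> failed attempts
    hosts_probed = defaultdict(set)  # source -> hosts it touched
    open_doors = set()               # (host, user): default account, remote success
    for _date, host, event, user, source in parse(trail):
        if source == "console":
            continue                 # local logins are not what we are hunting
        hosts_probed[source].add(host)
        if event == "LOGIN_FAIL":
            fails[(host, user, source)] += 1
        elif user in DEFAULT_ACCOUNTS:
            open_doors.add((host, user))
    return {
        "repeated_failures": {k: n for k, n in fails.items() if n >= fail_threshold},
        "roaming_sources": {s: sorted(h) for s, h in hosts_probed.items() if len(h) > 1},
        "open_doors": sorted(open_doors),
    }
```

Each host on its own only sees "repeated_failures"; the "roaming_sources" finding only appears when the trails from several sites are reviewed together, which is exactly the cross-organization view nobody had.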

And it wasn't just the military, who you'd think would be interested in security. Other folks were hit - folks you'd think were best positioned to defend themselves:
Wait a second. What other defense contractors had been hit? I scribbled a list on a pad of paper:

Unisys. Makers of secure computers.

TRW. They make military and space computers.

SRI. They've got military contracts to design computer security systems.

Mitre. They design high-security computers for the military. They're the people that test NSA's secure computers.

BBN. The builders of the Milnet.

What's wrong with this picture? These are the very people that are designing, building, and testing secure systems. Yet hackers traipse freely through their computers.
Finally, Stoll's evidence was overwhelming, and his new-found friends in the Defense Department started to close in on the hacker. But he was still in the thick of things:
"I just got a message from Wolfgang Hoffman at the German Bundespost. He says that there'll be a full-time policeman outside the hacker's apartment on Monday through Wednesday of next week. They'll keep watch continually, and they'll rush in to make an arrest as soon as he connects to Berkeley."

"How will the cop know when to bust in?"

"You'll give the signal, Cliff."
The book reads like a spy novel, and in a sense it is - only this really happened. It's an entertaining read, and along the way you'll pick up some solid Unix security tips. Painlessly.

I gave this to mom to read, in the 1990s, to give her a better idea of the sort of work I do. She liked it. I also gave it to #1 Son when he was 13, for the same reason. He liked it, too. If you're remotely interested in computer security, you'll like it, too.


Peter B said...

Thanks for the reminder. It's a very good book. Despite his not having the research job he wanted because the funding had run out and the systems administration job was very much Plan B, Clifford Stoll owned his job, applied his considerable intelligence to doing it well and was dead honest, all of which the generals recognized and admired.

It began with billing discrepancies for email, back when each email was billable. Fractions of pennies here and there. But Stoll realized that if pennies were doing weird things, there was no reason at all that a lot of money couldn't do weird things too. He determined to find out why, and one thing led to another.

Anonymous said...

I agree; if this isn't required reading in every course even remotely related to system security, it should be.

Two things jumped out at me from Stoll's book: how incredibly fragmented and uncoordinated security was across the industry, especially in organizations which one would expect to have extreme concern about data confidentiality; and the lack of concern any one organization had about what was obviously not just "a 'roaming' intruder" but highly likely the SAME intruder penetrating systems belonging to similar, and in some cases affiliated, organizations (some of which were, shall we say, "somewhat familiar to me").

Reminded me of the old joke about 2 guys in a boat that starts leaking; guy 1 is bailing and asks guy 2 if he's going to help. Guy 2 responds with "Why? The leak isn't in my end of the boat."

The book dates back to - IIRC, 1989 (I need to re-read it); I wonder if there have been any significant organizational - and cognitive - improvements since.

The Lab Manager said...

I remember reading that one years ago in college. Impressive story; though Stoll is a bit of a weirdo, you have to give him credit here for doing something when no one else would.

waepnedmann said...

I have an older friend and a Millennial family member who do IT and by default are responsible for the computer security of their firms.
My friend will patiently listen to me when I begin a sentence with, "Borepatch sez..." To which he replies, "Yep".
The Millennial just ignores me. I have sent him books in the past and get no acknowledgement that he received them. The only reason I am tempted to share your nuggets of wisdom with him is so that one day I can say, "I told you so."

Borepatch said...

Waepnedmann, thanks. Your experience with your young family member reminds me of Mark Twain's saying that when he was 15 his father was so ignorant that he couldn't stand it. He was amazed at how much his father had learned in the next 5 years.