User Tools

Site Tools


the_cuckoos_egg

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Last revision Both sides next revision
the_cuckoos_egg [2019/01/02 01:53]
lricker wip
the_cuckoos_egg [2019/01/02 02:38]
lricker final version
Line 5: Line 5:
 This is Cliff Stoll'​s chronicle about chasing an early black-hat hacker (a system cracker) in the early days of networked computers, with primitive trans-Atlantic connections,​ Tymnet, early LAN/​Ethernet,​ and a nascent Internet with only a few hundred thousand [!!] computers connected overall, mostly in universities,​ some businesses and the military. This is Cliff Stoll'​s chronicle about chasing an early black-hat hacker (a system cracker) in the early days of networked computers, with primitive trans-Atlantic connections,​ Tymnet, early LAN/​Ethernet,​ and a nascent Internet with only a few hundred thousand [!!] computers connected overall, mostly in universities,​ some businesses and the military.
  
-In the mid-1980s, Stoll was an astronomer at Lawrence Berkeley Labs who got displaced (reassigned?​) to computer system management duties, on DEC VAX computer systems (he spells 'em as "​Vax",​ as a proper noun, not the acronym that it is) running both VMS and Unix.  The LBL user community included astronomers,​ physicists, and plenty of other scientific-academic types. ​ Attitudes were open, sharing, and security-naïve;​ Stoll'​s world-view, like most of his colleagues, was hippie-derived and fully distrustful of authority, "the man," and of government in general. ​ Yet he had to turn to members in the usual three-letter-acronym organizations for help in his chase.+In the mid-1980s, Stoll was an astronomer at Lawrence Berkeley Labs who got displaced (reassigned?​) to computer system management duties, on DEC VAX computer systems (he spells 'em as "​Vax",​ as a proper noun, not the acronym that it is) running both VMS and Unix (the Berkeley flavor, of course).  The LBL user community included astronomers,​ physicists, and plenty of other scientific-academic types. ​ Attitudes were open, sharing, and security-naïve;​ Stoll'​s world-view, like most of his colleagues, was hippie-soaked, ​fully distrustful of authority, "the man," and of government in general. ​ Yet he had to turn to members in the usual TLA (three-letter-acronymorganizations for help in his chase.
  
-Researching a 75¢ computer time accounting error (yes, they "​charged for computer time" in those days), he discovered a black-hat cracker in the LBL computer systems -- he then spent the next months trying to chase the interloper down.  The story is all about Cliff'​s persistence,​ frustrations,​ and the learning he earned in the pursuit: networks, hardware, telecomm, OOP, Unix and VMS, and more.  Spoiler alert... He caught the bad guy -- Actually, a whole spy ring, not surprising, given the KGB's sponsorship during the last years of the Cold War. Stoll was, temporarily at least, acclaimed as a national hero.  Actually, quite an intriguing detective story.+Researching a 75¢ computer time accounting error (yes, they "​charged for computer time" in those days), he discovered a black-hat cracker in the LBL computer systems -- he then spent the next months trying to chase the interloper down.  The story is all about Cliff'​s persistence,​ frustrations,​ and the learning he earned in the pursuit: networks, hardware, telecomm, OOP, Unix and VMS, and more.  Spoiler alert... He caught the bad guy -- actually, a whole spy ring, not surprising, given the KGB's sponsorship ​of early break-in activities ​during the last years of the Cold War.  Stoll was, temporarily at least, acclaimed as a national hero.  Actually, quite an intriguing detective ​and espionage ​story.
  
 But what struck me most, from this perspective of 30-odd years later, is just how innocent and naïve everyone was about computer security in those days.  Especially in academe and the research labs, passwords were viewed as an anti-social obstacle, and were treated cavalierly at most military installations. ​ The bad-guy "broke into" several military VMS systems just by "​guessing"​ the default passwords for the privileged ''​SYSTEM''​ (default password ''​MANAGER''​) and ''​FIELD''​ (''​SERVICE''​) -- Fortunately,​ VMS system installation has progressed considerably beyond those defaults today. ​ The bad-guy also hit numerous Unix systems, quickly trying and succeeding with common ''​root''​ account passwords (including ''​admin'',​ ''​root''​ and ''​1234''​). ​ Several government contractors (major defense-industry corporations) were "wide open" and available for the bad-guy to leap-frog through to other systems, all while the defense contractors'​ system managers were professing that "our systems are totally secure and impenetrable!" ​ Stoll showed them all a new, emerging reality. But what struck me most, from this perspective of 30-odd years later, is just how innocent and naïve everyone was about computer security in those days.  Especially in academe and the research labs, passwords were viewed as an anti-social obstacle, and were treated cavalierly at most military installations. ​ The bad-guy "broke into" several military VMS systems just by "​guessing"​ the default passwords for the privileged ''​SYSTEM''​ (default password ''​MANAGER''​) and ''​FIELD''​ (''​SERVICE''​) -- Fortunately,​ VMS system installation has progressed considerably beyond those defaults today. ​ The bad-guy also hit numerous Unix systems, quickly trying and succeeding with common ''​root''​ account passwords (including ''​admin'',​ ''​root''​ and ''​1234''​). ​ Several government contractors (major defense-industry corporations) were "wide open" and available for the bad-guy to leap-frog through to other systems, all while the defense contractors'​ system managers were professing that "our systems are totally secure and impenetrable!" ​ Stoll showed them all a new, emerging reality.
  
-In the intervening 30 years, we've seen not only the rise and domination of today'​s Internet (remember, it was immature when Stoll wrote this book), and the eclipse or transformation of the ad-hoc point-to-point networks, Tymnet, and the dedicated ​milnet.  The U.S. Armed Forces made a big noise about "​security"​ and "​classified/​top-secret,"​ but were largely clueless about its implementation on actual computer systems. ​ The TLA-organizations,​ including the FBI and CIA, were similarly clueless, both about the technology and about the application of then-available cyber-crime laws.  The NSA was no help at all, although it's tiny new offshoot organization,​ the NCSC (National Computer Security Center), became an interested ally.   Since the bad-guys were ultimately tracked to Germany, jurisdictional issues and "not my bailiwick"​ tied Stoll'​s hands right down to the end of the chase.+In the intervening 30 years, we've seen not only the rise and domination of today'​s Internet (remember, it was immature when Stoll wrote this book), and the eclipse or transformation of the ad-hoc point-to-point networks, Tymnet, and the dedicated ​MilNet.  The U.S. Armed Forces made a big noise about "​security"​ and "​classified/​top-secret,"​ but were largely clueless about its implementation on actual computer systems. ​ The TLA-organizations,​ including the FBI and CIA, were similarly clueless, both about the technology and about the application of then-available cyber-crime laws.  The NSA was no help at all, although it's tiny new offshoot organization,​ the NCSC (National Computer Security Center), became an interested ally.   Since the bad-guys were ultimately tracked to Germany, jurisdictional issues and "not my bailiwick"​ tied Stoll'​s hands right down to the end of the chase
 + 
 +Why am I recommending that you read a 30+ year-old book?  Well, partly because I'm not only an old VMS and computer geek, but I'm a computer //history// geek.  At three decades remove, Stoll'​s tale of computer crime, and of the adjoining security naïvety, is as relevant today as it was then.  It's one thing to smile and smirk at the innocence, the immature understanding of computer technology, and of technology'​s impact on business, governance and society. ​ But it makes you wonder: ​ Are we any more sophisticated,​ or wise, about computer security issues and practices today? 
 + 
 +Read this book... and decide for yourself.
the_cuckoos_egg.txt · Last modified: 2019/01/02 04:05 by lricker