Book Review: The Cuckoo's Egg
The Cuckoo's Egg – Tracking a Spy Through the Maze of Computer Espionage, by Clifford Stoll (Doubleday, 1989, hardcopy ISBN 0-385-24946-2; 2015 paperback ISBN 0-7434-1146-3 – inexpensive used copies available at Amazon.com).
I've been re-reading Cliff Stoll's The Cuckoo's Egg, as an enjoyable holidays diversion and a real trip in the way-back machine! I don't recall exactly when I first read this book – must have been in the early 1990s – but re-reading it from the distance of almost 30 years (New Year's 2019) has been a whole new experience.
This is Cliff Stoll's chronicle about chasing an early black-hat hacker (a system cracker, a bad-guy, a proto-cyber-criminal) in the early days of networked computers, with primitive trans-Atlantic connections, Tymnet, early Ethernet/LAN, and a nascent Internet with only a few hundred thousand [!!] computers connected overall, mostly in universities, the military and some businesses.
In the mid-1980s, Stoll was an astronomer at Lawrence Berkeley Labs who got displaced (reassigned?) to computer system management duties, on DEC VAX computer systems (he spells 'em as “Vax”, as a proper noun, not the acronym that it is) running both VMS and Unix (the “enlightened” Berkeley flavor, of course). The LBL user community included astronomers, physicists, and plenty of other scientific-academic types. Attitudes were informal, open, sharing, and security-naïve; Stoll's world-view, like most of his colleagues, was idealistic, a bit socialist, hippie-soaked, fully distrustful of authority, “the man,” and of government in general. Yet he had to turn to members in the usual TLA (three-letter-acronym) organizations for help in his pursuit.
Researching a 75¢ computer time accounting error (yes, they “charged for computer time” in those days), he discovered a black-hat cracker in the LBL computer systems – he then spent the next months trying to chase the interloper down. The story is all about Cliff's persistence, frustrations, and the learning he earned in the pursuit: networks, hardware, telecomm, OOP, Unix and VMS, and more. Spoiler alert… He caught the bad guy – actually, a whole spy ring; not surprising, given the KGB's sponsorship of early break-in activities during the last years of the Cold War. Stoll was, temporarily at least, acclaimed as a national hero. Actually, quite an intriguing detective and espionage story.
The author's narrative includes a few peculiarities, even an occasional technical error, such as his persistence in using the typography “Vax” rather than VAX. In some places, his explanation of technology or methods is, well… quaint. A real VMS technical howler occurs in the first couple of pages of Chapter 37 (page 185 of the original hardback edition), in a replica of VMS output – can you spot it?
But what struck me most, from this perspective of 30-odd years later, is just how innocent and naïve everyone was about computer security in those days. Especially in academe and the research labs, passwords were viewed as an anti-social obstacle, and were treated cavalierly at most military installations. The bad-guy “broke into” several military VMS systems just by “guessing” the default passwords for the privileged
SYSTEM (default password
SERVICE) sys-admin accounts – fortunately, secure VMS system installation has progressed considerably beyond those defaults today. The bad-guy also broke numerous Unix systems, trying and succeeding with privileged
root account passwords (including
root and even “none,” no password!). Several government contractors (major defense-industry corporations) were “wide open” and available for the bad-guy to leap-frog through to other systems; all while the defense contractors' system managers were professing that “our systems are totally secure and impenetrable!” Stoll showed them all a new, emerging reality.
In the intervening 30 years, we've seen not only the rise to domination of today's Internet (remember, it was immature when Stoll wrote this book), and the eclipse or transformation of the ad-hoc point-to-point networks, Tymnet, and the dedicated MilNet. The U.S. Armed Forces made a big noise about “security” and “classified/top-secret,” but were largely clueless about its implementation on actual computer systems. The TLA-organizations, including the FBI and CIA, were similarly clueless, both about the technology and about the application of then-available cyber-crime laws. The NSA was no help at all, although it's tiny new offshoot organization, the NCSC (National Computer Security Center), became an interested ally. Since the bad-guys were ultimately tracked to Germany, jurisdictional issues and “not my bailiwick” tied Stoll's hands right down to the end of the chase.
In the 21st Century, we have of course seen the true rise of computer crime (along with terrorism), and the popularization – so often misunderstood and misrepresented in the mass media and the corporate boardroom – of computer security. Our societal response has been corporate security policies, password complexity rules, firewalls and anit-virus software. And yet, corporate and government computer system break-ins and data theft has only escalated. It would seem that the bad-guys have improved their learning, methods and technology much faster than their victims have…
Why am I recommending that you read a 30+ year-old book? Well, partly because I'm not only an old VMS and computer geek, but also a computing history geek. Both VAX/VMS and Unix are featured players in this story, a perfect fit for PARSEC and its customers and friends. At three decades remove, Stoll's tale of computer crime, and of the adjunct security naïvety, is as relevant today as it was then.
Yet it's one thing to smile and smirk at the innocence, the immature understanding of computer technology, and of technology's impact on business, governance and society. But it makes you wonder: Are we any more sophisticated, or wise, about computer security issues and practice today?
Read this book… and decide for yourself.