Patrick Chen

INLS 187

4/9/03


Book Review: The Cuckoo’s Egg

By Clifford Stoll  Doubleday 1989


Initially, I decided to read this book expressly because Schneier had referenced it as a book about a gang of hackers gathering information for the KGB for cash and cocaine.  Finally! I thought, a group of hackers that lived up to the image of the cool, against-the-system rebel.  Just a couple of dudes making the rules up as they go.  Unfortunately, or perhaps fortunately, this did not turn out to be the case.  Instead the book was about a kind-hearted hippie from Berkeley and his travails sniffing out and eventually catching a ragtag band of hacker scum.  Clifford Stoll, a star-gazing hippie and reluctant system administrator for the University of California, Berkeley, chronicles his pioneering efforts to foil a group of online hackers from Germany in the employ of the KGB.  Cliff started his career as a security expert by virtue of being a newly unemployed astronomer.  Lucky for him, UC Berkeley was in the habit of “recycling its astronomers”, so that when his grant money ran out, Cliff was given a job at one of Berkeley’s computer labs.

This lab sold processing time on several systems to various departments, and as a training exercise Cliff was given the job of auditing the accounting software.  It seems that the accounting system, a motley composite of home-grown code, had made an error totaling about 75 cents.  Despite the mind-numbing prospect of going through tons of code written in several ancient tongues, Cliff took the task as a challenge and plunged right in.  When all was said and done, however, Cliff came to the realization that in fact the fault lay not in accounting but in administration.  Apparently someone had added a user, Hunter, without going through the proper channels, i.e. without establishing a proper billing profile.  Instead, it would seem, someone had just created a user willy-nilly.  After checking around, Cliff found that not only was this not true, but it was impossible, as the whole process was automated.  What could explain this new user who wasn’t billed because he had bogus billing information?  At about this time, the lab also received an email from a system administrator that someone from their lab had tried to break into their system.  The only person online at the time was a user named Sventek, a username that belonged to someone who was at the time living in England.  These are the scents that eventually led Cliff on a merry chase from California to Virginia, eventually ending up in Germany.
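The 75-cent discrepancy is worth dwelling on, because it is the kind of check a defender can automate: compare what the usage meter says was consumed with what the billing records can actually invoice, and any gap points at an account that exists outside the normal provisioning path. The following is an added example, not code from the book or from Stoll's lab; the flat CPU rate, the data classes, the sample usage records and the names alice, bob and hunter are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed flat rate for metered CPU time (constructed value, not the lab's real tariff).
RATE_CENTS_PER_CPU_HOUR = 1800


@dataclass(frozen=True)
class UsageRecord:
    """One line from the usage meter: who ran, and for how long."""
    username: str
    cpu_seconds: int


@dataclass(frozen=True)
class BillingProfile:
    """One line from the billing database: who we know how to invoice."""
    username: str
    department: str


def charge_cents(cpu_seconds: int) -> int:
    """Convert metered CPU seconds into cents at the flat rate (integer cents)."""
    return (cpu_seconds * RATE_CENTS_PER_CPU_HOUR) // 3600


def reconcile(usage: List[UsageRecord],
              profiles: List[BillingProfile]) -> Tuple[int, int, List[str]]:
    """Compare metered usage against billable usage.

    Returns (metered_cents, billable_cents, unbilled_usernames).  Any account
    that shows up in the usage log but has no billing profile contributes to
    metered_cents and not to billable_cents; the difference is the
    "accounting error" that is really an administration problem.  Because
    account creation is supposed to be fully automated and always creates a
    profile, an orphan account here means someone bypassed that process.
    """
    known = {p.username for p in profiles}
    metered = sum(charge_cents(u.cpu_seconds) for u in usage)
    billable = sum(charge_cents(u.cpu_seconds) for u in usage if u.username in known)
    orphans = sorted({u.username for u in usage if u.username not in known})
    return metered, billable, orphans


# Constructed sample data: two properly provisioned users plus one that was
# added without a billing profile.
USAGE = [
    UsageRecord("alice", 7200),
    UsageRecord("bob", 3600),
    UsageRecord("hunter", 150),
]
PROFILES = [
    BillingProfile("alice", "physics"),
    BillingProfile("bob", "chemistry"),
]


def audit() -> Dict[str, object]:
    """Run the reconciliation over the sample data and summarise the result."""
    metered, billable, orphans = reconcile(USAGE, PROFILES)
    return {
        "metered_cents": metered,
        "billable_cents": billable,
        "discrepancy_cents": metered - billable,
        "unbilled_accounts": orphans,
    }


if __name__ == "__main__":
    print(audit())
```

Run as a script it reports a 75-cent gap and names `hunter` as the account nobody can bill. The point of the design is that the check does not care how the account was created; it only asks whether every consumer of resources is also known to the system of record, which is exactly the question that exposed the intruder in the book.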

Rather than simply booting out the hacker, Cliff realizes that, due to the lack of security communication in the industry at this time, the hacker would just go on to break into other systems unmonitored.  In addition, Cliff was having a hard time getting any official assistance from the government.  He couldn’t convince the FBI to take this activity seriously, since it was so far outside the agency’s traditional boundaries.  Other government agencies were unable to assist, since domestic affairs were strictly outside their bailiwick.  In essence, Cliff was on his own.  Instead of giving up, he decided to tap into the hacker’s data trail and consequently spent the next year watching the hacker’s methodical attempts to gain access to every computer he could find on Milnet (the military network of non-classified computers), all the while steadily building a case against him.  Eventually Cliff gets enough juice to get the government suits off their duffs and produce warrants, which eventually led to arrests made in a small town in Germany.

Clearly this short synopsis doesn’t do credit to what I felt was a great book.  Cliff’s writing style is very enjoyable to read, and his story is just the right mix of technical detail and real-life color.  One of the main points that I think is illustrated in this book is the need in the computing community for constant communication.  One of the main reasons for Cliff tracking the hacker was his inability to warn others of the flaws in their security.  The hacker’s attempts to gain access boiled down to trying the factory-standard passwords that came with the boxes, a very primitive attack that could easily have been prevented with increased awareness.  Once on the system, the hacker exploited a flaw in the GNU Emacs program on the Unix system that allowed him to place the “cuckoo’s egg” that eventually gave him root access.  These days information on the latest hacks is available very quickly; back then it was all by word of mouth.

Another very clear theme of this book is the responsibility we all have to be good online citizens.  By exploiting the trust that is needed to encourage a working online environment, the hackers not only cost thousands of dollars in damages, but they also made it harder for system administrators to have open computing environments.  Nowadays, with the increased prevalence of online mischief, administrators are constantly struggling to balance ease of access against good security.

I think that this is a very good book for readers who are not very familiar with security issues but understand basic programming.  I don’t know that much about security but found the book very readable and insightful.  The book may be losing some of its relevance, since so much has changed since the late eighties, but I think that at its core its message is still germane.