Review: The Cuckoo’s Egg by Cliff Stoll

The Cuckoo’s Egg (1989) is probably THE classic true computer security incident response story. Cliff Stoll, a man with a doctorate in astronomy, gets a job maintaining the computer systems at an astronomy lab. He is charged with explaining a 75-cent discrepancy in the accounts and finds that someone has broken into the network. The intruder jumps from the lab computer to military computers around the United States and turns out to be a foreign spy.

The year was 1986. Computer firewalls had not yet been invented. Laws barely existed that covered computer crime. People who broke into computer networks without authorisation had been charged with “stealing electricity”. The three-letter agencies in the United States had not yet figured out the scale of computer insecurity or its possibilities and were not interested in investigating cases. This backdrop makes The Cuckoo’s Egg fascinating.

If the book were written today, it would not be called The Cuckoo’s Egg. Today we would just call it a backdoor into the system. Information security was such a new discipline in the ’80s that Cliff got to invent his own phrase to describe what is now standard terminology known even to the layman. (Unfortunately we do not use Cliff’s choice of words today.)

Cliff painstakingly sets up a monitoring mechanism to detect the intruder and track his activities in a manner that the intruder will not notice. The intruder uses dictionary words such as “Hunter” and “Hedges” for his passwords. Cliff’s monitoring system calls him at all sorts of hours to watch the intruder in action. Cliff makes contact with people all over the US to trace the intruder. Only after months of monitoring and meetings with the agencies do they finally get around to moving against the perpetrator.

Throughout, Cliff struggles with his politics. As a long-haired hippie, he probably has more in common with the hacker than with the suited g-men of the agencies. Cliff’s interactions with the spooks and with characters such as Robert “Bob” Morris of the cybersecurity command make for good reading. Over the course of his investigation, he finds that his politics also change as he realises that the intruder is destroying the trust needed for the internet to be the medium for sharing information that he expects it to be. An astronomer, Cliff is an unlikely person to be considered a computer expert. He was in the right place at the right time and he made the most of his opportunity, leading to arrests in an international investigation. A bonus is thrown in at the end: Cliff is one of the experts called in to deal with the Morris Worm – a computer worm that brought down a large number of internet-connected UNIX servers.

The book is written with a great sense of humour. Cliff, despite having a PhD, successfully plays the ‘little guy’ making his little dent in the information security universe, and in fact making it profoundly better. It is a nice read for the layman about information security (or cybersecurity) as a discipline finding its feet and taking baby steps. We all use computers and we need to know what can be done with them. Importantly, the book describes the ‘security guys’ as ordinary, relatable human beings with ordinary lives and ordinary motivations.

The Cuckoo’s Egg is a must-read for information security practitioners, especially incident responders. The tradecraft and dedication shown by Cliff, and the initially surprising revelation that the hacker is a spy, should motivate incident responders and other security professionals in their jobs.

Review: No place to hide – Edward Snowden, the NSA, and the US surveillance state

Glenn Greenwald is the reporter who, along with Laura Poitras, broke the story of Edward Snowden’s leaks about the NSA’s mass-surveillance program in 2013. In “No place to hide” Greenwald tells the story of how the leak happened, from the first contacts with Snowden to the aftermath over the following year. Greenwald also devotes a chapter to explaining why the ordinary person should care about mass government surveillance.

The big story is about the content of Snowden’s leaks, but the reader also gets to understand and appreciate Edward Snowden. Snowden’s motivations for putting his entire future at risk are probably the significant reveal of the book. Snowden has no significant character flaws that suggest he might want to bring down the establishment. He had what might be considered a “decent middle-class” upbringing and was working in highly paid jobs when he stole the classified documents. He even created a manifesto that includes: “While I pray that public awareness and debate will lead to reform, bear in mind that the policies of men change in time, and even the Constitution is subverted when the appetites of power demand it. In words from history: Let us speak no more of faith in man, but bind him down from mischief by the chains of cryptography.” This paraphrases Thomas Jefferson, who said “In questions of power then, let no more be heard of confidence in man, but bind him down from mischief by the chains of the Constitution.”

Many pages of the book are spent on the details, the illegality, the implications and the lack of necessity of the NSA’s bulk data collection. This data is collected from and shared with the partners in the Five Eyes alliance: the UK, Australia, New Zealand and Canada. Greenwald argues that targeted data collection on specific individuals is adequate and effective, and that bulk data collection has been useless in preventing terrorist attacks. Also, despite the stated goal being terrorism prevention, surveillance has been put to use for the economic and diplomatic advantage of the United States. This is precisely what the US has hypocritically asked China to stop doing. And “who watches the watchers?” The FISA court, created to oversee covert operations, is nothing more than a rubber stamp that has not denied a single surveillance request.

Most people are habituated to living in a society where they think allowing the government to read their emails (or pancake recipes) is harmless. “I am too boring to be worth surveilling.” Greenwald has a reply to people holding these attitudes. He explains that most people who would do nothing to challenge the establishment would not feel threatened, but when something that the establishment prefers to keep hidden is in one’s possession, one becomes a target. This has nothing to do with threats to national security; just having opinions or publishing facts that disagree with the establishment can cause a person under such a government much difficulty. In a democracy the ability to criticise the establishment is a freedom that we have, and it is being eroded by having our privacy taken away from us. A response for the “boring” people who will never criticise the establishment: they will be impelled to change their normal behaviour if they feel that they are being watched. Our conversations and whom we talk to are being recorded. Does that not affect what we write about? Also: one closes one’s doors before having sex. This has nothing to do with sex being illegal or immoral and everything to do with humans needing privacy for some activities. We should expect privacy in what we write about in private communications.

The book’s last chapter describes how the American news media have become pliant – willing allies serving the needs of the political establishment instead of the public’s. It is a fascinating read and leaves the reader more politically aware and more aware of how precious one’s privacy is.

This book informs us that we need to make conscious political choices in order to protect personal privacy as a fundamental right. Snowden and other whistleblowers before and after him have faced prosecution from the “liberal” Obama administration. The choice is between a world where no one has privacy and one where the NSA can abuse their surveillance powers at will. It is a must-read to understand the political and technological abuses of power that go on in our modern world and why conscious usage of technology such as encryption can be a political statement and not just a privacy tool.

Review: Ghost in the wires

‘Ghost in the wires’ is the autobiography of Kevin Mitnick, the “world’s most wanted hacker”. The book came out in 2011. Mitnick now claims to be reformed and runs his own security consulting company.

Kevin Mitnick, as a teenager, was curious about breaking into computer systems. He did so, explains in the book how he broke in (mainly by using social engineering methods), and eventually got caught and was sent to a juvenile correctional facility. With this began a cycle that would repeat itself many times throughout the book.

The book is best in the early parts, when Kevin describes one of his hacks. He understood that any system has weaknesses, technical or human. He would find a weakness and exploit it. He would persist if initially unsuccessful. The hacker mindset on display as he attempts to break into something just for the fun of it is something that people would do well to understand. Also, the ease with which systems built by hundreds of people can be subverted using very low-tech methods is something to know about.

As a person with some technical knowledge, I was able to follow a great deal of the technical hacking described in the book. A lot of what is described (“getting root”, “exploit [noun]”, etc.) is incomprehensible to the layman – my father gave the book a try. Surprisingly, the book gets boring after a while. Within the first hundred pages, one learns everything there is to know about Kevin’s non-technical social engineering skills. What follows is a repetition of what already happened: Kevin decides to break into something; he calls someone pretending to be someone else, and elicits and easily gets the required information from them; he breaks in; he learns that law enforcement may have gotten wind of it; he tries to cover his tracks and breaks into something else to get more information. The cycle continues, occasionally punctuated by visits from the police.

The discussion regarding law enforcement is complicated by the fact that they (and the prosecutors) do not appear to have a good grasp of what Kevin has actually done (according to him), accuse him of crimes that he did not commit (according to Kevin), and prosecute him for the same. This is another interesting aspect of the book that everyone trying to stay on the right side of the law in a fully internet-connected world should appreciate.

A serious problem with the book is Kevin’s lack of contrition. He is repeatedly sorry for the harm he did to his loved ones, but has no feelings whatsoever for the companies that he broke into, their employees, or the people whom he insults with snide remarks in his book. His language, as a man in his forties (when the book was written), shows an immaturity that should have ended with his teenage years. Kevin repeatedly refers to the man who caught him, Tsutomu Shimomura, as “Shimmy”; he calls people “bastards”; he unnecessarily names and shames a colleague who may have wanted to have sex with him; etc.

The casual reader would learn much about the vulnerability of the devices and infrastructure that we use from going through about 100 pages of the book. 300+ pages is far too much to read about one egotistical hacker who may not have learned his lessons.