Review: The Cuckoo’s Egg by Cliff Stoll

The Cuckoo’s Egg (1989) is probably THE classic true computer security incident response story. Cliff Stoll, a man with a doctorate in astronomy, gets a job maintaining the computer systems at an astronomy lab. He is charged with explaining a 75-cent discrepancy in the accounts and finds that someone has broken into the network. The intruder jumps from the lab computer to military computers around the United States and turns out to be a foreign spy.

The year was 1986. Computer firewalls had not yet been invented. Laws barely existed that covered computer crime. People who broke into computer networks without authorisation had been charged with “stealing electricity”. The three-letter agencies in the United States had not yet figured out the scale of computer insecurity or the possibilities and were not interested in investigating cases. This backdrop makes The Cuckoo’s Egg fascinating.

If the book were written today, it would not be called The Cuckoo’s Egg. Today we would just call it a backdoor into the system. Information security was such a new discipline in the ’80s that Cliff got to invent his own phrase to describe what is standard terminology known to the layman today. (Unfortunately we do not use Cliff’s choice of words today.)

Cliff painstakingly sets up a monitoring mechanism to detect the intruder and track his activities in a manner that the intruder will not recognise. The intruder uses dictionary words such as “Hunter” and “Hedges” for his passwords. Cliff’s monitoring system calls him at all sorts of hours to watch the intruder in action. Cliff makes contact with people all over the US to trace the intruder. Only after months of monitoring and meetings with the agencies do they finally move to catch the perpetrator.

Throughout, Cliff struggles with his politics. As a long-haired hippie, he probably has more in common with the hacker than with the suited g-men of the agencies. Cliff’s interactions with the spooks and characters such as Robert “Bob” Morris of the cybersecurity command make for good reading. Along with his investigation, he finds that his politics also change as he realises that the intruder is destroying the trust needed for the internet to be the medium for sharing information that he expects it to be. An astronomer, Cliff is an unlikely person to be considered a computer expert. He was in the right place at the right time and he made the most of his opportunity, leading to arrests in an international investigation. A bonus is thrown in at the end: Cliff is one of the experts called in to deal with the Morris Worm – a computer worm that brought down a large number of internet-connected UNIX servers.

The book is written with a great sense of humour. Cliff, despite being a PhD, successfully plays the ‘little guy’ making his little dent in the information security universe, in fact making it profoundly better. It is a nice read for the layman about information security (or cybersecurity) as a discipline finding its feet and making baby steps. We all use computers and we need to know what can be done with them. Importantly, the book describes the ‘security guys’ as ordinary, relatable human beings with ordinary lives and ordinary motivations.

The Cuckoo’s Egg is a must-read for information security practitioners, especially incident responders. The tradecraft and dedication shown by Cliff and the initially surprising revelation that the hacker is a spy should motivate incident responders and other security professionals in their jobs.

Review: Ghost in the Wires

‘Ghost in the Wires’ is the autobiography of Kevin Mitnick, the “world’s most wanted hacker”. The book came out in 2011. Mitnick now claims to be reformed and has his own security consulting company.

Kevin Mitnick, as a teenager, was curious about breaking into computer systems. He did so, explains in the book how he broke in, mainly by using social engineering methods, and eventually got caught and was sent to a juvenile correctional facility. With this began a cycle that would repeat itself many times throughout the book.

The book is best in the early parts when Kevin describes one of his hacks. He understood that any system has weaknesses, technical or human. He would find a weakness and exploit it. He would persist if initially unsuccessful. The hacker mindset on display as he attempts to break into something just for the fun of it is something that people would do well to understand. Also, the ease with which systems built by hundreds of people can be subverted using very low-tech methods is something to know about.

As a person with some technical knowledge, I was able to follow a great deal of the technical hacking described in the book. A lot of what is described (“getting root”, “exploit [noun]”, etc.) is incomprehensible for the layman – my father gave the book a try. Surprisingly, the book gets boring after a while. Within the first hundred pages, one learns everything there is to know about Kevin’s non-technical social engineering skills. What follows is a repetition of what already happened: Kevin decides to break into something; he calls someone pretending to be someone else, and elicits and easily obtains the required information from them; he breaks in; he learns that law enforcement may have gotten wind of it; he tries to cover his tracks and breaks into something else to get more information. The cycle continues, occasionally punctuated by visits from the police.

The discussion regarding law enforcement becomes complicated by the fact that they (and criminal prosecution) do not appear to have a good grasp on what Kevin has actually done (according to him), accuse him of crimes that he did not commit (according to Kevin) and prosecute him for the same. This is another interesting thing about the book that everyone trying to stay on the right side of the law in a fully internet-connected world should appreciate.

A serious problem with the book is Kevin’s lack of contrition. He is repeatedly sorry for the harm he did to his loved ones, but has no feelings whatsoever for the companies that he broke into, their employees, or the people whom he insults with snide remarks in his book. His language, as a man in his forties (when the book was written), shows an immaturity that should have ended with his teenage years. Kevin repeatedly refers to the man who caught him, Tsutomu Shimomura, as “Shimmy”; he calls people “bastards”; he unnecessarily names and shames a colleague who may have wanted to have sex with him; etc.

The casual reader would learn much about the vulnerability of the devices and infrastructure that we use from going through about 100 pages of the book. 300+ pages is way too much to read about one egoistic hacker who may not have learned his lessons.