Sunday, July 14, 2013

Book Review: The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (1989) by Clifford Stoll


Executive Summary

This book is a part of the cyber security canon. If you are a cyber security professional, you should have read this by now. Twenty years after it was published, it still has something of value to say on persistent cyber security problems like information sharing, privacy versus security, cyber espionage and the intelligence dilemma. Rereading it after 20 years, I was pleasantly surprised to learn how pertinent that story still is. If you are not a cyber security professional, you will still get a kick out of this book. It reads like a spy novel, and the main characters are quirky, smart, and delightful.



Introduction

The Cuckoo’s Egg is my first love. Clifford Stoll published it in 1989, and the first time I read it, I devoured it over a weekend when I should have been writing my grad school thesis. It was my introduction to the security community and the idea that somebody had to protect these new-fangled gadgets called computers. Back in those days, authors put their email addresses in their books, and when I finished reading it, I sent Mr. Stoll a note explaining how much I enjoyed his book. He answered immediately and forever made me a fan. Ever since, I have considered his book to be part of the cyber security canon,[5] books that every practitioner should read early in his or her educational development. But that was more than 20 years ago. I thought I would reread it to see if that was still true. Amazingly, it is. Besides being a window back through time to the beginning of our modern Internet age, Stoll’s book highlights many of the security problems that still plague us today.


The Story

The story itself reads like an Alfred Hitchcock movie. Joe Average-Man -- in this case, Stoll as a hippie-type systems administrator keeping the computers running at the Lawrence Berkeley National Laboratory just outside San Francisco[6] -- is in the right place at the wrong time. Like Cary Grant[7] and Jimmy Stewart[8] before him, Stoll is minding his own business when he stumbles upon a bit of a mystery that, when it all plays out, is much larger than he is. By tracking down a miniscule computer-accounting error, Stoll unraveled an outsourced, Russian-sponsored, international cyber-espionage ring that leveraged the Berkeley computers to break into US military and government systems across the United States. The book documents Stoll’s journey as he tries to get help from the US and German governments to do something about this serious threat that nobody wants to own. As the story unfolds, the reader also gets a fascinating glimpse at how the Internet looked just before it exploded into the commercial and cultural juggernaut that it has become today. 

But the book is not just about ones and zeros. If it is anything, it is also a love story between Stoll and his long-suffering mate, Martha. I say long-suffering because Stoll is the stereotypical absent-minded professor.[1][4] Martha was often annoyed with him as he traipsed off to his lab to see what was going on after one of his alarms or traps fired signifying hacker activity. But Stoll is so charming and the two of them are so sweet together that when they end up getting married at the end of the book, I could not help but cheer. Besides, he shared his not-so-secret chocolate-chip-cookie recipe. 

The interesting dichotomy at play in the book though is how Stoll deals with government authorities. In the book, he describes himself as a “mixed-bag of new-left, harmless non-ideology,” yet he routinely called, cajoled, and coordinated leaders and administrators in the NSA, the CIA, the FBI, and other government and military organizations--bastions of the near and far right. How Stoll gets his head around those two philosophies is fun to read.

It is these interactions with the government that Stoll runs squarely into one of those persistent problems that we still have in the security community today: The government does not like to share. Stoll consistently ran into government bureaucracy: human-government vacuum cleaners who were eager to take any and all information that Stoll had in regard to his investigation but who were also unwilling to share anything that they knew in return. To be fair, the US government today is getting better at this information-sharing thing, but leaders are a long way from implementing a free-flowing information exchange. I am not sure it will ever get there.[9] The government’s reluctance to share is why it is important for like-minded organizations, like the federally encouraged Information Sharing and Analysis Centers (ISACs)[11] and the Defense Industrial Base (DIB),[12] to find ways to share information between members without having to rely on the government.

Which brings us to the second persistent problem. As Stoll is wrapping up the book, he concludes, 
“After sliding down this Alice-in-Wonderland hole, I find the political left and right reconciled in their mutual dependency on computers. The right sees computer security as necessary to protect national secrets; my leftie friends worry about an invasion of their privacy.” 
If that is not the perfect summation of what is going on now with the Edward Snowden investigation, I don’t know what is.[10] The Snowden case is just the last one in a series of privacy-versus-security trade-off debates that the United States and other countries have made in the past twenty years.[16][17][18] As Bruce Schneier points out, this is a false argument: 
“The debate isn't security versus privacy. It's liberty versus control.”[16] 
He and other pundits highlight the fact that this is not an either-or decision. You can have security and privacy at the same time, but you have to work for it. In this book, Stoll was the first one I can remember who raised the issue. He struggled with it back then as we are all doing today.

The third persistent problem is the cyber espionage threat. The commercial world only really became aware of the issue when the Chinese government compromised Google at the end of 2009.[13] The US military had been dealing with the Chinese cyber espionage threat, back then known as TITAN RAIN, for at least the decade before that.[14] But on CPAN’s Book TV program, Stoll claims that his book describes the first public case where spies used computers to conduct espionage, this time sponsored by the Russians.[4] The events in The Cuckoo’s Egg started happening in August 1986,[2][3] almost 15 years before TITAN RAIN, and some of the government characters that Stoll deals with in the book hint that they know about other nonpublic espionage activity that happened earlier than that. The point is that the cyber espionage threat has been around for some 30 years and shows no sign of going away any time soon.

The Chinese government is infamous for its willingness to outsource some of its low-level hacker intelligence-gathering activities to nongovernmental hacking groups. Chinese leaders tend to use semiprofessional hacker groups within their own country for these activities and they have had a lot of success with that model. One reason for that success is that leadership does not appear to be overly concerned if these outsourced hacker groups get caught. There is enough plausible deniability between the government and the outsourced hackers, at least to this point, that the risk to the Chinese government is very small. No other countries overtly follow this cyber espionage model--not the United States, not Israel, not France, and not Russia. From Stoll’s book though, it is obvious that the Russians tried it at least once as far back as the late 1980s. They contracted with some German hackers to collect passwords and interesting research on US government systems.

The fourth and final persistent problem is really not a cyber problem at all but an intelligence discipline problem. Throughout the book, Stoll struggles with the idea of whether or not to publish his findings. He describes the problem like this:
“If you describe how to make a pipe bomb, the next kid that finds some charcoal and saltpeter will become a terrorist. Yet if you suppress the information, people won’t know the danger.”
That is the classic intelligence dilemma. It goes directly to the Snowden issue today wherein the lefties are concerned about privacy and want transparency for all security matters. The righties value security over privacy and worry that transparency will give too much information away to the bad guys. In my heart, I think there is some middle ground that could be reached. Since 9/11, the United States has swung in the direction of security over transparency. I do not see that changing anytime soon. Stoll definitely comes down on the side of transparency though, but like I said, he is a self-described “mixed-bag of new-left, harmless non-ideology.”

A Side Note

On 3 November 1988, 34 minutes after midnight and almost a year after Stoll concluded his forensics investigation on the Russian-sponsored cyber espionage ring, Robert Morris Jr. brought the Internet to its knees.[15] He launched the first ever Internet worm, and for at least some days after, the Internet ceased to function as UNIX wizards of all stripes worked to eradicate the worm from their systems. Aside from the coincidental timing of the worm, the reason this is significant to this book is that Robert Morris’ father, Bob Morris Sr., was Stoll’s contact at the NSA during the investigation. He was one of those human vacuum cleaners taking in information but not giving any out. By all accounts, Bob Morris Sr. was a computer wizard in his own right,[2] and I have often speculated about how much his son picked up at the dinner table from his dad about the theoretical ways one might attack the Internet.

The Tech

The egg in The Cuckoo’s Egg title refers to how the hacker group compromised many of its victims. In turns out that the real-life cuckoo bird does not lay its eggs in its own nest. Instead, she waits for any kind of other bird to leave its nest unattended. The mother cuckoo then sneaks in, lays her egg in the unoccupied nest, and sneaks out, leaving her egg to be hatched by another mother. Similar to the cuckoo bird, Stoll’s hackers took advantage of a security vulnerability in the powerful and extensible GNU Emacs text-editor system that Berkeley had installed on all of its UNIX machines. At the time, Emacs allowed any user to copy any file anywhere in the system without asking for permission. The hackers used Emacs to overwrite the standard system command atrun with an altered version, a version that did everything that the standard version did but also elevated the hacker’s stolen user account to have system administrator privileges. Back then, the atrun command typically ran every five minutes to perform maintenance tasks on the system. Once the hackers laid the egg with Emacs, they just sat back and waited five minutes for the system to grant system administrator privileges to their user account. The spies performed a similar attack within the X-Preserve functionality in the VI Editor. It was a known security hole that, unpatched, copied files to any location on the system. Stoll had patched the hole, but many other government system administrators had not. The hacker’s survival depended on the ignorance of the system administrators who did not know about the Emacs and VI security hole. As Stoll said, 
“The survival of cuckoo chicks depends on the ignorance of other species.”
On their own, Stoll, Martha, and their roommate devised a fairly decent counter-intelligence program. They needed a way to keep the hackers online so that the authorities in the United States and Germany could trace the phone connections to the origin point. The problem was that the hackers tended to get in and get out. Stoll and company needed a way to keep the hackers online longer. Stoll decided that they would create volumes of phony documents laced with official-sounding topics that dealt with “classified” information. It worked. The hackers could not help themselves and eventually tried to download the entire cache, staying online for hours.

The spy ring spent a lot of time trying to take over regular user accounts so that they could log in as those users and review the system without causing alarm. In one instant, after becoming a system administrator with the EMACs attack, one hacker opened up the system’s password file. He still did not know what the passwords were to all the users on the system because they were encrypted. Instead of trying to break them, he just erased one of them. He picked a specific user and erased the user’s password. When he logged in as that user later, the system would grant access since there was no password guarding the account. After a while, the hacker started downloading the entire password file to his home computer. Stoll later discovered that the hacker executed a brilliant new attack. He encrypted every word in the dictionary with the same algorithm that encrypted passwords and compared the encrypted passwords in the downloaded password file with the encrypted dictionary words. If he found any that matched, he could now log in as a legitimate user. Brute-force dictionary attacks are standard today, but back then, it was a new idea.


Conclusion

I can’t tell you how pleased I am that The Cuckoo’s Egg still holds up after 20 years. Being my first love and all, the old girl has aged quite well. Instead of playing Jimmy Stewart or Cary Grant in an old black-and-white favorite movie, Stoll fits quite nicely in a modern setting. The book still has something of value to say on persistent cyber security problems like information sharing, privacy versus security (if you are a rightie), or liberty versus control (if you are a leftie), cyber espionage, and the intelligence dilemma. This book is part of the canon for the cyber security professional. You should have read this by now.


Sources
[1] Speakers Clifford Stoll: Astronomer, educator, skeptic, by Ted: Ideas Worth Spreading, Last Visited June 19, 2013,

[2] Comment: Re: Stoll's "Cuckoo's Egg" has some great anecdotes, by Cliff Stoll, June 30, 2011, Last Visited Jun 19, 2013,

[3] STALKING THE WILY HACKER, by Clifford Stoll, Communications of the ACM. May 1988, Volume 31, Number 5, Last Visited June 19, 2013,

[4] Book Discussion on The Cuckoo's Egg, by C-SPAN, October 1989, Last Visited June 19, 2013,

[5] Canon, by Dictionary.com, Last Visited June 19, 2013,

[6] Berkeley Lab: Lawrence Berkeley National Laboratory, U.S. Department of Energy, Last Visited June 19, 2013,

[7] North by Northwest, IMDb, Last Visited June 19, 2013,

[8] Rear Window, IMDb, Last Visited June 19, 2013,

[9] Edward Snowden: the whistleblower behind the NSA surveillance revelations, by Glenn Greenwald, The Guardian, 9 June 2013, Last Visited 23 June 2013,

[10] Help Me Obi Wan – You’re My only Hope: Three Cyber Security Innovations to Give You Courage, by Rick Howard, Terebrate, 10 June 2013, Last Visited 23 June 2013,

[11] Executive Order on Cybersecurity ... PDD 63 Deja Vu, by Warren Axelrod, BlogInfoSec.com, Information Security Magazine, 9 April 2013, Last Visited 6 June 2013,

[12] Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Activities, Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer, 19 January 2010, Last Visited 6 June 2013,

[13] Google attack part of vast campaign, by Ariana Eunjung Cha and Ellen Nakashima, The Washington Post, 14 January 2010, Last Visited 23 June 2013, 

[14] Inside the Chinese Hack Attack, By Nathan Thornburgh, Time, 25 August 2005, Last Visited 23 June 2013,

[15] The What, Why, and How of the 1988 Internet Worm, By Charles Schmidt and Tom Darby, July 2001, Last Visited 23 June 2013,

[16] Security vs. Privacy, by Bruce Schneier, Schneier on Security, 29 January 2008, Last Visited 24 June 2013, 

[17] Nothing to Hide: the False Tradeoff between Privacy and Security, By Daniel Solov, Yale University Press, 2011, Last Visited 24 June 2013,

[18] Security vs. Privacy: The Rematch, by Jennifer Granick, Wired, 24 May 2006, Last Visited 24 June 2013,


References
Deep Black, by William E. Burrows, published by Berkley Books, 1986

GNU Emacs, GNU Operating System, Last Visited June 19, 2013,

The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet, by David Kahn, published by Scribner, 5 December 1996

The KGB, the Computer, and Me, PBS Nova, Last Visited June 19, 2013,

The Puzzle Palace: Inside the National Security Agency, America's Most Secret Intelligence Organization, by James Bamford, published by Penguin Books, 23 September 1982

Unix System Security, by Patrick H. Wood, Stephen G. Kochan, published by Hayden Books, 1985

West Germans Raid Spy Ring That Violated U.S. Computers, by John Markoff, The New York Times, March 3, 1989, Last Visited June 19, 2013,

3 comments:

  1. I just would like to give a huge thumbs up for the great info you have here on this post. Very nice post, i certainly love this website, keep on it.

    ReplyDelete
  2. I saw Clifford on Larry King Live - twice and couldn't wait to get the book - it is a page-turner! With everything hard-wired back then, I can't imagine where all our enemies are spying on us "in the clouds". To me this is a good book, even if it was fiction, but it is a must read for all who want to keep up with cyber security (and their own security!).

    ReplyDelete
    Replies
    1. One point of order: This is not a fiction book. It all happened.

      Delete