eleventh alliance

Clifford Stoll’s “The Cuckoo’s Egg”

The reviewed book was a Swedish translation.

This is one of the absolute classics in computer security. It’s the story of how, by coincidence, Stoll becomes the hunter of a new kind of criminal, with questionable interests. You simply must read the book. Fun, informational, and exciting.

The book is based upon a true story, but… I’ve gotten some e-mails from Germans who claim to be remotely part of the story, who do not think that Stoll presents the story correctly. I do not take any responsibility for the correctness of Stoll’s book; I like it, though.


It’s the late ’80s. Security is an abstract concept, not fully grasped by the computing communities. And suddenly, more and more people start using computers – and some of them get access to the new data networks.

And suddenly, across networks such as Tymnet and the Internet, there’s something new. A cracker, a cracker with most unexpected interests.

Basically, Stoll’s not needed by his faculty. There simply are too many scientists in astronomy. Since he’s pretty OK with computers, he’s moved to the computer department. Squeezed between a Unix wizard and a VAX expert fighting the religious war over which operating system is the best, who else would get the assignment of finding out why the mainframe accounting went wrong by 72 cents this month?

After analyzing the weird mix of Cobol, Fortran and Assembly that handles the accounting, Stoll reaches the conclusion that the accounting program is correct. So why, then, are 72 cents lost? Hunter is the answer. Hunter is the new account, which no one knows who owns and which isn’t included in the accounting. Stoll disables Hunter’s account.

Then Stoll receives an email from a computer known as “Dockmaster”, which complains about a cracker attempting to break into Dockmaster. At the time, only Joe was logged in. But Joe is in England! And Joe is a member of the computer staff! Why would Joe do that? … unless… unless “Joe” is someone else. Someone, a cracker, with access to an operator’s account?

So then, what to do? Close the Joe account also? … Or monitor what he’s doing? Turns out, the cracker is almost the only one using the Tymnet connection. Easily monitored. Stoll installs a printer, printing everything that happens on the Tymnet connection. A great way to find out what the cracker is doing.

So, he uses this and that exploit to get operator access on Stoll’s server. And he attempts to crack into those servers – whoopsie, there he got in. Better phone the administrator of that university. “We have great security!” Long talk on the phone before they understand they have been cracked.

So, the cracker is breaking into a lot of systems, but why is he targeting scientific and military sites all the time? And whoa, are people actually supposed to be able to browse military scenarios for warfare in Europe?

Stoll and his colleagues understand the potential of the cracker’s activities. They phone the police. Great, they want to help but have even fewer clues than Stoll about what should be done to stop the fellow. Stoll phones the FBI. Unless a million dollars are stolen, the FBI doesn’t want to touch a case. What do you do when the police don’t care about a cracker targeting – and being successful in retrieving – scientific findings and military secrets? Even when the cracker appears to be conducting a kind of electronic espionage?

Reading a print-out of the cracker’s activity, Stoll finds the line “/whois cia”, followed by the line “CIA is …”. Why not call someone from the CIA who’s actually mentioned on the Internet?

The CIA is interested. They want to know everything. But they can’t do anything. It’s the FBI’s turf. The FBI doesn’t want to do anything. How about the NSA? Interested, but they can’t move. Someone else’s turf. Always someone else’s turf. Eventually Stoll realizes that it will be he himself who tracks down the spy, or the spy gets away.

Is it possible for a single man to do what the most powerful organizations in the United States can’t or won’t do? Can Stoll alone stop an entirely new kind of spy?
