Computer underground Digest Sun Sep 20, 1992 Volume 4 : Issue 44 Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivist: Dan Carosone Copy Editor: Etaion Shrdleau, Srr. CONTENTS, #4.44 (Sep 20, 1992) File 1--The Cuckoo's Egg Revisited File 2--The Egg, Over Easy File 3--Cuckoo's Egg and Life File 4--The Egg Hatches File 5--The Cuckoo's Egg and I File 6--Comments on Cuckoo's Egg Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT libraries; from America Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; and by anonymous ftp from ftp.eff.org (192.88.144.4) and ftp.ee.mu.oz.au For bitnet users, back issues may be obtained from the mail server at mailserv@batpad.lgb.ca.us European distributor: ComNet in Luxembourg BBS (++352) 466893. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Wed, 29 Jul 92 21:17:34 EST From: Gene Spafford <spaf@CS.PURDUE.EDU> Subject: File 1--The Cuckoo's Egg Revisited Cuckoo's Egg Revisited by Gene Spafford When I first read Cliff's book, in draft manuscript form (Cliff sent me an advance copy), I found it gripping. So did my wife. We each found that when we started it, we couldn't put it down until we finished it -- both of us staying up past 3am on a weeknight to read through to the end. We weren't the only ones. When the book was published, I bought copies for some friends, several of whom don't use computers. Almost all of them had the same reaction: they found the book engrossing, entertaining, and informative. Several of them also reported spending late nights (and early mornings!) reading to the end. It wasn't that Cliff set down particularly elegant and engrossing prose that made the book so captivating, although his writing is certainly better than many others evidence. It wasn't because Cliff recounted some high-tech adventure either -- many of the readers (myself included) already had experience with computer security incidents. So why was the book so interesting to us, and to so many other people? It wasn't until a few weeks ago, when Jim Thomas asked if I would do a short retrospective on the "Cuckoo's Egg" that I thought about this question. I even went back and skimmed through parts of the book again. Now that I've thought about it, I believe I know why "Cuckoo's Egg" had such an impact: it was a honest sincere, personal accounting of one person's internal struggle with right and wrong, as well as being a challenging mystery story. Cliff's writing portrayed, for many of us, some interesting conflicts and value judgments. For instance, having strong opinions about some governmental and commercial entities, but finding that they are composed of many well-meaning, genuinely nice people. Or discovering that not every "harmless" act is really harmless when multiplied many-fold. Heroic tales often involve journeys of self-discovery and the loss of innocence; we saw Cliff undergo both. To give a more concrete example of this, I consider the anecdote about how Cliff "liberated" several printing terminals to track the logins a perfect example of how rules, particularly property rules, may sometimes be ignored by someone hot on a clever "hack," as Cliff was. As the story unfolded, he made choices that I know he would have reconsidered later on. I also think that Cliff's account of keeping his system open, and observing the cracker break in to other machines through his, is a perfect example of how difficult some choices are to make, and how they must be reevaluated as time goes on. Was Cliff partially responsible for those break-ins? Was his notification of the sites sufficient to counter the harm he had done? Is the argument that "the bad guys would have used some other route" a valid argument? Seeing those conflicts, even if indirectly, made the book something more than just entertaining. Cliff started as a well-meaning academic with strong views (almost anarchistic, perhaps), and through the course of his personal experience became someone with a different view of society. He underwent a transformation, on the pages before us, from a happy-go-lucky scientist, to someone obsessed with a problem. As he recounted his growing awareness of the vast vulnerability our increasing reliability on computers and networks presents, he made us aware. And with this new awareness, we read about the change in Cliff and his view of the world...and how those around him changed their view of him. Cliff admits that he second-guesses some of his decisions made during the time of his pursuit. He's not sure he did the right thing at every step, and he has paid a high price for doing what he felt was right -- losing many things he treasured before and after the publication of the book. I think that's in the book, too, although maybe not explicitly. Or perhaps its because I know Cliff and have talked to him about being thrust into the spotlight that makes me see those things when I reread parts of the book. He lost some cherished possessions in the midst of battling for his principles, and that is always a gripping theme. So, is "Cuckoo's Egg" still worth reading today? I think so. I didn't find it so gripping this time as the first time I read it, but I saw more of the internal struggle Cliff went through as he pursued his investigation. I also saw how little some things have changed in the our world of networks. The book is still entertaining, too. Cliff's account of drying his sneakers in the microwave oven sounds like something I'd do, and his recipe for cookies is still a bonus. If nothing else, "Cuckoo's Egg" is still a good way to expose the uninitiated to some of the problems with computer security and investigation. For that one reason alone, I think the book will continue to have value to us -- as a place to get dialog started, if nothing else. I reflect on the world in Cliff's book, where sites were regularly broken into without sys administrators knowing about it, where security information was difficult to find, and where it was almost impossible to get law enforcement to care about what was happening. Then I think back over the past few weeks: * I have given several continuing education courses in Unix security, here in the US and in Europe, this summer, and turnout has been good * I've spoken on the phone with people in the FBI and US Attorney's office whose full-time job is devoted solely to computer crime issues * I've read in the paper about several arrests on computer crime charges, in the US and in Europe * I've corresponded with representatives of several security response teams, charged with helping to deal with computer security incidents * I've received court papers identifying me as a witness in an upcoming trial on computer abuse * I've been talking with some law enforcement agents in a (unnamed) nearby state who are concerned about how to define laws that help them stop the "bad guys" yet don't hurt innocent third parties. How different the world is now from when Cliff began his adventure and wrote his book! Although we still have sites run with a cavalier attitude towards security, and although there are still people who try to penetrate whatever systems they can, the situation is not the same. We now have dedicated security officers, a growing security industry, new laws and law enforcement efforts, and coordinated responses to unauthorized access and malicious behavior. It's far from ideal, but awareness is growing. Perhaps "Cuckoo's Egg" has had something to do with those changes? If so, we should be grateful, perhaps, that this catalyst was crafted by someone whose vision is that computers are useful if only we can maintain sufficient trust in each other, and not someone with an urge to legislate tight controls. In a way, that is one of the most enduring aspects of Cliff's writing. It is clear that he loved some aspects of computing. The challenge of tracking his intruder was clearly an element of gamesmanship as well as duty. Cliff, like many of us, came to realize that the world came to his workstation through the magic of networks and computers. That world view, however, is based on a foundation of 1's and 0's that bear no definitive stamp of who sent them. The network provides freedoms to be free of stereotypes, and to express your thoughts to millions. Your thoughts come through, and the reader need never know if you are young or old, tall or short, fat or thin, black or red or oriental or hispanic or mongrel, male or female, hale or crippled. That same freedom, however, requires responsibility to not abuse it, and trust that the 1's and 0's aren't carrying lies. It was Cliff's anger at the end of the book -- that his trust in what came across his computer was violated -- that really brought home the change. His anger, about how the abuse of trust by a few threatens the many, clearly came through to me. His concern for our reliance on computers also was clear. And the irony of the epilogue, tugging at him again, after he said he was giving it all up; "I'm returning to astronomy" are his final words in the last chapter. You can't go back Cliff. Sadly, none of us can. ------------------------------ Date: 24 Aug 92 23:27:31 EDT From: Gordon Meyer <72307.1502@COMPUSERVE.COM> Subject: File 2--The Egg, Over Easy The Egg, Over Easy. Gordon R. Meyer, CuD co-moderator It's Thursday, August 20, 1992 and I'm watching the President of the U.S. address his loyal minions. "Fall of communism...I did that," "The reunification of Germany...did that too," "Kuwait is free..thanks to me," "Events in our country?...blame Congress. It's not my fault". The telephone suddenly rings...though semi-catatonic I know, just know, it's the Thought Police. Shit, what will I tell them? I was listening to the President...honest! You must have me confused with someone else. My palms are sweating. The phone is still ringing. I pick it up... "Guten abend" I say, in my best German accent, hoping it will throw them off the track. "Hey Gordon" Jim says without hesitation. "Jim! It's you!" Thank God. I breath easier knowing that it's only Jim Thomas, co-founder and Keeper-Of-CuD on the line. I guess I only thought it was 1984. Or maybe not. Before I know it Jim is asking me to write a review of 'The Cuckoo's Egg' for the next issue of CuD. I check my watch...it's still ticking. A quick glance at the calendar on the wall...'1992'. Hmmmm. Maybe Jim is still in his own RNC-induced trance. "Didn't we review Cliff's book about..oh...two and half years ago?," I ask quietly, trying not to wake him too abruptly. "Yeah." (It's a full sentence for Jim, trust me, he can say a lot in one word.) Admitting my confusion, I ask him to explain. "There has been a lot of water under the bridge since Cliff's book, it'd be good to take another look at it and see what it has to offer now. Besides," he added, "we already have retrospectives from lots of other folks." "Nothing like good old fashioned peer pressure" I mumble, trying to sound enthusiastic. I ask him when he needs the article, knowing the answer won't be as far in the future as I'd like, say eight or nine months from now. "Wednesday latest, tuesday if you can." Great, so I've got around five days to find, then re-read, then review the book. How will I convince him it can't be done? I start to voice my objections, starting with "I don't have time to read...," when he cuts me off before I can finish. "So don't read it again, just review it." Huh? No, wait, oddly enough it starts to make some sense. Or least more sense than what I could hear coming from the television in the other room. We discuss the idea a bit more and hang up with me promising to send the article by wednesday, and Jim making me say "By wednesday the 24th of August 1992 anno Domini, cross my heart and hope to die." Sheesh, what a slave driver... I'm determined *not* to refer to my copy of The Cuckoo's Egg (The Egg) for this exercise. I really do know where it is though, I can see it on the shelf about ten feet away as I write this, but I'm not going to cheat and look at it. I don't need to. Well, except to see how the hell to spell "Cuckoo," but that doesn't count. There's no need for me to tell you what the book says, you know that...or at least you should. If you don't know then you haven't read it. Do so. Now. End of review. (And if you choose to ignore this advice, and not read it, I swear to God you will regret it because the very first non-computer person you meet, who finds out about your interest in security/hackers, will regale you with an enthusiastic 20-minute summation of 'that one hacker book'. So either read it, or never _ever_ admit you haven't. Trust me.) Let's look at The Cuckoo's Egg not as a book, but as a landmark...A cultural/historical icon that escaped from cyberspace into the 'real' world. The Egg, for the most part, was the first to introduce to mainstream (i.e., Non-cyberspace) society the concepts, magic, implications, and yes, possible dangers, of the networked world. The Egg uses popular and familiar "Hollywood" elements (espionage, government agents, goofy liberal scientists) , and melds them with the unfamiliar and obtuse (networks, Unix). Classical elements, fascinating story...It'll sell a zillion copies! And it did. The Egg has been in paperback, on Nova, in Congressional hearings, featured on the Wily Hacker Trading Cards, retold in JPL Comics, selected as a Book-of-the-Month Club Alternate Selection, and the ultimate in mainstream acceptance and recognition...condensed for Readers Digest. No, The Egg is certainly not just a book. I want to liken it to _Hell's Angels_ by Hunter S. Thompson. But I'm not old enough to do so with any credibility. Thompson introduced people to the outlaw motorcycle gangs, and showed their lifestyle and organization in a way that outsiders had never before seen. We share with HST as he learns about the Angels, and we wince when gets beat-up at the end. In The Egg, we mock Cliff's obsession with the teeny tiny accounting error that leads to the discovery of The Intruder. Then, after enticing us with a Brownie Recipe, he gets us caught up in the chase until we cheer when the Bundepost gets a trace on the hacker's line. _Hell's Angels_ is every bit as much as a 'must read' to be able to converse about motorcycle outlaw gangs, as The Egg is to talk about the problems of computer security. Only more so, as I don't think Readers Digest has ever heard of Hunter Thompson. (Note to Jim: Don't worry, I've deleted the discussion of the phallic symbolism of pistols and yo-yo's.) The Egg is also important as it documents an era when the FBI, SS, CIA, Telco Security, and everyone else would laugh off hackers and/or espionage. Those days have ended. In fact, the pendulum has swung so far in the other direction that Stoll's experience with the laise- faire authorities seems quaint. For researchers, The Egg marks somewhat of a transition between Esquire's Cap'n Crunch article, Bill Landreth's confessional book, and the ill-directed Operation Sun Devil. To my knowledge we've never really heard about the 'national defense' impact any of the information Stoll's hacker may have passed on to the Soviets. This is regrettable as The Egg has almost certainly had an effect on concern about computer espionage. It would be interesting to know how this 'classic case' (and oft cited) harmed, or failed to harm, our "National Security." Regardless of the affect, it's a reasonable assumption that Stoll's work has been used as justification for more than one corporate security program sales pitch. The Egg is destined to be a part of Bibliography's and "suggested reading" lists for many years. Finally The Egg has also given us its author, Cliff Stoll. If it wasn't for his book, and his willingness to share it with the world (quite literally, I understand, though haven't confirmed, that it has been translated into many languages) Stoll might well be known only to his fellow Astronomers. That would be a shame, for although I don't always agree with Stoll's suggested solutions or characterizations of the Computer Underground, I think the computer security community would be a bit more boring without him. So there you have it, The Cuckoo's Egg thus far. I'll be interested in seeing how the book holds up over the next two or three years. I predict it will do just fine, joining the ranks of _Hackers_ and _Soul of a New Machine_, as dog-eared after dog-eared copy gets passed from one computer enthusiast to another. Postscript: For those who just can't get enough of the saga of the egg, a book published in Germany, _Hacker for Moscow_, tells the tale as seen from the other side of the terminal. If you were hungry for more information about the German/East German connection, and you want a more detailed description of the actual methods used to gain access, as only the intruder himself can give, check it out. Unfortunately, as far as I know, it hasn't been translated into english...outside of Langley, VA of course. ------------------------------ Date: Sun, 2 Aug 92 18:51:50 PDT From: brendan@CYGNUS.COM(Brendan Kehoe) Subject: File 3--Cuckoo's Egg and Life Life can take you in any number of directions, some of which may bring you through Andy Warhol's proverbial fifteen minutes of fame. Cliff Stoll found himself propelled into that limelight, caught quite unawares. The tale of a six-bit accounting discrepancy leading to spies and intrigue took the world by storm. His life has apparently calmed down now, but the results of his experience are still being realized by the computing community. Advances in technology, groups like CERT and companies with full-time security alert personnel are all, in part, testament to the work represented by his book. The cosmopolitan appeal of The Cuckoo's Egg cannot be ignored, however. Fully half the importance of a message is its capacity to be conveyed to as many people as possible. Cliff accomplished this, in spades. Rather than limit the audience to technophiles who would eat up the juicy details, The Cuckoo's Egg offered readers an insight into how a "diamond in the rough" might go about dealing with what amounted to an impossible situation. Following Cliff as he was knocked about from pillar to post, finding no help at all from those we would assume are paid to investigate such things, made for truly fascinating and, sometimes, disturbing reading. Just over two years ago, I spent Christmas with a friend and his family, the cost of returning to my native Maine proving prohibitively high. While browsing a North Pennsylvania mall, we happened upon The Cuckoo's Egg in a bookstore, and my friend chose to buy it as a gift for his father. Someone I consider to be the perfect example of a not terribly advanced, but quite comfortable, computer user, his dad was instantly captured by the engaging story. He literally inhaled it, along with dozens of cigarettes, over the course of not more than two days. Chapter One on Tuesday, "THE END?" on Thursday evening. A flurry of questions hit over the weekend: was the network used at Widener University, where we were Computer Science majors, capable of these things? had we ever seen anything like what had happened to "that astronomer"? wouldn't it be cool to have it happen to us? The notoriety Cliff Stoll gained from what could be termed an ordeal was not, in my opinion, the reason The Cuckoo's Egg had to happen. Rather, it accomplished precisely what it set out to do: bring the concerns of information security into the thoughts and conversations of thousands of people. People who would otherwise not have ever encountered what may well prove to be one of the most decisive factors in our world's future as we fast approach the new millennium. ------------------------------ Date: Mon, 14 Sep 92 11:14:49 CDT From: Jim Thomas <cudigest@mindvox.phantom.com> Subject: File 4--An Ideal(istic) Egg Cliff Stoll, the hippy, might appreciate the irony of The Cuckoo's Egg (TCE) symbolizing for the "hacker generation" what Altamont did for the counter-culture of the sixties. Cliff Stoll, the socially committed astronomer would take little pleasure in the prophetic power of his observations. For those of the sixties, the free Rolling Stones concert at Altamont was seen as a west-coast version of Woodstock--a chance to frolic, engage in the excesses of "freedom from responsibility," and live out a fantasy inspired by a romantic image of the flower-power culture. A beating death by the Hell's Angels "peace keepers," seemingly high numbers of drug overdoses, and spiritual rain darkened the event. Altamont itself did not kill the "hippy dream" any more than TCE had a terminal effect on the hacker counterculture. Nonetheless, the experiences recounted in TCE provided an icon for the passing of a romantic era of hacking into one in which personal responsibility (or lack of it), personal excesses, and increasing abuse without concern for the consequences were eroding a culture from within. Like the decay of the sixties' culture, the hacker culture of the 1980s was invaded by newcomers who lacked the romantic idealism of those who had come before them. As access to computers increased, a hoard of newcomers moved in, bringing with them the problems that face any community in a population explosion. In TCE, Cliff only documents one slice of the problem by describing one incident that symbolized the problems of a new society when trust and respect for the rights of others breaks down. In long-lost correspondence, Eric Smith once suggested that TCE represented a turning point for Cliff, for the "hacker community," and for computer users who who lived outside the pale of exploratory computer use. Cliff's work raised consciousness, a few hackles (including my own), praise, and criticism. It was written before Operation Sun Devil, but was read by many of us in the context of the Legion of Doom and Phrack indictments. It was cited by some law enforcement agents in documents and other media as a means of exaggerating the "Hacker Menace" as a national security threat to justify their excesses in early 1990. As a consequence, it was not a work that received many neutral readings. Ironically, much of the criticism directed at Cliff and his work reflected the same passion that prompted Cliff to write it: Betrayal of trust and opposition to injustice and predatory behavior. The metaphors of betrayal and loss permeate TCE. Openness, whether in our personal relationships or on computer systems, require trust. When that trust is violated, we lose. Cliff's persona seeps continually out of the book. One can picture him with keyboard in one hand, yoyo in the other, chocolate chip cookie crumbs scattered about, and sneakers steaming in the microwave, sharing each chapter with the woman he loves with joy and anticipation. The intellectual and other rewards he reaped from his labor also carried a burden. The nearly three years' experience and corresponding time to reflect on events since then cannot but make a re-reading of The Cuckoo's Egg a somewhat sad experience. Cliff has written elsewhere of his personal losses: Some friends abandoned him, he was unfairly criticized, his relationship dissolved, and he found himself at the center of controversy not of his own making. What was the cause of all this? By now, most know that TCE was about tracking an intruder into UC/Berkeley's computer system who was noticed as the result of a miniscule accounting error. Cliff discovered that his system was being used by the hacker to access other systems, and, like a cyber-bloodhound, followed the intruder into other systems and then retraced the steps and ultimately located him on a system in Germany. The narrative made a fascinating detective story, and when read from the protagonist's perspective, one couldn't help root for the detective. Methodologically, patiently, painstakingly, the narrator pursued his quarry. Guided by the same passion for solving a puzzle that motivates hackers (and researchers) and by the feeling that if things are not quite right they should be fixed, Cliff combined curiosity and technology in a way that one might argue celebrates the original hacker ethos while adamantly opposing its excesses. When I first read the Cuckoo's Egg in early 1990, the Legion of Doom, Phrack, and Len Rose were facing legal problems. Sun Devil was still a few months away. Prosecutors, the media, and others alluded to the work to demonstrate the "hacker menace," to raise the spectre of threats to national security through espionage or disrupting the social fabric, and to generally justify the need to bring the full weight of law enforcement down upon teenage joyriders. Although Cliff has taken a strong and unequivocal stand on civil liberties and has publicly denounced excesses that violate Constitutional rights, he had no power of the use of the images that some took from the book. This led some at that time, myself included, to associate him with the excesses. Ironically he was in a sense victimized by the same law enforcement excesses as others in early 1990. By attempting to alert us to a problem, he was unwittingly caught up in it, and the messenger was mistaken for the message. As a series of posts on comp.org.eff.talk indicated this past summer, the mistake lingers. And what *IS* Cliff's message? In TCE and elsewhere, he has made it quite clear: Cyberspace must be based on trust. The sixties' idealism of a better world through cooperation and respect for others' rights is not simply a "PC" perspective, but an ethos that is essential if computer technology and its benefits are to be widely shared. Those who intrude on others subvert this trust, and virus-planters are akin to putting razor blades in the sand at the beach. The attitude of some that it's a right to try to hack into systems with impunity subverts the freedom of others, and when trust dissolves, so does freedom. In some ways, Cliff Stoll *is* The Cuckoo's Egg. His persona has been planted in our psyche, his images have become part of our lore, and his non-compromising insistance on establishing a culture of trust and mutual respect provide a model for teaching young computer users that responsibility comes with knowledge. Gordon Meyer provides the best summary for the legacy of The Cuckoo's Egg: It has hatched and his given us Cliff Stoll and an image of curiosity, decency, and class that can help civilize the cyber-frontier. And there aren't many books or authors about which that can be said. ------------------------------ Date: Thu, 17 Sep 92 23:23:46 EDT From: Mike Godwin <mnemonic@EFF.ORG> Subject: File 5--The Cuckoo's Egg and I THE CUCKOO'S EGG and I By Mike Godwin Copyright (c) 1992, Mike Godwin I won't say that THE CUCKOO'S EGG is *the* book that changed my life, but it's certainly *one* of those books. Here's how it happened: In the middle of my last year of law school (1989-90), I was getting bored with the local BBS scene in Austin, Texas. So, I decided it was finally time to do what I'd been planning for a few years--getting an account on a University of Texas system and participating in the huge, distributed, free-floating conference system called Usenet. By sheer chance, this decision came at a time when the Net was particularly hungry for information about hackers and the law. Usenet was still abuzz with discussion about the Internet Worm case, and there was also a lot of talk about the so-called "Legion of Doom" searches and seizures, which focused on three alleged hackers in Atlanta. (As a third-year law student preparing to become a Texas prosecutor, I had plenty of answers to the legal questions that flooded Usenet newsgroups like misc.legal and comp.dcom.telecom.) And, of course, there were lots of references to a book by some guy named Stoll, who apparently had caught some hacker spies. A fellow Austin BBSer named Al Evans told me he'd been enthralled by the book, and when I saw it listed in the new acquisitions at my law school's library, I decided to check it out. The book was a revelation, and it kept me up half the night--I ended up reading it in one sitting. The mystery of the Hannover Hacker was only part of what fascinated me--the book, almost incidentally, included the first *interesting* discussion I'd come across of the structure and dynamics of the Internet. The image I formed of the Hacker's leaping from network to network helped me begin to appreciate the vast, complicated, deeply connected computer and telephone networks that crossed the oceans and pierced national borders without a pause. I found Cliff's story also to fit well with what I knew, from my own associations with researchers, what life can be like for working scientists. There is a point in the book where Cliff's curiosity and desire to find "the answer" kicks into overdrive--it's then that you see why he became an astronomer. For me, one of the most inspiring passages in the book is Cliff's account of his discussing the Hacker with Nobel Prize-winner Luis Alvarez: "Permission, bah. Funding, forget it. Nobody will pay for research; they're only interested in results," Luie said. "Sure, you could write a detailed proposal to chase this hacker. In fifty pages, you'll describe what you knew, what you expected, how much money it would take. Include the names of three qualified referees, cost benefit ratios, and what papers you've written before. Oh, and don't forget the theoretical justification. "Or you could just chase the bastard. Run faster than him. Faster than the lab's management. Don't wait for someone else, do it yourself. Keep your boss happy, but don't let him tie you down. Don't give them a standing target." That's why Luie won the Nobel Prize.... And yet, the same singleminded approach that Cliff (and I) found so inspiring in Alvarez also inspired a lot of the criticism that Cliff has faced from some quarters since the book was published. (More about this later.) At the time I read the book, it had not yet come out in paperback. When I finished CUCKOO'S EGG, I looked again at the forward and discovered that the author had left an e-mail address. Although not always swift on the uptake, I managed to deduce from this that Cliff wanted feedback from his readers, so, after some hesitation, I sent him a letter in e-mail, giving him my reactions, and making a joke about a humorous grammar error in Chapter 45 (for the curious, it's in the top two lines on page 255 in the Pocket Books paperback). To my surprise, I had mail back from Cliff the next day! He was interested to hear my reactions, and was surprised to discover that I was a law student--his wife, Martha, had been a Berkeley law student during the events chronicled in the book, and was now a clerk for Supreme Court Justice Harry Blackmun! We discussed the need for more people on the Net with genuine knowledge of the law--few people had had more experience than Cliff in running up against the "two cultures" division between those representing the legal system (not just lawyers, but also the FBI and the Secret Service) on the one side, and the programmers, scientists, and students who populated the Net on the other. And as our correspondence progressed, we found ourselves talking from time to time about the "hacker cases" that were being reported on Usenet and in the news media. Cliff had seen what happened when well-meaning and informed law-enforcement agents, like Mike Gibbons of the FBI, took on a case in which a computer intruder clearly sought to steal military secrets and sell them to Eastern Bloc spies. What we both were seeing now were cases in which law-enforcement agents and prosecutors were making obvious mistakes and damaging people's rights in the process. The "Legion of Doom" hackers, for example, were accused of stealing the source code for the Emergency 911 System from a BellSouth computer--yet to anyone with even basic knowledge of what a computer program looks like, the E911 "source code" was nothing more than a bureaucratic memorandum of some sort, with a few definitions and acronyms thrown in. (The myth that the Legion of Doom defendants had access to the E911 source code persists to this very day: columnist "Robert Cringely" of INFOWORLD once reported the "fact" that the AT&T crash of 1990 was due to Legion of Doom sabotage, and that same "fact" appears, along with numerous other egregious errors, in the diskette-based press kit for the new movie "Sneakers.") My growing interest in these hacker prosecutions, my discussions with Cliff and others, and my reflections on THE CUCKOO'S EGG started changing my postings on Usenet. Whereas before, I'd limited myself to fairly dry and academic dispositions in answer to abstract legal questions, I found myself getting emotional about some of these cases. The more I learned about how the seizures and prosecutions were hurting individuals and chilling free discussion on the Net (I even lost an account myself as one sysadmin ended public access to his system in order to minimize risk of having his system seized), the more I found myself arguing with those whose justified anger at computer intruders led them to justify, uncritically, any and all overreaching by law enforcement. And then this War On Hackers struck closer to home. On March 1, 1990, an Austin BBS, run by the nationally famous role-playing-game publisher Steve Jackson Games was seized by the United States Secret Service. Although neither Jackson nor his company turned out to be the targets of the Secret Service's criminal investigation, Jackson was told that the manual for a role-playing game they were about to publish (called GURPS Cyberpunk and stored on the hard disk of the company's BBS computer) was a "handbook for computer crime." The seizure, which shocked Austin's BBS community, had the potential to put Jackson, an innocent third party, out of business. The sheer magnitude of the effect on Jackson and his business outraged the members of an Austin BBS called "Flight," which numbered both me and Jackson among its users. Even more outrageous was the failure of the media to pick up on the injustice that had occurred--one Flight user pontificated that this was because the mainstream press had no interest in BBSs, which publishers saw as nothing more than potential competition. I thought this theory was crazy. I had worked as a newspaper journalist before I went to law school, and I'd even taken time off from law school to edit my university's newspaper. I started arguing on Flight that the media hadn't covered the story because they didn't know about it. Or, at least, they didn't understand the issues. Then it hit me. Why was I sitting at my terminal *talking* about reaching the media, when what I should be doing is making sure that the story gets publicized? With something of the same singlemindedness I think Alvarez was talking about, I set out to see that the story of the Steve Jackson Games raid, and of the other cases, got reported in the mainstream press. I gathered together several postings from local BBSs and from Usenet, and I drove down to the Austin American-Statesman office to talk to a reporter I'd been referred to by a friend of mine who worked on the newspaper's copy desk. I took with me photocopies of the statutes that give the Secret Service jurisdiction over computer crime and lots of phone numbers of potential sources. At the same time, I called and modemed materials to John Schwartz, a friend and former colleague who was now an editor at Newsweek. The story made the front page of the American-Statesman the following weekend. And John Schwartz's story, which covered the Steve Jackson Games incident as well as the Secret Service's involvement in a nationwide computer-crime "dragnet," appeared in Newsweek's April 30 issue. When the latter story appeared, I realized that (in a much smaller way, of course) I'd managed to do to the media what Markus Hess had done to Lawrence Berkeley Labs, and what Cliff Stoll had done to the puzzle created by Markus Hess: I'd hacked it! And yet, really, I can't take full credit for getting the story of the SJG raid out; if I hadn't read THE CUCKOO'S EGG, I'd never have started a dialog with Cliff, and I'd never have begun to piece together the significance of the wrongheaded hacker prosecutions that we heard so much about it 1989 and 1990. That's why it always strikes me as odd, and even offensive, when some net.yahoo decides that Cliff's book is responsible for all the offenses committed by law-enforcement agents in their efforts to fight computer crime. As Cliff himself has remarked, I've found [the book] used to justify increased security, raids on bulletin boards, and monitoring of network traffic. It's also used to refine legislation, to expand the Internet, to better define what constitutes asocial behavior on the networks. It started out as a good story, but Cliff has seen it become the justification for all sorts of actions, both positive and negative. And yet Cliff, because he actually took the leap and tried to explain to law enforcement what was going on, often gets much of the blame for the negative results, and little of the credit for the positive ones. This shortsighted, "kill the messenger" mentality may explain why a few readers have gone so far as to vilify Cliff and his book, saying things like "Cliff Stoll is just as much amoral a hacker as Markus Hess." Even when those readers are making the criticism in good faith (and I think many of them are simply motivated by the common American vice of Let's Criticize the Famous), I think they're victims of a basic confusion. True, Cliff was as *singleminded* as Markus Hess was. (It takes a singular obsession to start wearing a beeper designed to go off whenever a certain user logs in.) But the moral and philosophical dimension of his actions was far different from those of Hess, Pengo, and their associates. Although a few of them justified their actions in political terms, for the most part the East German hackers cracked systems in order to get money or drugs; in the book Cliff tracks the hackers partly in order to solve what had become to him a "scientific" problem, but also--as he begins to realize himself in the book--in order to restore a community order that has been violated and disrupted. It is this same sense of a need to protect this vast, virtual community that has led Cliff to change the way he talks about the Cuckoo's Egg case over the last few years. I've had the privilege several times of seeing Cliff entertain an auditorium full of rapt listeners with the story of that tiny accounting error on the LBL computer. Nowadays, he ends his presentation on an uncharacteristically sober note: he reminds his audience that the need to keep computers secure and to instill shared values in our online communities *never* justifies the government's violation of the civil liberties of individuals. To me, all this casts Cliff and his book in a different light. Even now, I can't say I necessarily approve of all the actions Cliff took in trying to catch the East German hackers. (It is a measure of how much the world has changed since CUCKOO'S EGG that it seems odd to write the words "East German.") But when I reflect for a moment and try to imagine what kind of people I'd want to share this networked community with, it's hard to think of a person better than Cliff Stoll--ferociously smart, passionately curious, self-doubting, idealistic, and (to his own surprise, perhaps) deeply moral. ------------------------------ Date: 29 Jun 92 06:11:10 GMT From: stoll@ocf.berkeley.edu (Cliff Stoll) Subject: File 6--Hatching the Cuckoo's Egg HATCHING THE CUCKOO'S EGG Copyright (c) 1992 by Cliff Stoll This version is posted to Usenet; ask me before you repost or reprint it. Resend it across networks or archive it on servers, but don't include in any digests, publications, or on-line forums. Ask me first, and I'll probably say OK. Yes, I'm active on the Usenet, often reading, seldom posting. I keep a low profile partly because I'm busy (writing a book about astronomy) and because I worry that my opinions are given too much attention due to my notoriety. You'll find my e-mail address in the front page of every copy of Cuckoo's Egg. I read and reply to all my mail. However, because of the huge number (about 18,000 in 3 years), I seldom write more than a short answer. Often I get 3 weeks behind in replying to my mail. Letters astonish me with their diversity: some say I'm a villain, others a hero. I see myself as neither, but as an astronomer who got mixed up in a bizarre computer mystery. I'm now back in Berkeley/Oakland/San Francisco. I've cut down on public speaking, mainly because it's exhausting. I'm a member of the EFF, ACM, CSPR, BMUG, AAS, ARRL, NSS, pay all my shareware fees, and floss nightly. # Point of the book: I started out by writing a technical summary in the Communications of the ACM, 5/88. This article, "Stalking the Wily Hacker" was for computer techies ... I wrote it in an academic style, and with more technical detail than Cuckoo. *** Before asking for more information *** *** about Cuckoo's Egg, please read *** *** Stalking the Wily Hacker *** Throughout that article, as well as the book, I emphasized the many mistakes I made, the difficult choices I worried about, and the need for communities to be built upon trust. I began writing a book about the fundamentals of computer security in a networked environment. This was the logical expansion of my CACM article. My friend, Guy Consolmagno, read the first 5 chapters and said, "Nobody will read this book --it's just about computers and bytes. Don't write about things. Write about people." I'd never given it much thought, so I tried writing in first person. You know, using "I" and "me". Weird ... kinda like walking around nude. It's a lot safer hiding behind the third person passive voice. Since I'd never written anything before, I just followed instinct. I began weaving in different threads: a textbook, a mystery, a bit of romance, and with my sister's suggestion, a coming of age story. Kinda fun to jump from one subject to another. Although I strongly object to anyone breaking into another's system, I didn't wish to write a treatise against hackers, crackers, or phone phreaks. Rather, I wanted to tell what happened to me and how my opinions developed. I wrote the book for fun, not money or fame. These have no value to me. # What's happened since then: A year after Cuckoo's Egg was published, operation Sun Devil was carried out, Steve Jackson Games was busted by the Secret Service, and Craig Neidorff arrested. I knew nothing about these events, and was astounded to hear of them. The Cuckoo's Egg has been misused to justify busts of innocuous bulletin boards, restrictive new laws, investigations into networked activity, and who knows what kind of monitoring by big brother. It's also been misused as a cookbook and justification by bd guys to break into computers. I disagree with all of these. Strongly disagree. I've repeatedly testified before congress and state legislatures: I don't want to lose the friendly sandbox that our usenet has become. Our civil rights -- including free speech and privacy -- must be preserved on the electronic frontier. At the same time, we must respect each others rights to privacy and free speech. This means not writing viruses, breaking into another's computer, or posting messages certain to cause flame wars. Just as important, it means treating each other with civility, respect, and tolerance. # On being notorious: This incident has been good to me in a few ways: 1) My folks are proud of me. Nothing makes me feel better. 2) I've made many friends, over networks, at meetings, and by mail. 3) Several old friends have looked me up. And there's a downside: 1) Alas, but the most important person in my life has left. Deep sadness and hurt. 2) I've become a target of phone phreaks and crackers. 3) No privacy. 4) I'm stereotyped and pigeonholed. 5) Some people become jealous. 6) Several old friends have hit me up for money. # Answers to specific questions: 1) Did Cliff violate Mitre's computers? As written in Cuckoo's Egg, chapter 25, I logged into Mitre Washington Computer Centre and demonstrated the insecurity of their system. Immediately afterwards, I called Mitre and described the problem to them. Up to that point, they (and I) didn't know where the problem was coming from. For a week prior to touching their system, I was in contact with several Mitre officers; we had a working arrangement to try to solve our mutual problem. Moreover, I contacted the CEO of Mitre (James Schlessinger) who questioned me at length and thanked me. 2) Did Cliff run off on his own? At the very start, I contacted three attorneys: our general counsel, my local district attorney, and a friend at the ACLU. Additionally, I asked several professors of law at Boalt Hall and a number of law students. My boss, my lab director, and my colleagues knew what was happening. I contacted systems managers at Stanford, UC/Berkeley, and military sites. I did my best to keep these people in the loop. 3) Was Cliff some kind of sheriff of the west, trampling over rights? Uh, I never thought of myself that way. Indeed, much of the time, I felt this was a chance to do science -- apply simple physics to a curious phenomenon and learn about the environment around me. As much as possible, I wished to remain invisible to the person breaking into my computer, while prodding others to take action. As a system manager, I did my best to monitor only the intruder, to keep him from hurting others, and to find out why he was in our system. 4) Did Cliff track these people to support a political position? No. 5) Am I happy at the sentences meted out to the German defendants? They received 1-2 years of probation and stiff fines. I don't take joy in wrecking another's life -- rather, I'm sad that this entire incident happened. I am glad that they did not end up in prison, glad that at least one of them has said that he will never again break into computers. -Cliff Stoll 29 June 1992 ------------------------------ End of Computer Underground Digest #4.44 ************************************