The Cybersecurity Canon: The Cuckoo’s Egg

Dec 24, 2013


For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage (1989) by Clifford Stoll

If you are a cybersecurity professional, you should have read this by now. More than 20 years after it was published, it still has something of value to say on persistent cybersecurity problems like information sharing, privacy versus security, cyber espionage and the intelligence dilemma. Rereading it after 20 years, I was pleasantly surprised to learn how pertinent that story still is. And even if you are not a cybersecurity professional, you will still get a kick out of this book. It reads like a spy novel, and the main characters are quirky, smart, and delightful.

Looking Back

The Cuckoo’s Egg is my first love. Clifford Stoll published it in 1989, and the first time I read it, I devoured it over a weekend when I should have been writing my grad school thesis. It was my introduction to the security community and the idea that somebody had to protect these new-fangled gadgets called computers. Back in those days, authors put their email addresses in their books, and when I finished reading it, I sent Mr. Stoll a note explaining how much I enjoyed his book. He answered immediately and that forever made me a fan. But besides being a window back through time to the beginning of our modern Internet age, Stoll’s book highlights many of the security problems that still plague us today.

The story itself reads like an Alfred Hitchcock movie. Joe Average-Man -- in this case, Stoll as a hippie-type systems administrator keeping the computers running at the Lawrence Berkeley National Laboratory just outside San Francisco -- is in the right place at the wrong time. Like Cary Grant and Jimmy Stewart before him, Stoll is minding his own business when he stumbles upon a bit of a mystery that, when it all plays out, is much larger than he is. By tracking down a minuscule computer-accounting error, Stoll unraveled an outsourced, Russian-sponsored, international cyber-espionage ring that leveraged the Berkeley computers to break into US military and government systems across the United States.

The book documents Stoll’s journey as he tries to get help from the US and German governments to do something about this serious threat that nobody wants to own. As the story unfolds, the reader also gets a fascinating glimpse at how the Internet looked just before it exploded into the commercial, informational and cultural juggernaut that it has become today.

The interesting dichotomy at play in the book though is how Stoll deals with government authorities. In the book, he describes himself as a “mixed-bag of new-left, harmless non-ideology,” yet he routinely called, cajoled, and coordinated leaders and administrators in the NSA, the CIA, the FBI, and other government and military organizations--bastions of the near and far right. How Stoll gets his head around those two philosophies is fun to read.

It is in these interactions with the government that Stoll runs squarely into one of those persistent problems that we still have in the security community today, and one we still talk about at each and every cybersecurity conference I attend.

The government does not like to share.

Stoll consistently ran into government bureaucracy: human-government vacuum cleaners who were eager to take any and all information that Stoll had in regard to his investigation but who were also unwilling to share anything that they knew in return. To be fair, the US government today is getting better at this information-sharing thing, but leaders are a long way from implementing a free-flowing information exchange. I am not sure it will ever get there. And as we’ve been discussing for months now here at Palo Alto Networks, what we’ve learned about what the government will share versus what data they will collect is going to continue to be a source of hand-wringing and also a catalyst for the increased use of techniques such as SSL/encryption.

There’s also the second persistent problem. As Stoll is wrapping up the book, he concludes, “After sliding down this Alice-in-Wonderland hole, I find the political left and right reconciled in their mutual dependency on computers. The right sees computer security as necessary to protect national secrets; my leftie friends worry about an invasion of their privacy.”

If that is not the perfect summation of the fallout from the Edward Snowden investigation, I don’t know what is. The Snowden case is just the last one in a series of privacy-versus-security trade-off debates that the United States and other countries have made in the past twenty years. As Bruce Schneier points out, this is a false argument: “The debate isn't security versus privacy. It's liberty versus control.”

He and other pundits highlight the fact that this is not an either-or decision. You can have security and privacy at the same time, but you have to work for it. In this book, Stoll was the first one I can remember who raised the issue. He struggled with it back then as we are all doing today.

The third persistent problem is the cyber espionage threat. The commercial world only really became aware of the issue when the Chinese government compromised Google at the end of 2009. The US military had been dealing with the Chinese cyber espionage threat, back then known as TITAN RAIN, for at least the decade before that. But Stoll claims that his book describes the first public case where spies used computers to conduct espionage, this time sponsored by the Russians. The events in The Cuckoo’s Egg started happening in August 1986, almost 15 years before TITAN RAIN, and some of the government characters that Stoll deals with in the book hint that they know about other nonpublic espionage activity that happened earlier than that. The point is that the cyber espionage threat has been around for some 30 years and shows no sign of going away any time soon.

The fourth and final persistent problem is really not a cyber problem at all but an intelligence discipline problem. Throughout the book, Stoll struggles with the idea of whether or not to publish his findings. He describes the problem like this:

“If you describe how to make a pipe bomb, the next kid that finds some charcoal and saltpeter will become a terrorist. Yet if you suppress the information, people won’t know the danger.”

That is the classic intelligence dilemma. It goes directly to the Snowden issue today, wherein the lefties are concerned about privacy and want transparency for all security matters. The righties value security over privacy and worry that transparency will give too much information away to the bad guys. In my heart, I think there is some middle ground that could be reached. Since 9/11, the United States has swung in the direction of security over transparency. I do not see that changing anytime soon. Stoll definitely comes down on the side of transparency, but like I said, he is a self-described “mixed-bag of new-left, harmless non-ideology.”

A Side Note

On 3 November 1988, 34 minutes after midnight and almost a year after Stoll concluded his forensics investigation on the Russian-sponsored cyber espionage ring, Robert Morris Jr. brought the Internet to its knees. He launched the first ever Internet worm, and for at least some days after, the Internet ceased to function as UNIX wizards of all stripes worked to eradicate the worm from their systems. Aside from the coincidental timing of the worm, the reason this is significant to this book is that Robert Morris’ father, Bob Morris Sr., was Stoll’s contact at the NSA during the investigation. He was one of those human vacuum cleaners taking in information but not giving any out. By all accounts, Bob Morris Sr. was a computer wizard in his own right and I have often speculated about how much his son picked up at the dinner table from his dad about the theoretical ways one might attack the Internet.

The Tech

The egg in The Cuckoo’s Egg title refers to how the hacker group compromised many of its victims. It turns out that the real-life cuckoo bird does not lay its eggs in its own nest. Instead, she waits for some other kind of bird to leave its nest unattended. The mother cuckoo then sneaks in, lays her egg in the unoccupied nest, and sneaks out, leaving her egg to be hatched by another mother. Similar to the cuckoo bird, Stoll’s hackers took advantage of a security vulnerability in the powerful and extensible GNU Emacs text-editor system that Berkeley had installed on all of its UNIX machines: the editor’s movemail helper program was installed setuid root, which let the intruder plant a file of his own in a privileged system directory and, when the system ran it, hatch a superuser shell from someone else’s nest. As Stoll said, “The survival of cuckoo chicks depends on the ignorance of other species.”

The spy ring spent a lot of time trying to take over regular user accounts so that they could log in as those users and look around the system without causing alarm. In one instance, after gaining superuser privileges with the Emacs attack, one hacker opened up the system’s password file. He still did not know what the passwords were for the users on the system, because the file held only their encrypted (one-way hashed) forms. Instead of trying to break them, he just erased one of them. He picked a specific user and blanked out that user’s password field. When he logged in as that user later, the system granted access, since there was no longer any password guarding the account.

After a while, the hacker started downloading the entire password file to his home computer. Stoll later discovered why: the hacker was executing what was, to Stoll, a brilliant new attack. He encrypted every word in the dictionary with the same algorithm that encrypted the passwords and compared the result against the encrypted passwords in the downloaded file. Any match told him a user’s real password, and he could now log in as a legitimate user. Offline dictionary attacks are standard today, but back then this was a new idea to most administrators. It worked because the password file, hashes and all, was world-readable, which is exactly the weakness that shadow password files were later introduced to close.
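To make the two tricks above concrete, here is an added example (mine, not code from the book or from Stoll) that runs both checks over a constructed passwd-format file: first it lists accounts whose password field has been erased, then it runs the offline dictionary attack. Real BSD systems of the period used crypt(3), a DES-based one-way function whose two-character salt is stored as the first two characters of the password field; the `toy_crypt` function below is a SHA-256 stand-in that keeps that salt layout only so the example runs anywhere, and the usernames, passwords and word list are all made up.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3) (assumption: SHA-256 instead of DES). Like the
    real thing, the two-character salt is prepended to the stored value, so
    anyone who can read the password file can recover the salt."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:11]
    return salt + digest


# Constructed sample /etc/passwd: world-readable, hash in field 2, as on a
# BSD system of the period. Names and passwords are invented.
SAMPLE_PASSWD = "\n".join([
    "root:" + toy_crypt("wizard", "Xy") + ":0:0:Charlie Root:/:/bin/sh",
    "alice::1001:20:Alice:/u/alice:/bin/csh",          # password field erased
    "bob:" + toy_crypt("unicorn", "Qq") + ":1002:20:Bob:/u/bob:/bin/csh",
    "carol:" + toy_crypt("x7!pQ2#vL", "Ab") + ":1003:20:Carol:/u/carol:/bin/sh",
])

# Constructed attacker word list standing in for "every word in the dictionary".
DICTIONARY = ["aardvark", "password", "unicorn", "berkeley", "wizard", "tiger"]


def parse_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (username, password_field) pairs from passwd-format text."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append((fields[0], fields[1]))
    return entries


def find_passwordless(entries: List[Tuple[str, str]]) -> List[str]:
    """Accounts whose password field is empty: login succeeds with no password
    at all. This is the 'erased password' trick, and the check a defender
    should run on every password file."""
    return [user for user, pw in entries if pw == ""]


def dictionary_attack(entries: List[Tuple[str, str]],
                      dictionary: List[str]) -> Dict[str, str]:
    """Offline dictionary attack. The word list is hashed once per distinct
    salt (not once per user) and each stored hash is looked up in that table."""
    by_salt = defaultdict(list)
    for user, pw in entries:
        if len(pw) > 2:                  # skip empty or locked ('*') fields
            by_salt[pw[:2]].append((user, pw))
    cracked: Dict[str, str] = {}
    for salt, users in by_salt.items():
        table = {toy_crypt(word, salt): word for word in dictionary}
        for user, pw in users:
            if pw in table:
                cracked[user] = table[pw]
    return cracked


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("accounts with no password:", find_passwordless(entries))
    print("cracked:", dictionary_attack(entries, DICTIONARY))
```

Grouping by salt is the detail worth noticing: without a salt, one encrypted dictionary would crack every system on the Internet, which is precisely why crypt(3) had one. With a salt the attacker pays the hashing cost once per salt value instead, which on a file of a few hundred users is still cheap. Carol’s password survives only because it is not in the word list.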

Decades Later

I can’t tell you how pleased I am that The Cuckoo’s Egg still holds up after 20 years. Being my first love and all, the old girl has aged quite well. Instead of playing Jimmy Stewart or Cary Grant in an old black-and-white favorite movie, Stoll fits quite nicely in a modern setting. The book still has something of value to say on persistent cyber security problems like information sharing, privacy versus security or liberty versus control, cyber espionage, and the intelligence dilemma. This book is part of the canon for the cyber security professional. You should have read this by now.
