THE CUCKOO'S EGG

Reviewed 6/27/2014

The Cuckoo's Egg, by Clifford Stoll

THE CUCKOO'S EGG
Tracking a Spy through the Maze of Computer espionage
Clifford Stoll
New York: Doubleday, October 1989

Rating:

5.0

High
ISBN-13 978-0-385-24946-0
ISBN 0-385-24946-2 326pp. HC/GSI $19.95

What a remarkable testament is this first book by Clifford Stoll! There he was, a UC Berkeley astronomer, skillful with computers but hardly the type who seemed likely to plunge into a dogged cyber-search for whoever had run up a $0.75 billing discrepancy in the University's online time accounting.

But that is how it went down. Stoll ended up tracing his hacker into and through various military computer networks, marvelling at how easily the hacker gained access in some cases. Soon Stoll was dealing with the "spooks" — FBI, CIA, NSA — a collaboration which called for some suspension of distrust on both sides. In the end, his information was instrumental to the capture and conviction of somebody using the handle "Jaeger" (which is a clue or two) working on behalf of— Nah, I won't spoil your fun. Read the book; it's entertaining as well as worthwhile.

I first read it soon after it came out, and I was cheering Stoll every step of the way. But then, I'm one of those types that other people tend to call a security prick. At one company, I logged a department's network admin off her terminal after I got fed up with the way she walked off and left it open. She was not pleased. Of course, most people couldn't care less about computer security. They pick passwords that are easily guessed, they use one password on multiple systems, they write passwords down and share them around, and they don't know from password managers. Also they don't back up their data, install software security patches, or update their malware protection.

To keep people from guessing passwords into their supercomputer, Livermore also used random computer-generated passwords, like agnitform or ngagh. Naturally, nobody can remember these passwords. Result? Some people save their passwords in computer files. What good is a combination lock when the combination's scribbled on the wall?

– Page 83

Stoll tackles his self-chosen mission with ingenuity and a sly sense of humor. Among the techniques he uses are a sort of "honey pot" with faux defense information and "Barbara Sherwin", a sock puppet who seems to be a clueless department secretary. Dedication is also required, for his initial contacts with the spooks don't elicit any interest. Fortunately, he has a good teammate in Martha. He writes in a casual, conversational style that will have you turning pages. The text is enhanced at intervals by snatches reproduced from printouts, his primary means of recording the hacker's activities. Mistakes are few. I recomend this highly, but due to its lack of an index, I don't consider it a keeper.

1 I recall an incident from about 1995 when the W.E.L.L. (an early bulletin board system) hired a consultant to test the passwords of their users. In a fairly short time, he had gotten access to something like 96% of the accounts he probed, simply because their passwords were easy to guess.
The tendency to pick weak passwords is the reason random character strings are now mandatory in many places. However, companies are often equally lax. When you read you will find several examples: operating systems installed without changing the default passwords used by the vendor. One example is Username: Field; Password: Service. (See pp. 184-5.) Another is (or was then) the Ingres database system described on p. 224.
2 In this regard, the advice given by Luis Alvarez (pp. 86-7) is very interesting.
Errata for The Cuckoo's Egg
Valid CSS! Valid HTML 4.01 Strict To contact Chris Winter, send email to this address.
Copyright © 2001-2024 Christopher P. Winter. All rights reserved.
This page was created in 2001. Its contents were last modified on 16 July 2024.