Date: Wed, 29 Jul 92 21:17:34 EST From: Gene Spafford Subject: File 1--The Cuckoo's Egg Revisited Cuckoo's Egg Revisited by Gene Spafford When I first read Cliff's book, in draft manuscript form (Cliff sent me an advance copy), I found it gripping. So did my wife. We each found that when we started it, we couldn't put it down until we finished it -- both of us staying up past 3am on a weeknight to read through to the end. We weren't the only ones. When the book was published, I bought copies for some friends, several of whom don't use computers. Almost all of them had the same reaction: they found the book engrossing, entertaining, and informative. Several of them also reported spending late nights (and early mornings!) reading to the end. It wasn't that Cliff set down particularly elegant and engrossing prose that made the book so captivating, although his writing is certainly better than many others evidence. It wasn't because Cliff recounted some high-tech adventure either -- many of the readers (myself included) already had experience with computer security incidents. So why was the book so interesting to us, and to so many other people? It wasn't until a few weeks ago, when Jim Thomas asked if I would do a short retrospective on the "Cuckoo's Egg" that I thought about this question. I even went back and skimmed through parts of the book again. Now that I've thought about it, I believe I know why "Cuckoo's Egg" had such an impact: it was a honest sincere, personal accounting of one person's internal struggle with right and wrong, as well as being a challenging mystery story. Cliff's writing portrayed, for many of us, some interesting conflicts and value judgments. For instance, having strong opinions about some governmental and commercial entities, but finding that they are composed of many well-meaning, genuinely nice people. Or discovering that not every "harmless" act is really harmless when multiplied many-fold. Heroic tales often involve journeys of self-discovery and the loss of innocence; we saw Cliff undergo both. To give a more concrete example of this, I consider the anecdote about how Cliff "liberated" several printing terminals to track the logins a perfect example of how rules, particularly property rules, may sometimes be ignored by someone hot on a clever "hack," as Cliff was. As the story unfolded, he made choices that I know he would have reconsidered later on. I also think that Cliff's account of keeping his system open, and observing the cracker break in to other machines through his, is a perfect example of how difficult some choices are to make, and how they must be reevaluated as time goes on. Was Cliff partially responsible for those break-ins? Was his notification of the sites sufficient to counter the harm he had done? Is the argument that "the bad guys would have used some other route" a valid argument? Seeing those conflicts, even if indirectly, made the book something more than just entertaining. Cliff started as a well-meaning academic with strong views (almost anarchistic, perhaps), and through the course of his personal experience became someone with a different view of society. He underwent a transformation, on the pages before us, from a happy-go-lucky scientist, to someone obsessed with a problem. As he recounted his growing awareness of the vast vulnerability our increasing reliability on computers and networks presents, he made us aware. And with this new awareness, we read about the change in Cliff and his view of the world...and how those around him changed their view of him. Cliff admits that he second-guesses some of his decisions made during the time of his pursuit. He's not sure he did the right thing at every step, and he has paid a high price for doing what he felt was right -- losing many things he treasured before and after the publication of the book. I think that's in the book, too, although maybe not explicitly. Or perhaps its because I know Cliff and have talked to him about being thrust into the spotlight that makes me see those things when I reread parts of the book. He lost some cherished possessions in the midst of battling for his principles, and that is always a gripping theme. So, is "Cuckoo's Egg" still worth reading today? I think so. I didn't find it so gripping this time as the first time I read it, but I saw more of the internal struggle Cliff went through as he pursued his investigation. I also saw how little some things have changed in the our world of networks. The book is still entertaining, too. Cliff's account of drying his sneakers in the microwave oven sounds like something I'd do, and his recipe for cookies is still a bonus. If nothing else, "Cuckoo's Egg" is still a good way to expose the uninitiated to some of the problems with computer security and investigation. For that one reason alone, I think the book will continue to have value to us -- as a place to get dialog started, if nothing else. I reflect on the world in Cliff's book, where sites were regularly broken into without sys administrators knowing about it, where security information was difficult to find, and where it was almost impossible to get law enforcement to care about what was happening. Then I think back over the past few weeks: * I have given several continuing education courses in Unix security, here in the US and in Europe, this summer, and turnout has been good * I've spoken on the phone with people in the FBI and US Attorney's office whose full-time job is devoted solely to computer crime issues * I've read in the paper about several arrests on computer crime charges, in the US and in Europe * I've corresponded with representatives of several security response teams, charged with helping to deal with computer security incidents * I've received court papers identifying me as a witness in an upcoming trial on computer abuse * I've been talking with some law enforcement agents in a (unnamed) nearby state who are concerned about how to define laws that help them stop the "bad guys" yet don't hurt innocent third parties. How different the world is now from when Cliff began his adventure and wrote his book! Although we still have sites run with a cavalier attitude towards security, and although there are still people who try to penetrate whatever systems they can, the situation is not the same. We now have dedicated security officers, a growing security industry, new laws and law enforcement efforts, and coordinated responses to unauthorized access and malicious behavior. It's far from ideal, but awareness is growing. Perhaps "Cuckoo's Egg" has had something to do with those changes? If so, we should be grateful, perhaps, that this catalyst was crafted by someone whose vision is that computers are useful if only we can maintain sufficient trust in each other, and not someone with an urge to legislate tight controls. In a way, that is one of the most enduring aspects of Cliff's writing. It is clear that he loved some aspects of computing. The challenge of tracking his intruder was clearly an element of gamesmanship as well as duty. Cliff, like many of us, came to realize that the world came to his workstation through the magic of networks and computers. That world view, however, is based on a foundation of 1's and 0's that bear no definitive stamp of who sent them. The network provides freedoms to be free of stereotypes, and to express your thoughts to millions. Your thoughts come through, and the reader need never know if you are young or old, tall or short, fat or thin, black or red or oriental or hispanic or mongrel, male or female, hale or crippled. That same freedom, however, requires responsibility to not abuse it, and trust that the 1's and 0's aren't carrying lies. It was Cliff's anger at the end of the book -- that his trust in what came across his computer was violated -- that really brought home the change. His anger, about how the abuse of trust by a few threatens the many, clearly came through to me. His concern for our reliance on computers also was clear. And the irony of the epilogue, tugging at him again, after he said he was giving it all up; "I'm returning to astronomy" are his final words in the last chapter. You can't go back Cliff. Sadly, none of us can. Downloaded From P-80 International Information Systems 304-744-2253