Date: Thu, 17 Sep 92 23:23:46 EDT From: Mike Godwin Subject: File 5--The Cuckoo's Egg and I THE CUCKOO'S EGG and I By Mike Godwin Copyright (c) 1992, Mike Godwin I won't say that THE CUCKOO'S EGG is *the* book that changed my life, but it's certainly *one* of those books. Here's how it happened: In the middle of my last year of law school (1989-90), I was getting bored with the local BBS scene in Austin, Texas. So, I decided it was finally time to do what I'd been planning for a few years--getting an account on a University of Texas system and participating in the huge, distributed, free-floating conference system called Usenet. By sheer chance, this decision came at a time when the Net was particularly hungry for information about hackers and the law. Usenet was still abuzz with discussion about the Internet Worm case, and there was also a lot of talk about the so-called "Legion of Doom" searches and seizures, which focused on three alleged hackers in Atlanta. (As a third-year law student preparing to become a Texas prosecutor, I had plenty of answers to the legal questions that flooded Usenet newsgroups like misc.legal and comp.dcom.telecom.) And, of course, there were lots of references to a book by some guy named Stoll, who apparently had caught some hacker spies. A fellow Austin BBSer named Al Evans told me he'd been enthralled by the book, and when I saw it listed in the new acquisitions at my law school's library, I decided to check it out. The book was a revelation, and it kept me up half the night--I ended up reading it in one sitting. The mystery of the Hannover Hacker was only part of what fascinated me--the book, almost incidentally, included the first *interesting* discussion I'd come across of the structure and dynamics of the Internet. The image I formed of the Hacker's leaping from network to network helped me begin to appreciate the vast, complicated, deeply connected computer and telephone networks that crossed the oceans and pierced national borders without a pause. I found Cliff's story also to fit well with what I knew, from my own associations with researchers, what life can be like for working scientists. There is a point in the book where Cliff's curiosity and desire to find "the answer" kicks into overdrive--it's then that you see why he became an astronomer. For me, one of the most inspiring passages in the book is Cliff's account of his discussing the Hacker with Nobel Prize-winner Luis Alvarez: "Permission, bah. Funding, forget it. Nobody will pay for research; they're only interested in results," Luie said. "Sure, you could write a detailed proposal to chase this hacker. In fifty pages, you'll describe what you knew, what you expected, how much money it would take. Include the names of three qualified referees, cost benefit ratios, and what papers you've written before. Oh, and don't forget the theoretical justification. "Or you could just chase the bastard. Run faster than him. Faster than the lab's management. Don't wait for someone else, do it yourself. Keep your boss happy, but don't let him tie you down. Don't give them a standing target." That's why Luie won the Nobel Prize.... And yet, the same singleminded approach that Cliff (and I) found so inspiring in Alvarez also inspired a lot of the criticism that Cliff has faced from some quarters since the book was published. (More about this later.) At the time I read the book, it had not yet come out in paperback. When I finished CUCKOO'S EGG, I looked again at the forward and discovered that the author had left an e-mail address. Although not always swift on the uptake, I managed to deduce from this that Cliff wanted feedback from his readers, so, after some hesitation, I sent him a letter in e-mail, giving him my reactions, and making a joke about a humorous grammar error in Chapter 45 (for the curious, it's in the top two lines on page 255 in the Pocket Books paperback). To my surprise, I had mail back from Cliff the next day! He was interested to hear my reactions, and was surprised to discover that I was a law student--his wife, Martha, had been a Berkeley law student during the events chronicled in the book, and was now a clerk for Supreme Court Justice Harry Blackmun! We discussed the need for more people on the Net with genuine knowledge of the law--few people had had more experience than Cliff in running up against the "two cultures" division between those representing the legal system (not just lawyers, but also the FBI and the Secret Service) on the one side, and the programmers, scientists, and students who populated the Net on the other. And as our correspondence progressed, we found ourselves talking from time to time about the "hacker cases" that were being reported on Usenet and in the news media. Cliff had seen what happened when well-meaning and informed law-enforcement agents, like Mike Gibbons of the FBI, took on a case in which a computer intruder clearly sought to steal military secrets and sell them to Eastern Bloc spies. What we both were seeing now were cases in which law-enforcement agents and prosecutors were making obvious mistakes and damaging people's rights in the process. The "Legion of Doom" hackers, for example, were accused of stealing the source code for the Emergency 911 System from a BellSouth computer--yet to anyone with even basic knowledge of what a computer program looks like, the E911 "source code" was nothing more than a bureaucratic memorandum of some sort, with a few definitions and acronyms thrown in. (The myth that the Legion of Doom defendants had access to the E911 source code persists to this very day: columnist "Robert Cringely" of INFOWORLD once reported the "fact" that the AT&T crash of 1990 was due to Legion of Doom sabotage, and that same "fact" appears, along with numerous other egregious errors, in the diskette-based press kit for the new movie "Sneakers.") My growing interest in these hacker prosecutions, my discussions with Cliff and others, and my reflections on THE CUCKOO'S EGG started changing my postings on Usenet. Whereas before, I'd limited myself to fairly dry and academic dispositions in answer to abstract legal questions, I found myself getting emotional about some of these cases. The more I learned about how the seizures and prosecutions were hurting individuals and chilling free discussion on the Net (I even lost an account myself as one sysadmin ended public access to his system in order to minimize risk of having his system seized), the more I found myself arguing with those whose justified anger at computer intruders led them to justify, uncritically, any and all overreaching by law enforcement. And then this War On Hackers struck closer to home. On March 1, 1990, an Austin BBS, run by the nationally famous role-playing-game publisher Steve Jackson Games was seized by the United States Secret Service. Although neither Jackson nor his company turned out to be the targets of the Secret Service's criminal investigation, Jackson was told that the manual for a role-playing game they were about to publish (called GURPS Cyberpunk and stored on the hard disk of the company's BBS computer) was a "handbook for computer crime." The seizure, which shocked Austin's BBS community, had the potential to put Jackson, an innocent third party, out of business. The sheer magnitude of the effect on Jackson and his business outraged the members of an Austin BBS called "Flight," which numbered both me and Jackson among its users. Even more outrageous was the failure of the media to pick up on the injustice that had occurred--one Flight user pontificated that this was because the mainstream press had no interest in BBSs, which publishers saw as nothing more than potential competition. I thought this theory was crazy. I had worked as a newspaper journalist before I went to law school, and I'd even taken time off from law school to edit my university's newspaper. I started arguing on Flight that the media hadn't covered the story because they didn't know about it. Or, at least, they didn't understand the issues. Then it hit me. Why was I sitting at my terminal *talking* about reaching the media, when what I should be doing is making sure that the story gets publicized? With something of the same singlemindedness I think Alvarez was talking about, I set out to see that the story of the Steve Jackson Games raid, and of the other cases, got reported in the mainstream press. I gathered together several postings from local BBSs and from Usenet, and I drove down to the Austin American-Statesman office to talk to a reporter I'd been referred to by a friend of mine who worked on the newspaper's copy desk. I took with me photocopies of the statutes that give the Secret Service jurisdiction over computer crime and lots of phone numbers of potential sources. At the same time, I called and modemed materials to John Schwartz, a friend and former colleague who was now an editor at Newsweek. The story made the front page of the American-Statesman the following weekend. And John Schwartz's story, which covered the Steve Jackson Games incident as well as the Secret Service's involvement in a nationwide computer-crime "dragnet," appeared in Newsweek's April 30 issue. When the latter story appeared, I realized that (in a much smaller way, of course) I'd managed to do to the media what Markus Hess had done to Lawrence Berkeley Labs, and what Cliff Stoll had done to the puzzle created by Markus Hess: I'd hacked it! And yet, really, I can't take full credit for getting the story of the SJG raid out; if I hadn't read THE CUCKOO'S EGG, I'd never have started a dialog with Cliff, and I'd never have begun to piece together the significance of the wrongheaded hacker prosecutions that we heard so much about it 1989 and 1990. That's why it always strikes me as odd, and even offensive, when some net.yahoo decides that Cliff's book is responsible for all the offenses committed by law-enforcement agents in their efforts to fight computer crime. As Cliff himself has remarked, I've found [the book] used to justify increased security, raids on bulletin boards, and monitoring of network traffic. It's also used to refine legislation, to expand the Internet, to better define what constitutes asocial behavior on the networks. It started out as a good story, but Cliff has seen it become the justification for all sorts of actions, both positive and negative. And yet Cliff, because he actually took the leap and tried to explain to law enforcement what was going on, often gets much of the blame for the negative results, and little of the credit for the positive ones. This shortsighted, "kill the messenger" mentality may explain why a few readers have gone so far as to vilify Cliff and his book, saying things like "Cliff Stoll is just as much amoral a hacker as Markus Hess." Even when those readers are making the criticism in good faith (and I think many of them are simply motivated by the common American vice of Let's Criticize the Famous), I think they're victims of a basic confusion. True, Cliff was as *singleminded* as Markus Hess was. (It takes a singular obsession to start wearing a beeper designed to go off whenever a certain user logs in.) But the moral and philosophical dimension of his actions was far different from those of Hess, Pengo, and their associates. Although a few of them justified their actions in political terms, for the most part the East German hackers cracked systems in order to get money or drugs; in the book Cliff tracks the hackers partly in order to solve what had become to him a "scientific" problem, but also--as he begins to realize himself in the book--in order to restore a community order that has been violated and disrupted. It is this same sense of a need to protect this vast, virtual community that has led Cliff to change the way he talks about the Cuckoo's Egg case over the last few years. I've had the privilege several times of seeing Cliff entertain an auditorium full of rapt listeners with the story of that tiny accounting error on the LBL computer. Nowadays, he ends his presentation on an uncharacteristically sober note: he reminds his audience that the need to keep computers secure and to instill shared values in our online communities *never* justifies the government's violation of the civil liberties of individuals. To me, all this casts Cliff and his book in a different light. Even now, I can't say I necessarily approve of all the actions Cliff took in trying to catch the East German hackers. (It is a measure of how much the world has changed since CUCKOO'S EGG that it seems odd to write the words "East German.") But when I reflect for a moment and try to imagine what kind of people I'd want to share this networked community with, it's hard to think of a person better than Cliff Stoll--ferociously smart, passionately curious, self-doubting, idealistic, and (to his own surprise, perhaps) deeply moral. Downloaded From P-80 International Information Systems 304-744-2253