Date: 29 Jun 92 06:11:10 GMT
From: stoll@ocf.berkeley.edu (Cliff Stoll)
Subject: File 6--Hatching the Cuckoo's Egg

HATCHING THE CUCKOO'S EGG
Copyright (c) 1992 by Cliff Stoll

This version is posted to Usenet; ask me before you repost or reprint it. Resend it across networks or archive it on servers, but don't include in any digests, publications, or on-line forums. Ask me first, and I'll probably say OK.

Yes, I'm active on the Usenet, often reading, seldom posting. I keep a low profile partly because I'm busy (writing a book about astronomy) and because I worry that my opinions are given too much attention due to my notoriety.

You'll find my e-mail address in the front page of every copy of Cuckoo's Egg. I read and reply to all my mail. However, because of the huge number (about 18,000 in 3 years), I seldom write more than a short answer. Often I get 3 weeks behind in replying to my mail.

Letters astonish me with their diversity: some say I'm a villain, others a hero. I see myself as neither, but as an astronomer who got mixed up in a bizarre computer mystery.

I'm now back in Berkeley/Oakland/San Francisco. I've cut down on public speaking, mainly because it's exhausting. I'm a member of the EFF, ACM, CSPR, BMUG, AAS, ARRL, NSS, pay all my shareware fees, and floss nightly.

# Point of the book:

I started out by writing a technical summary in the Communications of the ACM, 5/88. This article, "Stalking the Wily Hacker" was for computer techies ... I wrote it in an academic style, and with more technical detail than Cuckoo.

*** Before asking for more information ***
*** about Cuckoo's Egg, please read    ***
*** Stalking the Wily Hacker           ***

Throughout that article, as well as the book, I emphasized the many mistakes I made, the difficult choices I worried about, and the need for communities to be built upon trust.

I began writing a book about the fundamentals of computer security in a networked environment. This was the logical expansion of my CACM article.
My friend, Guy Consolmagno, read the first 5 chapters and said, "Nobody will read this book -- it's just about computers and bytes. Don't write about things. Write about people."

I'd never given it much thought, so I tried writing in first person. You know, using "I" and "me". Weird ... kinda like walking around nude. It's a lot safer hiding behind the third person passive voice.

Since I'd never written anything before, I just followed instinct. I began weaving in different threads: a textbook, a mystery, a bit of romance, and with my sister's suggestion, a coming of age story. Kinda fun to jump from one subject to another.

Although I strongly object to anyone breaking into another's system, I didn't wish to write a treatise against hackers, crackers, or phone phreaks. Rather, I wanted to tell what happened to me and how my opinions developed.

I wrote the book for fun, not money or fame. These have no value to me.

# What's happened since then:

A year after Cuckoo's Egg was published, operation Sun Devil was carried out, Steve Jackson Games was busted by the Secret Service, and Craig Neidorff arrested. I knew nothing about these events, and was astounded to hear of them.

The Cuckoo's Egg has been misused to justify busts of innocuous bulletin boards, restrictive new laws, investigations into networked activity, and who knows what kind of monitoring by big brother. It's also been misused as a cookbook and justification by bad guys to break into computers.

I disagree with all of these. Strongly disagree.

I've repeatedly testified before Congress and state legislatures: I don't want to lose the friendly sandbox that our usenet has become. Our civil rights -- including free speech and privacy -- must be preserved on the electronic frontier.

At the same time, we must respect each other's rights to privacy and free speech. This means not writing viruses, breaking into another's computer, or posting messages certain to cause flame wars.
Just as important, it means treating each other with civility, respect, and tolerance.

# On being notorious:

This incident has been good to me in a few ways:

1) My folks are proud of me. Nothing makes me feel better.
2) I've made many friends, over networks, at meetings, and by mail.
3) Several old friends have looked me up.

And there's a downside:

1) Alas, but the most important person in my life has left. Deep sadness and hurt.
2) I've become a target of phone phreaks and crackers.
3) No privacy.
4) I'm stereotyped and pigeonholed.
5) Some people become jealous.
6) Several old friends have hit me up for money.

# Answers to specific questions:

1) Did Cliff violate Mitre's computers?

As written in Cuckoo's Egg, chapter 25, I logged into Mitre Washington Computer Centre and demonstrated the insecurity of their system. Immediately afterwards, I called Mitre and described the problem to them. Up to that point, they (and I) didn't know where the problem was coming from.

For a week prior to touching their system, I was in contact with several Mitre officers; we had a working arrangement to try to solve our mutual problem. Moreover, I contacted the CEO of Mitre (James Schlessinger) who questioned me at length and thanked me.

2) Did Cliff run off on his own?

At the very start, I contacted three attorneys: our general counsel, my local district attorney, and a friend at the ACLU. Additionally, I asked several professors of law at Boalt Hall and a number of law students. My boss, my lab director, and my colleagues knew what was happening. I contacted systems managers at Stanford, UC/Berkeley, and military sites. I did my best to keep these people in the loop.

3) Was Cliff some kind of sheriff of the west, trampling over rights?

Uh, I never thought of myself that way. Indeed, much of the time, I felt this was a chance to do science -- apply simple physics to a curious phenomenon and learn about the environment around me.
As much as possible, I wished to remain invisible to the person breaking into my computer, while prodding others to take action. As a system manager, I did my best to monitor only the intruder, to keep him from hurting others, and to find out why he was in our system.

4) Did Cliff track these people to support a political position?

No.

5) Am I happy at the sentences meted out to the German defendants?

They received 1-2 years of probation and stiff fines. I don't take joy in wrecking another's life -- rather, I'm sad that this entire incident happened. I am glad that they did not end up in prison, glad that at least one of them has said that he will never again break into computers.