Computing Reviews
The cuckoo’s egg: tracking a spy through the maze of computer espionage
Stoll C., Doubleday, New York, NY, 1989. Type: Book (ISBN 9780385249461)
Date Reviewed: May 1 1990

All computer professionals interested in some realistic examples of systems security should read astronomer-cum-wizard Clifford Stoll’s book about his pursuit of the person he once characterized as the “wily hacker” [1]. They, and the lay public as well, will be rewarded with much entertainment in addition to enlightenment, because Stoll, whose writing if not inspired is at least adequate to the book’s purpose, makes his story accessible and interesting to anyone.

Along the way, Stoll does an excellent job of making two very important points:

  • (1) Those who make unauthorized use of systems burden all of society with the restrictions, inconveniences, and other costs of the defenses needed to safeguard well-behaved and productive users’ access to those systems, and

  • (2) Today, at least on certain popular and vital systems, those defenses have begun to be burdensome without achieving the desired effectiveness.

Stoll makes an important point about effectiveness when he quotes National Computer Security Center (NCSC) Chief Scientist Bob Morris: “Any system can be insecure. All you have to do is stupidly manage it” (p. 240). The unauthorized use Stoll details was possible because people executed insecure software with system privileges, “[left] accounts protected by obvious passwords . . . [mailed] passwords to each other . . . [and failed to monitor] audit trails” (p. 275). The first of these lapses gave rise to the book’s title: the hacker used a privileged utility to lay in the system’s “nest” an “egg,” that is, a program that would give him privileges when the system executed it, just as other birds adopt the hatchlings of the cuckoos who lay eggs in their nests.

Much of the book concerns the author’s interactions with agencies whose acronyms have three or four letters. His accounts of how he tried and usually failed to enlist them in his hunt are the most interesting parts of the book.

In criticizing systems’ vulnerabilities, the author confines his remarks to the systems actually involved, a well-advised departure from the generalizing approach of his previous paper [1], in which he referred categorically to “vendors.” On a key UNIX-related point, guessing attacks on irreversibly encrypted passwords (the attacker encrypts candidate plaintexts with the same one-way function and compares the results against the readable password file, so no decryption is ever needed), Stoll refers to Morris and the National Security Agency’s NCSC when he asks rhetorically “if NSA had known of this for ten years, why hadn’t they publicized it already?” (p. 252). Morris detailed the exposure in two papers [2,3], but neither is in Stoll’s bibliography, and he may well have failed to encounter the point in reading the works that are.
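The exposure the review refers to, as an added illustration that is not code from Stoll’s book or from the Morris and Thompson papers: once the file of irreversibly encrypted passwords is readable, an attacker needs only the same one-way function and a list of candidate plaintexts, which is exactly why the “obvious passwords” mentioned on p. 275 were fatal. The salted SHA-256 stand-in for the system’s password encryption, the four-account password file and the word list are all constructed for this example; the systems in the book used the UNIX crypt(3) scheme instead.

```python
"""Offline guessing against one-way password hashes (added example)."""
import hashlib


def one_way(password: str, salt: str) -> str:
    """Stand-in for the system's irreversible password encryption.

    Assumption: salted SHA-256 is used here only so the script runs
    anywhere; the scheme is not the one the book's systems used.
    """
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user: str, password: str, salt: str) -> str:
    """Format one line of the constructed password file: user:salt$hash."""
    return f"{user}:{salt}${one_way(password, salt)}"


# Constructed sample of a world-readable password file (not real accounts).
SAMPLE_PASSWD = [
    make_entry("astro", "password", "k3"),        # obvious password
    make_entry("sysop", "sysop", "Qz"),           # same as the account name
    make_entry("guest", "guest123", "7a"),        # account name plus digits
    make_entry("cliff", "v8mZ#pL2!qRx", "Xy"),    # not derivable from a list
]

# Constructed word list of "obvious" candidates.
WORDLIST = ["password", "guest", "guest123", "secret", "root", "welcome"]


def candidates_for(user: str, wordlist: list[str]) -> list[str]:
    """Word list plus guesses derived from the account name itself."""
    return list(wordlist) + [user, user + "123", user[::-1]]


def guess_passwords(passwd_lines: list[str], wordlist: list[str]) -> dict[str, str]:
    """Return {user: recovered_password} for every entry a candidate matches.

    The attacker never inverts the function: each candidate is encrypted
    with the entry's own salt and the result compared with the stored value.
    """
    recovered = {}
    for line in passwd_lines:
        user, field = line.split(":", 1)
        salt, stored = field.split("$", 1)
        for cand in candidates_for(user, wordlist):
            if one_way(cand, salt) == stored:
                recovered[user] = cand
                break
    return recovered


def work_factor(passwd_lines: list[str], wordlist: list[str]) -> tuple[int, int]:
    """Encryptions needed to test every candidate against every account:
    (unsalted: one per candidate, shared by all accounts;
     per-account salt: one per candidate per account).
    This is the point of the salt Morris and Thompson describe."""
    n_users = len(passwd_lines)
    n_cands = len(candidates_for("x", wordlist))
    return n_cands, n_cands * n_users


if __name__ == "__main__":
    hits = guess_passwords(SAMPLE_PASSWD, WORDLIST)
    for user, pw in hits.items():
        print(f"{user}: recovered '{pw}'")
    missed = [l.split(":", 1)[0] for l in SAMPLE_PASSWD if l.split(":", 1)[0] not in hits]
    print("not recovered:", missed)
    print("work factor (unsalted, salted):", work_factor(SAMPLE_PASSWD, WORDLIST))
```

Three of the four constructed accounts fall to a nine-word list plus account-name variants; only the account whose password appears in no list survives, and a per-account salt only multiplies the attacker's work by the number of accounts rather than stopping the attack, which is the reason the review treats weak passwords, not the encryption, as the lapse.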

The bulk of the text seems designed to build suspense up to the dramatic denouement of the hacker’s exposure. The book’s dust jacket, the author’s subsequent public interviews, and stories in the major media in March 1989 limit the possibilities for suspense on many points, however. Opinions will differ on how the story is enlivened by allusions to the author’s personal life, but computer professionals are likely to find them more of a distraction than a diversion. Two genuinely amusing anecdotes concern microwaved sneakers and Stoll’s interaction with Morris, including Stoll’s near-suffocation by Morris’s chain-smoking in an airtight Volvo.

The book appears to have been very competently edited except for one garbled sentence on page 251 and the use of “who” for “whom” throughout. Readers may wish to know that “NTISSIC” is the National Telecommunications and Information Systems Security Committee, not “a governmental organization whose acronym has never been decoded” (p. 254).

All in all, the book is must reading for all who think that their network-linked computers are invulnerable to unauthorized use, and recommended reading for everyone else.

Reviewer:  S. A. Kurzban Review #: CR114096
1) Stoll, C. Stalking the wily hacker. Commun. ACM 31, 5 (May 1988), 484–497.
2) Morris, R. and Thompson, K. Password security: a case history. Computing Science Technical Report #71, AT&T Bell Labs, Murray Hill, NJ, April 3, 1978.
3) Morris, R. and Thompson, K. Password security: a case history. Commun. ACM 22, 11 (Nov. 1979), 594–597.
Security (K.6.m ... )
Abuse And Crime Involving Computers (K.4.2 ... )