In their book Cyberpunk, authors
It’s not just a story of a coming of age for computer intrusion awareness, but it’s also the story of astronomer Stoll’s coming to reconcile his naive world view. Not much is told of the author’s formative years, but by the time he was a 36-year-old post doc at UC Berkeley, his saw things through a short-focus lens that constricted his vision to preconceived notions born of political rhetoric. The Berkeley campus has since the 1960s epitomized radical, left-wing politics, and Stoll, when he came there from a Ph.D. program in Arizona, was apparently already shaped to fit in.
A post doc (post doctoral) position is a non-teaching job for a Ph.D. needing to do advanced work. The positions are typically not permanent, and when Stoll’s grant money ran out he retreated into a position managing the LBL computer system. As it turned out, scant hours into his new job, events launched Stoll into a career-bending trek through the underworld of cyber crime.
Directed to track down a $0.75 discrepancy in computer charges, Stoll lurched into the financial side of machine computation. In a facility such as LBL, computers are a service sold to users of the lab. Various research projects use lab facilities, and their research grants pay the costs of running the computers. center. Billings are apportioned for computer cycles, memory space disk space, and printing services used. Each billing cycle, projects that have accounts on the system are sent a bill. Only in this case, it appeared one user was shorting the system.
When Stoll investigated he discovered a user without an active account, and that user, sventek, was in the name of a researcher who had not been at LBL for a year. Some person was using computer facilities without authorization.
Astronomer turned system manager turned cyber sleuth Cliff Stoll documented his months-long quest for the elusive intruder, tracing him all the way back to Hannover, Germany. Along the way he learned the ins and outs of computer security, computer networking, data communications, governmental bureaucracy, and international law.
He set up a means to monitor the intruder’s actions without, himself, being detected by the intruder, and he watched the person’s activities. Alarmed, he observed the intruder using the LBL computer as a base for breaking into other computers at other locations, some as far away as Fort Buckner in Okinawa. Aghast, he observed the intruder penetrating computers operated by the secretive NSA.
Against his personal prejudices, he felt compelled to bring the case before the local office of the FBI. Surprise, they weren’t interested. They had bigger fish to fry. Their cutoff level was a $500,000 crime. Stoll ultimately found himself talking to, and involved with, the FBI, the CIA, the NSA, and military security services. Toward the end of his quest he’s was giving presentations at the highest levels of these offices at their Washington area headquarters.
Along the way Cliff Stoll pulled back the covers on some ugly truths about early computer security, some of which truths likely remain today. One is a method his intruder used to gain privileged use of the system.
GNU-Emacs is a file editor still in use and still popular with computer programmers. A feature of GNU-Emacs allows the user editing a file to forward a file by mail to another user. Once received, it would place the file in a specified directory without verifying the user had the privilege to write to that directory. The intruder used this mechanism to transfer a bogus atrun program file to a region giving it super user privilege. Once the transfer was accomplished, the UNIX operating system would execute the program, which was set to grant super user privileges to sventek. Super user privileges in a UNIX system place no restrictions on what an account can do.
Another thing Stoll observed was the intruder cracking passwords to log into other systems. This was made possible by users who selected account passwords found in an English dictionary. The intruder did this:
Using super user privilege, copy the password file to the intruder’s own computer. The password file looked something like this:
And so on. There is a list of user names followed by encrypted passwords. When a user logs in he sees something like this:
The user supplies the login name and the password, shown in italics here. The password, purple, goes to the computer. The computer executes the encryption process against the password and compares the result with its encrypted copy. It does not save the bare password, so nobody can come back later and find the bare password on the computer.
The problem is, with a copy of the password file on the intruder’s computer, the intruder can at his leisure, compute the encryption of each word from an English dictionary and match the result against the encrypted password in the file. Once he finds an English word that produces a match, the intruder saves the clear code password for later use. The process can be automated, requiring about one second to encrypt each password for a VAX computer of those days. Guess what, today’s PCs are about 1000 times as fast as those VAXes. To shorten the turn around time, the intruder would likely execute the encryption algorithm once for a dictionary (about 100,000 words) and save the result for later use.
This only works if a user selects an English word. Any variation, random combinations of letters, mixed upper and lower case, the inclusion of numbers and special characters, would defeat this approach by making the search intractable. The sad fact, as Stoll discovered, is many users stuck with easy to remember English words, and the intruder sailed right into their accounts.
Worse yet, many system managers either retained default passwords for privileged accounts when they set up computer systems, or else they left privileged accounts wide open, requiring no password for access. A sample session recorded by Stoll shows the intruder breaking into a military computer by using the default password of a privileged account running on VMS:
WELCOME TO THE AIR FORCE SYSTEM COMMAND— SPACE DIVISION VAX/ VMS 4.4
Computer System problems should be directed to the Information Systems
Customer Service Section located in building 130, room 2359.
Phone 643-2177/ AV 833-2177.
Last interactive login on Thursday, 11-DEC-1986 19: 11
Last non-interactive login on Tuesday, 2-DEC-1986 17: 30
WARNING— Your password has expired; update immediately with SET PASSWORD
Stoll, Clifford. CUCKOO’S EGG (p. 228). Knopf Doubleday Publishing Group. Kindle Edition.
The message indicates the field service account has not been used since 11 December and that the password has expired. Many systems have the feature to expire passwords, hopefully forcing users to change them periodically. In this case, the intruder was so bent on going after something on this system that he forgot to renew the password before logging off. Once he logged off he was unable to log back on. The irony is that Stoll contacted the Air Force System Command about the intrusion and was promised the matter would be taken care of. How the matter was handled was that word was passed down to system administrators that the field service password had expired. The manager of this system then reset the password: to SERVICE! The intruder was subsequently able to log onto the system at a later date! This kind of mindless system management was observed throughout Stoll’s adventure with the German intruder.
The story includes comedy as well as drama. Stoll set himself up with a pager to notify him whenever the intruder logged onto his computer. The pager barged in at the most inopportune times:
In the shower, I felt revived. Martha sudsed my back while I basked in hot water. Maybe the wholesome rustic life wasn’t so bad after all.
Martha was in the midst of shampooing my hair when the nasty whine of my beeper, buried in a pile of clothing, destroyed our peace. Martha groaned and started to protest: “Don’t you dare.…”
Too late. I jumped out of the shower and ran to the living room, switched on my Macintosh, and called the lab computer. Sventek.
A second later, I’m talking to Steve White at his home. “He’s here, Steve.”
“OK. I’ll trace him and call Frankfurt.”
A moment later, Steve’s back on the line.
“He’s gone. The hacker was here a moment ago, but he’s disconnected already. No use calling Germany now.”
Damn. I stood there in utter frustration; stark naked, wet and shivering, standing in a puddle in our dining room, dripping blobs of shampoo onto my computer’s keyboard.
Claudia had been practicing Beethoven, but startled by the sight of her roommate charging, naked, into the living room, she’d put down her violin and stared. Then she laughed and played a few bars of a burlesque tune. I tried to respond with a bump and grind, but was too obsessed with the hacker to pull it off.
I wandered sheepishly back into the bathroom. Martha glowered at me, then relented and pulled me into the shower again, under the hot water.
Stoll, Clifford. CUCKOO’S EGG (p. 255). Knopf Doubleday Publishing Group. Kindle Edition.
The shower incident inspired a suggestion from their roommate Claudia. Why not set a trap for the intruder. The trap involved creating a large amount of phony documentation on Stoll’s computer, documentation that alluded to SDI, the Strategic Defense Initiative popular with the Reagan administration at the time.
The intruder bought into it completely and downloaded massive quantities of useless data, requiring him to stay on line for hours while his connection back to Hannover was traced. Additionally, the documentation included a notice to contact the phony “Barbara Sherwin” at LBL for additional information. Weeks later, after Markus Hess had been arrested, Laszlo Balogh of Pittsburgh, Pennsylvania, sent a letter to “Barbara Sherwin,” requesting additional documentation. The trap was well and truly sprung. The intruder was the only person in the outside world who knew about “Barbara Sherwin.”
In all this Cliff Stoll was constantly stymied by lack of support from government agencies. Even after the FBI, CIA, NSA, and military security became involved in the case, no government funds were forthcoming to support the investigative activities at LBL. The government Department of Energy, which had taken over production of nuclear weapons and nuclear power following World War Two, funded LBL, and Stoll was, from time to time, cleared to continue working nearly full time on the project.
As the case wound down, Stoll could get no information about the intruder from government sources. It was as though he were plugging coins into a vending machine and not getting anything out. A visit to Washington to give lectures on the case culminated with a scheduled lecture at CIA headquarters in Langley. It turned out to be a presentation of a different kind:
So this is the meeting. It turns out that the seventh floor is the hide-out for the CIA’s high-muckity-mucks. Hank Mahoney’s the CIA’s deputy director; grinning nearby was Bill Donneley, the assistant director, and a couple others.
“You mean that you’ve heard about this case?”
“We’ve been following it daily. Of course, this case alone may not seem like much. But it represents a serious problem for the future. We appreciate your taking the effort to keep us informed.” They presented me with a certificate of appreciation— wrapped up like a diploma.
I didn’t know what to say, so I stammered out my thanks and looked at Teejay, who was chuckling. Afterward, he said, “We wanted to keep it a surprise.”
Surprise? Jeez— I’d expected to walk into a room of programmers and give a shoptalk on network security. I glanced at the certificate. It was signed by William Webster, director of the CIA.
Stoll, Clifford. CUCKOO’S EGG (pp. 319-320). Knopf Doubleday Publishing Group. Kindle Edition.
The book concludes with an epilogue, with Cliff and Martha, companions and lovers for over eight years, getting married and moving to the Boston area, where Martha obtained a clerkship at federal court. There, Cliff got involved again when the RTM worm of November 1988 hit his and about 2000 other systems on the Internet. One of the people he contacted early on was Bob Morris at the NSA, a computer security expert he had worked with while chasing the German intruder. Ironically, it turned out the person behind the notorious worm attack was Robert T. Morris, Bob Morris’s son, then studying at Cornell.
The book ends without telling of Stoll’s testimony in Germany in the prosecution of Markus Hess, Pengo, and others. In the end it was determined the Project Equalizer gang had only sold worthless information to the Soviets, and they received light sentences. One, Karl Koch, who used the nom de guerre Hagbard, was an mentally disturbed drug addict who apparently killed himself:
Hagbard was last seen alive on May 23, 1989. In an isolated forest outside of Hannover, police found his charred bones next to a melted can of gasoline. A borrowed car was parked nearby, keys still in the ignition.
Stoll, Clifford. CUCKOO’S EGG (p. 369). Knopf Doubleday Publishing Group. Kindle Edition.
One of the tremendous rewards of working at places like LBL is the opportunity to rub shoulders with the brighter lights of human society.
Depressed, I shuffled to lunch. At the LBL cafeteria, Luis Alvarez sat down across from me. Inventor, physicist, and Nobel Laureate, Luie was the twentieth-century Renaissance man. He didn’t waste time on bureaucracy; he demanded results.
“How’s astronomy?” Even from the stratosphere, Alvarez still found time to talk to pipsqueaks like me. “Still building that telescope?”
Stoll, Clifford. CUCKOO’S EGG (p. 105). Knopf Doubleday Publishing Group. Kindle Edition.
Luis Alvarez was awarded the Nobel Prize in Physics in 1968 for his work on particle physics. He is also credited with proposing an asteroid collision as a contributor to the extinction of dinosaurs 65 million years ago. We saw him featured in Richard Rhodes’ book The Making of the Atomic Bomb:
It’s about people who have already won a Nobel Prize getting dirty and carrying blocks of sooty graphite and packages of uranium compound into the lab. It’s (future Nobel winner) Luis Alvarez first learning of induced fission while reading the San Francisco Chronicle in a barber’s chair and rushing off to his lab, with an unfinished hair cut. It’s General Groves putting a tail on Robert Oppenheimer and learning that the married directory of the Manhattan Project science team spent the night with an ex-girlfriend, who was an avowed communist.
In reviewing Kindle editions I sometimes find problems with books that have been transcribed from hard copy. Often transliteration errors, due to failures of the OCR system, show up. That didn’t explain this strange construction I found on page 308:
But according to Marv, this guy less did it in three weeks.