Notes from The Cuckoo’s Egg, Clifford Stoll
Cuckoos will lay their eggs in other nests. The title refers to the way a piece of malicious code can be inserted in an OS’s system directory and “raised as its own.”
This is the catch-me-if-you-can story of an astronomer turned computer security advocate. Throughout, he comments how he’s an astronomer spending all his time working on computer issues. I wonder how many of us these days marvel at how much we’re using ‘the computer’ rather than ‘doing our job,’ that is, what we were professionally trained to do. And I wonder if this is a question that only the digital immigrant would ask.
P48 “ …the Trojan horse attack had failed because the operating system wasn’t exactly what he was accustomed to. If everyone used the same version of the same operating system, a single security hole would let hackers into all the computers….Just like genetic diversity, which prevents an epidemic from wiping out a whole species at once, diversity in software is a good thing.” [….only now almost 20 years after this book was published (1989) Microsoft is ubiquitous.]
P59 “…most networks are finite but unbounded. There’s only a certain number of computers attached, yet you never quite reach the edge of the network.” [I remember a discussion in one of the books I read but I can’t remember the book, that made the point that the internet, or the web, is not infinite – it is finite – but with an infinite number of links. Was it Linked, or The Search, or one of Lessig’s books?]
P87 Stoll received advice from Luis Alvarez to find the hacker: “…be a scientist. Research the connections, the techniques, the holes. Apply physical principles. Find new methods to solve problems. Compile statistics, publish your results, and only trust what you can prove. But don’t exclude improbable solutions – keep your mind open….chase the bastard. Run faster than him. Faster than the lab’s management. Don’t wait for someone else, do it yourself. Keep your boss happy, but don’t let him tie you down….”
P193 Speaking of sensitive documents…”Individually, public documents don’t contain classified information. But once you gather many documents together they may reveal secrets….In the past, to pull together information from diverse sources you’d spend weeks in a library. Now, with computers and networks, you can match up data sets in minutes.” ‘Sensitive but unclassified’ as a new classification of information. I hear echoes of Mitnick’s and Schneier’s books.
P252 Stoll learned that some password cracking techniques had been known for years….”system designers needed to know about this problem…computer managers ought to know too. And every person who used a password should be warned. It’s a simple rule: don’t pick passwords that might show up in a dictionary. Why hadn’t anyone told me?” “…by keeping silent about these computer security problems, they hurt us all.” [This is an ongoing problem: publishing security holes warns people but also provides new routes of attack. There is a level of computer security literacy that is required by all these days. Another item to add to the information or life literacy list.]
P325 Other readings: “Stalking the wily Hacker” May 1988, Communications of the ACM. “What do you feed a Trojan Horse” Proc. 10th National Computer Security Conference (September 1987). The Puzzle Palace, Bamford; “The Codebreakers,” Kahn; “Deep black,” Burrows; “Defending Secrets, Sharing Data,” OTA-CIT-310; “Cryptography and Data Security,” Denning; “Unix System Security,” Wood and Kochan.
Entry filed under: information literacy.