Date: Wed, 29 Jul 92 21:17:34 EST
From: Gene Spafford <[email protected]>
Subject: File 1--The Cuckoo's Egg Revisited
Cuckoo's Egg Revisited
by Gene Spafford
When I first read Cliff's book, in draft manuscript form (Cliff sent
me an advance copy), I found it gripping. So did my wife. We each
found that when we started it, we couldn't put it down until we
finished it -- both of us staying up past 3am on a weeknight to read
through to the end. We weren't the only ones. When the book was
published, I bought copies for some friends, several of whom don't use
computers. Almost all of them had the same reaction: they found the
book engrossing, entertaining, and informative. Several of them also
reported spending late nights (and early mornings!) reading to the end.
It wasn't that Cliff set down particularly elegant and engrossing
prose that made the book so captivating, although his writing is
certainly better than many others evidence. It wasn't because Cliff
recounted some high-tech adventure either -- many of the readers
(myself included) already had experience with computer security
incidents. So why was the book so interesting to us, and to so many
other people?
It wasn't until a few weeks ago, when Jim Thomas asked if I would do a
short retrospective on the "Cuckoo's Egg" that I thought about this
question. I even went back and skimmed through parts of the book
again. Now that I've thought about it, I believe I know why "Cuckoo's
Egg" had such an impact: it was an honest, sincere, personal accounting
of one person's internal struggle with right and wrong, as well as
being a challenging mystery story.
Cliff's writing portrayed, for many of us, some interesting conflicts
and value judgments. For instance, having strong opinions about some
governmental and commercial entities, but finding that they are
composed of many well-meaning, genuinely nice people. Or discovering
that not every "harmless" act is really harmless when multiplied
many-fold. Heroic tales often involve journeys of self-discovery and
the loss of innocence; we saw Cliff undergo both.
To give a more concrete example of this, I consider the anecdote about
how Cliff "liberated" several printing terminals to track the logins a
perfect example of how rules, particularly property rules, may
sometimes be ignored by someone hot on a clever "hack," as Cliff was.
As the story unfolded, he made choices that I know he would have
reconsidered later on.
I also think that Cliff's account of keeping his system open, and
observing the cracker break in to other machines through his, is a
perfect example of how difficult some choices are to make, and how
they must be reevaluated as time goes on. Was Cliff partially
responsible for those break-ins? Was his notification of the sites
sufficient to counter the harm he had done? Is the argument that "the
bad guys would have used some other route" a valid argument? Seeing
those conflicts, even if indirectly, made the book something more than
just entertaining.
Cliff started as a well-meaning academic with strong views (almost
anarchistic, perhaps), and through the course of his personal
experience became someone with a different view of society. He
underwent a transformation, on the pages before us, from a
happy-go-lucky scientist, to someone obsessed with a problem. As he
recounted his growing awareness of the vast vulnerability our
increasing reliance on computers and networks presents, he made us
aware. And with this new awareness, we read about the change in Cliff
and his view of the world...and how those around him changed their
view of him.
Cliff admits that he second-guesses some of his decisions made during
the time of his pursuit. He's not sure he did the right thing at
every step, and he has paid a high price for doing what he felt was
right -- losing many things he treasured before and after the
publication of the book. I think that's in the book, too, although
maybe not explicitly. Or perhaps it's because I know Cliff and have
talked to him about being thrust into the spotlight that makes me see
those things when I reread parts of the book. He lost some cherished
possessions in the midst of battling for his principles, and that is
always a gripping theme.
So, is "Cuckoo's Egg" still worth reading today? I think so. I
didn't find it so gripping this time as the first time I read it, but
I saw more of the internal struggle Cliff went through as he pursued
his investigation. I also saw how little some things have changed in
our world of networks.
The book is still entertaining, too. Cliff's account of drying his
sneakers in the microwave oven sounds like something I'd do, and his
recipe for cookies is still a bonus.
If nothing else, "Cuckoo's Egg" is still a good way to expose the
uninitiated to some of the problems with computer security and
investigation. For that one reason alone, I think the book will
continue to have value to us -- as a place to get dialog started, if
nothing else.
I reflect on the world in Cliff's book, where sites were regularly
broken into without sys administrators knowing about it, where
security information was difficult to find, and where it was almost
impossible to get law enforcement to care about what was happening.
Then I think back over the past few weeks:
* I have given several continuing education courses in Unix
security, here in the US and in Europe, this summer, and turnout
has been good
* I've spoken on the phone with people in the FBI and US Attorney's
office whose full-time job is devoted solely to computer crime issues
* I've read in the paper about several arrests on computer crime
charges, in the US and in Europe
* I've corresponded with representatives of several security
response teams, charged with helping to deal with computer
security incidents
* I've received court papers identifying me as a witness in
an upcoming trial on computer abuse
* I've been talking with some law enforcement agents in an (unnamed)
nearby state who are concerned about how to define laws that help
them stop the "bad guys" yet don't hurt innocent third parties.
How different the world is now from when Cliff began his adventure and
wrote his book! Although we still have sites run with a cavalier
attitude towards security, and although there are still people who try
to penetrate whatever systems they can, the situation is not the same.
We now have dedicated security officers, a growing security industry,
new laws and law enforcement efforts, and coordinated responses to
unauthorized access and malicious behavior. It's far from ideal, but
awareness is growing.
Perhaps "Cuckoo's Egg" has had something to do with those changes? If
so, we should be grateful, perhaps, that this catalyst was crafted by
someone whose vision is that computers are useful if only we can
maintain sufficient trust in each other, and not someone with an urge
to legislate tight controls. In a way, that is one of the most
enduring aspects of Cliff's writing. It is clear that he loved some
aspects of computing. The challenge of tracking his intruder was
clearly an element of gamesmanship as well as duty.
Cliff, like many of us, came to realize that the world came to his
workstation through the magic of networks and computers. That world
view, however, is based on a foundation of 1's and 0's that bear no
definitive stamp of who sent them. The network provides freedoms to
be free of stereotypes, and to express your thoughts to millions.
Your thoughts come through, and the reader need never know if you are
young or old, tall or short, fat or thin, black or red or oriental or
hispanic or mongrel, male or female, hale or crippled. That same
freedom, however, requires responsibility to not abuse it, and trust
that the 1's and 0's aren't carrying lies.
It was Cliff's anger at the end of the book -- that his trust in what
came across his computer was violated -- that really brought home the
change. His anger, about how the abuse of trust by a few threatens the
many, clearly came through to me. His concern for our reliance on
computers also was clear. And the irony of the epilogue, tugging at
him again, after he said he was giving it all up; "I'm returning to
astronomy" are his final words in the last chapter. You can't go back,
Cliff. Sadly, none of us can.