The astronomers had a different opinion: for two days, they couldn’t work. Their secretaries and grad students weren’t working. Proposals and papers weren’t being written. We pay for their network connections out of our pockets—and this caper made it even more difficult to expand their astronomy networks.
Some programmers see this virus as a useful exercise in raising consciousness about computer security. The virus writer should be thanked. Yeah, sure. Like going into a small town and breaking into people’s homes, so as to impress upon the townsfolk the need to buy strong locks.
Once, I too, would have seen no mischief in this virus. But over the past two years, my interest changed from a micro-problem (a 75-cent discrepancy) to macro-issues: the welfare of our networks, a sense of common fair play, legal implications of hacking, the security of defense contractors, commonweal ethics in computing …
Omigod! Listening to myself talk like this, I realize that I’ve become a grown-up (sob!)—a person who really has a stake. My graduate student mentality of earlier days let me think of the world as just a research project: to be studied, data extracted, patterns noted. Suddenly there are conclusions to be drawn; conclusions that carry moral weight.
I guess I’ve come of age.
The greatest B-movie of all time, The Blob, finishes off with the malignant monster being towed off to Antarctica: it’s harmless when frozen. Then, the words “The End” flash across the screen, but at the last minute, a blob-shaped question mark appears. The monster isn’t dead, only sleeping.
That is how I felt when I finally dismantled my monitors, made the last entry in my logbook, and said good-bye to midnight chases after Markus Hess.
The monster is still out there, ready to come alive again. Whenever someone, tempted by money, power, or simple curiosity, steals a password and prowls the networks. Whenever someone forgets that the networks she loves to play on are fragile, and can only exist when people trust each other. Whenever a fun-loving student breaks into systems as a game (as I might once have done), and forgets that he’s invading people’s privacy, endangering data that others have sweated over, sowing distrust and paranoia.
Networks aren’t made of printed circuits, but of people. Right now, as I type, through my keyboard I can touch countless others: friends, strangers, enemies. I can talk to a physicist in Japan, an astronomer in England, a spy in Washington. I might gossip with a buddy in Silicon Valley or some professor at Berkeley.
My terminal is a door to countless, intricate pathways, leading to untold numbers of neighbors. Thousands of people trust each other enough to tie their systems together. Hundreds of thousands of people use those systems, never realizing the delicate networks that link their separate worlds.
Like the innocent small town invaded in a monster movie, all those people work and play, unaware of how fragile and vulnerable their community is. It could be destroyed outright by a virus, or, worse, it could consume itself with mutual suspicion, tangle itself up in locks, security checkpoints, and surveillance; wither away by becoming so inaccessible and bureaucratic that nobody would want it anymore.
But maybe, if Hess was an exception, if enough of us work together to keep the networks safe and free, this will all be over. I can finally get back to astronomy and have time to spend with my long-suffering bride. I don’t want to be a computer cop. I don’t want our networks to need cops.
The phone’s ringing. It’s Lawrence Livermore Laboratory—a place I’ve stayed away from because they design nuclear bombs. A hacker’s breaking into their computer. They want my help. They think I’m a wizard.
If you’d like the technical details behind this book, read my article, “Stalking the Wily Hacker,” in the May 1988 issue of the Communications of the ACM. It’s a dry, academic paper which highlights the techniques that the hacker used to break into computers.
In addition, I described how to track hackers in “What Do You Feed a Trojan Horse?”—found in the Proceedings of the 10th National Computer Security Conference (September 1987). Because I wrote that paper while the hacker was still actively breaking into computers, it’s about how to trace networks and doesn’t mention our problems.
For more details about the NSA and a bit about their computer security problems, read The Puzzle Palace by James Bamford. Bamford describes the tug of war between the code makers and code breakers—he must have had fun prying those details out of the super-secret agency. David Kahn’s book, The Codebreakers, is a fascinating description and history of ciphers, which suggests how computers use cryptography to protect their data. In Deep Black, William E. Burrows writes mostly about secret observations from spy satellites, but also hints at the use of computers in espionage.
For more mundane, yet valuable descriptions of the problems and techniques of computer security, read Defending Secrets, Sharing Data, available from the U.S. Congress, Office of Technology Assessment, OTA-CIT-310. For a still more technical discussion, try Cryptography and Data Security by Dorothy Denning. The hacker probably wouldn’t have broken into our system had we read (and applied) Unix System Security by Wood and Kochan.
Computer security problems are usually heard first on Internet and Usenet network conferences. These are worldwide electronic bulletin boards—this is often where first rumors of trouble show up. To hear about the latest computer security problems, watch the Unix-wizards, Info-vax, Security, TCP-IP, and Virus-L conferences. There’s a lively, moderated discussion on the Risks-forum conference, where participants discuss social issues relating to computers. There are a few private security conferences as well; their “invitation only” membership is indicative of the paranoia surrounding the field. There are also anonymous and pirate bulletin boards; these seldom have much useful information—but they do tell you what one segment of the population is thinking.
Clifford Stoll is an astronomer by training and a computer security expert by accident. Since catching the “Hannover Hacker,” he has become a leading authority on computer security, delivering more lectures on the subject than he cares to admit. He’s given talks at the CIA and NSA, and has appeared before the U.S. Senate. Stoll is now building software for the Harvard-Smithsonian Center for Astrophysics, and lives in Cambridge with his wife, Martha Matthews, and two cats he pretends to dislike.
Cuckoo's Egg Page 39