Transcript
Page 1: ETHICS09 - Case Study - The Cuckoo's Egg

+

The Cuckoo’s Egg

Ethical and Professional Computing

Michael Heron

Page 2: ETHICS09 - Case Study - The Cuckoo's Egg

+Introduction

The Cuckoo’s Egg is a tremendously interesting book about computer hacking and espionage. Set back in 1986, when network access was rarer.

It is a fascinating look at some of the issues and legalities about computer crime at that period. Although centred on America, there are lessons that are generalisable to here.

We’ll use it as the launchpad for today’s discussion on the early history of cybercrime. And how we ended up where we are today.

Page 3: ETHICS09 - Case Study - The Cuckoo's Egg

+The Cuckoo’s Egg

Clifford Stoll is a Berkeley astronomer/programmer at the Lawrence Berkeley National Laboratory.

Astronomers say ‘He’s not much of an astronomer, but man what a programmer’.

Programmers say ‘He’s not much of a programmer, but man what an astronomer’.

When his research project is cancelled, he is reassigned to a sysadmin role within the organisation. His first job:

‘Resolve an accounting error of 75 cents’

Back then, computing time was expensive. Departments were billed by the second.

Page 4: ETHICS09 - Case Study - The Cuckoo's Egg

+The Cuckoo’s Egg

It is technically impossible for this to happen. All users are registered with a department. All departments have a billing code. All CPU cycles are strictly monitored.

Stoll investigated the existing programs. A patchwork of tools and routines that worked very well.

The problem wasn’t in the accounting. Every user was being properly billed.

It wasn’t a rounding error.

It had to be something else.

Page 5: ETHICS09 - Case Study - The Cuckoo's Egg

+The Cuckoo’s Egg

Stoll managed to trace the discrepancy to a nine-second allocation of computer time that hadn’t been paid for. But that couldn’t happen, surely. This was a user without a department.

The only people who could add accounts would know of the existing routines. And nobody had added the account, as best they could recall.

The only users who could add ‘raw’ accounts were root users. The superusers on the system.

None of them had done it.

However, an unexpected user was logging into the system. He had left some time ago.
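The kind of reconciliation described on the last two slides, as an added example that is not from the lecture or the book: usage recorded by the operating system is matched against the billing registry, and any CPU time that cannot reach a billing code is reported. The users, departments, billing codes and log records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data; the users, departments and codes are hypothetical.
USER_DEPARTMENT = {"alice": "astro", "bob": "physics", "carol": "astro"}
DEPARTMENT_BILLING_CODE = {"astro": "BC-100", "physics": "BC-200"}
# (user, cpu_seconds) as recorded by the operating system's own accounting.
USAGE_LOG = [("alice", 120), ("bob", 45), ("ghost", 9), ("carol", 300), ("alice", 30)]


def reconcile(usage_log, user_department, billing_codes):
    """Split CPU seconds into billable (per billing code) and unbillable (per user)."""
    billed = defaultdict(int)
    unbilled = defaultdict(int)
    for user, seconds in usage_log:
        department = user_department.get(user)
        code = billing_codes.get(department)
        if code is None:
            # No department, or a department with no billing code:
            # the time was used but nobody can be charged for it.
            unbilled[user] += seconds
        else:
            billed[code] += seconds
    return dict(billed), dict(unbilled)


def discrepancy_seconds(usage_log, billed):
    """CPU seconds the system recorded minus CPU seconds that reached a bill."""
    return sum(seconds for _, seconds in usage_log) - sum(billed.values())


if __name__ == "__main__":
    billed, unbilled = reconcile(USAGE_LOG, USER_DEPARTMENT, DEPARTMENT_BILLING_CODE)
    print("billed per code:", billed)
    print("unbilled per user:", unbilled)
    print("discrepancy (s):", discrepancy_seconds(USAGE_LOG, billed))
```

Every billed user can be correct while the totals still disagree; the gap is the account that exists on the system but not in the registry.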

Page 6: ETHICS09 - Case Study - The Cuckoo's Egg

+The Response

Incident was brought to the attention of the division head. They expected the question ‘Why the hell did you leave our doors wide open?’

Chief system admin wanted to lock the door. Disable the suspect account and then forget about it.

Cliff wanted to send a warning to the hacker. ‘Quit it or we’ll tell your parents’

The division head pointed out the lack of proof. ‘Why are you wasting my time? You don’t know anything and you haven’t proven a whit. Go back and find out. Show me proof’

Page 7: ETHICS09 - Case Study - The Cuckoo's Egg

+To Catch A Hacker

They set up to catch the hacker. But how do you go about doing this?

‘Eyeballs on the problem’ was ineffective. They didn’t know when and where the hacker would strike.

They couldn’t add any tracking software. The hacker might notice and quit the system forever.

They just had to wait until he logged in. Which they did. Which allowed them to find out the physical wire from which the connection came.

Page 8: ETHICS09 - Case Study - The Cuckoo's Egg

+To Catch a Hacker

Line led to a 1200 baud modem. A telephone connection.

Stoll planned to watch all command traffic coming over a 1200 baud connection. Ethical implications here should be obvious.

Department had 50 1200 baud lines. The hacker could be using any.

Tracking from the system itself was problematic. ‘Hey, if your hacker has any Unix experience, he’s bound to notice a change in the daemons’

Page 9: ETHICS09 - Case Study - The Cuckoo's Egg

+To Catch A Hacker

Solution(?): Fifty teletypes, all connected to a line. Located between the modems and the computers.

Sourcing equipment is an issue. Where do you get all of that equipment for a 75 cent intrusion?

Equipment was procured, and Cliff spent a weekend in the lab.

They caught the suspect user logging in. And then they caught him sneaking into the main system through a hole in the operating system.

Page 10: ETHICS09 - Case Study - The Cuckoo's Egg

+The Cuckoo’s Egg

An unauthorised user had gained access to that account. Bad, but not hugely problematic.

However, that account permitted an escalation. Access to one part of the system allows someone to leverage it into access to other parts of the system. What is now known as hacking, but what was then known as cracking. The language has changed a bit since then.

The teletype had caught something not just of interest, but importance.

Page 11: ETHICS09 - Case Study - The Cuckoo's Egg

+The Exploit

Most of the systems of the day were running on Unix. Berkeley had its own particular variant of Unix on its machines.

Most of these systems ran a piece of software called GNU Emacs. This is still around today in an updated form.

In that program is a function called movemail, used to send mail between users on a system. It could be exploited to move a particular file anywhere in the computer system.

That could be used to move a file into a privileged directory. Which would allow a file to be executed by the root account.

Page 12: ETHICS09 - Case Study - The Cuckoo's Egg

+The Exploit

In doing this, any user who understood the flaw could become a super-user. With full, unrestricted access to the underlying system. … including adding accounts without going through the auditing software.

Super users can go anywhere, change anything, and then silently remove all evidence. No-one can spy on a super-user unless from a machine to which the super user had access.

An exploit in the movemail system permitted full access to the entire machine. The hacker could read sensitive files, explore user mail messages, and so on.

Page 13: ETHICS09 - Case Study - The Cuckoo's Egg

+Ethical Considerations

In small groups:

What are the professional and ethical implications of someone having superuser access?

What are the professional and ethical implications of there being a security hole like this?

What responsibilities lie with the systems administrators for not knowing the exploit existed? Remember, you couldn’t just google information back then.

What are the ethical and professional implications for Clifford Stoll who uncovered the hack?

What should the systems administrators do next?

Page 14: ETHICS09 - Case Study - The Cuckoo's Egg

+The calls are coming from inside the house!

With access to emails, the hacker was able to locate new accounts to compromise. People would email each other usernames and passwords at the time.

The hacker watched his tracks carefully. Made sure nothing important had changed. Killed programs that may have caught his activity.

Reading personal files revealed new computers to exploit. And often the passwords.

Hacker exploited trust relationships to access remote computers.

Page 15: ETHICS09 - Case Study - The Cuckoo's Egg

+Trust Relationships

One of the ways in which systems can interact is through whitelists. If this request is coming from this computer, it must be fine.

However, that works on the assumption that computers are secure. Those whitelists permit security violations if compromised.

In many cases, passwords weren’t needed. Superuser access on one system permitted access to another.

Every new machine yielded new secrets.
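The exposure that host whitelists create, as an added example that is not from the lecture or the book: given each machine's list of hosts it accepts without a password, it computes every machine that becomes reachable once a single host is compromised. The host names and trust lists are constructed for illustration.

```python
from collections import deque

# Constructed example: each host maps to the hosts it accepts without a password.
TRUSTED_BY = {
    "workstation": [],
    "lab": [],
    "mail": ["workstation"],
    "fileserver": ["mail"],
    "backup": ["fileserver", "mail"],
}


def reachable_from(compromised, trusted_by):
    """Hosts that can be entered, directly or in steps, starting from one host."""
    # Invert the whitelists: source host -> hosts that will accept it.
    accepts = {}
    for host, sources in trusted_by.items():
        for source in sources:
            accepts.setdefault(source, set()).add(host)

    seen = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for nxt in accepts.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return seen


def exposure_report(trusted_by):
    """For every host, the sorted list of hosts exposed if it is compromised."""
    return {host: sorted(reachable_from(host, trusted_by)) for host in trusted_by}


if __name__ == "__main__":
    for host, exposed in exposure_report(TRUSTED_BY).items():
        print(f"{host}: {exposed}")
```

A host that no whitelist names, such as `lab` here, exposes nothing beyond itself; a host at the start of a chain exposes everything downstream of it.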

Page 16: ETHICS09 - Case Study - The Cuckoo's Egg

+What now?

What should happen now? There is a real risk to the system.

They couldn’t just reinstall a base installation if the system was torched.

Backups existed, but were irregular and perhaps unreliable. Endemic at the time.

Closing up shop is ‘easy’. Delete the suspect accounts. Patch the flaw in the operating system.

But…

Page 17: ETHICS09 - Case Study - The Cuckoo's Egg

+Informational Asymmetry

Here we encounter a situation of informational asymmetry. Each party knows things the others don’t. Each party is unaware of things that the others are aware of.

The hacker knows: What exploits he has made use of in the system. What logic bombs or viruses he may have planted in previous journeys.

The hacker doesn’t know: His intrusions have been noticed. He’s being recorded.

Page 18: ETHICS09 - Case Study - The Cuckoo's Egg

+Informational Asymmetry

The danger is that closing up shop will allow the hacker to sneak in under other loopholes. If there’s one, it must be assumed there are others.

They don’t know how long the hacker has been active. If it’s been long enough, even the backups held by the organisation might be tainted by the hacker’s modifications.

The lab’s decision: ‘This is electronic terrorism. Use all the resources you need. Take all the time you want. Track him down and nail him’

Page 19: ETHICS09 - Case Study - The Cuckoo's Egg

+Ethics

In small groups:

What are the ethics of surveillance here?

Does a private company have the right to snoop on all conversation in the hope of catching a bad guy?

What are the ethics of shutting up shop?

What are the ethics of allowing the hacker to continue to roam through the system?

Should users be warned? But what if that tips off the hacker?

Is this electronic terrorism?

Page 20: ETHICS09 - Case Study - The Cuckoo's Egg

+Shift the Scene

Let’s shift the scene a bit. Modern day United Kingdom.

We have a piece of legislation that is relevant here. The Computer Misuse Act of 1990.

Creates three criminal offences:

Unauthorised access to computer material. 6 months imprisonment and a £5000 fine.

Unauthorised access with intent to commit or facilitate commission of further offences. 6 months/fine on summary conviction, 5 years on indictment.

Unauthorized modification of computer material. 6 months/fine on summary conviction, 5 years on indictment.

Page 21: ETHICS09 - Case Study - The Cuckoo's Egg

+The Computer Misuse Act

Under what sections is the hacker behaviour now made illegal?

Section 1: Access to computer material is unauthorized – he was never given a password to the system.

Section 2: Intent to commit or facilitate commission of further offences – searching out new systems and recording passwords, as well as killing monitoring.

Section 3: Unauthorized modification of computer material – killing running processes, modifying user accounts.

Page 22: ETHICS09 - Case Study - The Cuckoo's Egg

+The Computer Misuse Act

The act was amended in 2006. To make it a criminal offence to ‘make, supply or obtain articles for use in computer misuse offences’. Hacking and cracking tools.

Before the act, such activities were not illegal.

In 1985, Robert Schifreen was part of a hack that obtained sysadmin access to the Prestel computer system. This gave him access to 50,000 customers. Including Prince Philip.

He couldn’t be charged with hacking. It wasn’t an offence.

He was instead charged with forgery. And was acquitted.

Page 23: ETHICS09 - Case Study - The Cuckoo's Egg

+Computer Crime

There is a lot more to the Cuckoo’s Egg scenario than discussed here. I heartily recommend the excellent book on the subject.

However, our discussion so far has highlighted the context within which the computer industry once functioned. Based on trust. Little direct legislation. Numerous ethical issues in detection.

Security systems have hardened since then.

Legislation has been enacted.

Still, computer crime is rampant.

Page 24: ETHICS09 - Case Study - The Cuckoo's Egg

+Timeline of Computer Crimes (Derived from Parker, SRI)

1960s Hacking (exploratory), specialized fraud, blackmail

1970s Privacy violations, salami slicing violations, phreaking

1980s Software piracy, viruses

1990s IP spoofing, computer espionage

2000s Automated hacking, transnational organised crime and terrorism

Page 25: ETHICS09 - Case Study - The Cuckoo's Egg

+An Escalating Problem

To begin with, computers were relatively rare and localised. A hacker couldn’t do too much damage to a local system.

Some subsets of computer were located on the burgeoning internet. Riskier, but access was more limited.

Computer data is valuable. Often more valuable than the computer equipment.

Understanding the value of data began reasonably early. A programmer who destroyed test data for Concorde demanded £250k for the return of backups.

Page 26: ETHICS09 - Case Study - The Cuckoo's Egg

+An Escalating Problem

Computers begin to find a niche in economic fraud. Fake insurance policies. Shaving pennies off large transactions. Falsified earning figures.

Employees hired with the purpose of creating programs to institute financial fraud.

November 2, 1970 – an employee hired to create a program that generated fictitious insurance policies.

1971, program extended to reinsure phony policies, and to create death claims on policies.

1973, program extended to ‘kill off’ enough phantom policyholders to meet requirements but not raise suspicions of auditors.

Page 27: ETHICS09 - Case Study - The Cuckoo's Egg

+An Escalating Problem

In 1983, Department of Defence computers are penetrated. Sometimes by bedroom hackers. Sometimes by foreign intelligence.

Pay per view television channels hacked with the use of fixed ‘decryption’ boxes.

Denial of service attacks begin to escalate from ’98 onwards. Now account for 2% of all the traffic on the internet.

Napster and Limewire

Pirate Bay and Demonoid

Page 28: ETHICS09 - Case Study - The Cuckoo's Egg

+Categories of Computer Crime

Many categories of computer crime: Spam, Fraud, Obscene content, Harassment and Threats, Cyber Espionage, Cyber Warfare.

In some cases, computers are an incidental tool. Used for their ability to facilitate other kinds of crime. High level encryption. Steganography.

Page 29: ETHICS09 - Case Study - The Cuckoo's Egg

+Discussion

Group discussion:

Outline several highly prominent incidents of cyber crime you can recall.

What are the ethics of providing high level encryption on the open market? Used by restrictive governments. Used by child pornographers. Used by drug traffickers. Used by upstanding citizens.

Is ‘hacking’ a ‘proper crime’ if it’s done purely for the love of knowledge?

What about white hat versus black hat hacking?

Page 30: ETHICS09 - Case Study - The Cuckoo's Egg

+Conclusion

Computer crime is a growing problem. And was a problem even in the early days of the computer revolution.

The Cuckoo’s Egg case highlights numerous issues with enforcement. Who watches the watchers? How far can surveillance go? How do you balance user requirements with investigatory responsibilities?

Can you ever truly protect a system? And if you can, at what cost?

