Computing Reviews
Today's Issue Hot Topics Search Browse Recommended My Account Log In
Review Help
The cuckoo’s egg: tracking a spy through the maze of computer espionage
Stoll C., Doubleday, New York, NY, 1989. Type: Book (9789780385249461)
Date Reviewed: May 1 1990

All computer professionals interested in some realistic examples of systems security should read astronomer-cum-wizard Clifford Stoll’s book about his pursuit of the person he once characterized as the “wily hacker” [1]. They, and the lay public as well, will be rewarded with much entertainment in addition to enlightenment, because Stoll, whose writing if not inspired is at least adequate to the book’s purpose, makes his story accessible and interesting to anyone.

Along the way, Stoll does an excellent job of making two very important points:

  • (1) Those who make unauthorized use of systems burden all of society with the restrictions, inconveniences, and other costs of the defenses needed to safeguard well-behaved and productive users’ access to those systems, and

  • (2) Today, at least on certain popular and vital systems, those defenses have begun to be burdensome without achieving the desired effectiveness.

Stoll makes an important point about effectiveness when he quotes National Computer Security Center (NCSC) Chief Scientist Bob Morris: “Any system can be insecure. All you have to do is stupidly manage it” (p. 240). The unauthorized use Stoll details was possible because people executed insecure software with system privileges, “[left] accounts protected by obvious passwords . . . [mailed] passwords to each other . . . [and failed to monitor] audit trails” (p. 275). The first of these lapses gave rise to the book’s title: the hacker used a privileged utility to lay in the system’s “nest” an “egg,” that is, a program that would give him privileges when the system executed it, just as other birds adopt the hatchlings of the cuckoos who lay eggs in their nests.

Much of the book concerns the author’s interactions with agencies whose acronyms have three or four letters. His accounts of how he tried and usually failed to enlist them in his hunt are the most interesting parts of the book.

In criticizing systems’ vulnerabilities, the author confines his remarks to the systems actually involved, a well-advised departure from the generalizing approach of his previous paper [1], in which he referred categorically to “vendors.” On a key UNIX-related point, chosen-plaintext attacks on irreversibly encrypted passwords, Stoll refers to Morris and the National Security Agency’s NCSC when he asks rhetorically “if NSA had known of this for ten years, why hadn’t they publicized it already?” (p. 252). Morris detailed the exposure in two papers [2,3], but neither is in Stoll’s bibliography, and he may well have failed to encounter the point in reading the works that are.

The bulk of the text seems designed to build suspense up to the dramatic denouement of the hacker’s exposure. The book’s dust jacket, the author’s subsequent public interviews, and stories in the major media in March 1989 limit the possibilities for suspense on many points, however. Opinions will differ on how the story is enlivened by allusions to the author’s personal life, but computer professionals are likely to find them more of a distraction than a diversion. Two genuinely amusing anecdotes concern microwaved sneakers and Stoll’s interaction with Morris, including Stoll’s near-suffocation by Morris’s chain-smoking in an airtight Volvo.

The book appears to have been very competently edited except for one garbled sentence on page 251 and the use of “who” for “whom” throughout. Readers may wish to know that “NTISSIC” is the National Telecommunications and Information Systems Security Committee, not “a governmental organization whose acronym has never been decoded” (p. 254).

All in all, the book is must reading for all who think that their network-linked computers are invulnerable to unauthorized use, and recommended reading for everyone else.

Reviewer:  S. A. Kurzban Review #: CR114096
1) Stoll, C.Stalking the wily hacker. Commun. ACM 31, 5 (May 1988), 484–497.
2) Morris, R. and Thompson, K.Password security: a case history. Computing Science Technical Report #71, AT&T Bell Labs, Murray Hill, NJ, April 3, 1978.
3) Morris, R. and Thompson, K.Password security: a case history. Commun. ACM 22, 11 (Nov. 1979), 594–597.
Bookmark and Share
Would you recommend this review?
Other reviews under "Security": Date
Computer security handbook
Moulton R., Prentice-Hall, Inc., Upper Saddle River, NJ, 1986. Type: Book (9789780131658042)
Aug 1 1987
Identity authentication based on keystroke latencies
Joyce R., Gupta G. Communications of the ACM 33(2): 168-176, 1990. Type: Article
Sep 1 1990
Application of big data for national security: a practitioner’s guide to emerging technologies
Akhgar B., Saathoff G., Arabnia H., Hill R., Staniforth A., Bayerl P., Butterworth-Heinemann, Waltham, MA, 2015.  316, Type: Book (978-0-128019-67-2)
Sep 8 2016

E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright 2004™
Terms of Use
| Privacy Policy