The Cuckoo's Virus

The hacker. The speed of light. The beauty of constraints. What is about Clifford Stoll that arouses such a need for conversation? Cliff Stoll is a lunatic in the sanest sense of the word. He doesn't so much present an argument as digest it with his mouth open. It's not pretty but somehow it works. My interview with Cliff Stoll remains the most requested of my One on One interviews. It's not hard to fathom why. He has been a prolific speaker and author. In this interview we discuss his first book, The Cuckoo's Egg. He subsequently went on to write Silicon Snake Oil and High Tech Heretic. People often ask me if I know his email address. I don't.

One on One Clifford Stoll
Published, May 1993

I'm wearing a white hat, not a black hat: I don't write viruses.

If your main interest is the identity of the spy, let me get that detail out of the way. The spy was a 27-year old German named Markus Hess whose address at the time he was arrested for espionage was #3A Glocksee Strasse, Hanover, Germany. To Clifford Stoll, the scientist who tracked the computer spy over a three-year period and wrote a best-selling book about it, this piece of information is very much a minor detail.

Stoll is a scientist. Where other people saw a crime, he saw a science project. While some people were outraged, Stoll was fascinated. Sure he wanted to catch the spy, but only as the end product of rigorously tracing the spiderweblike filaments of deception back to their origin and narrowing his hypotheses.

Stoll, an astronomer by inclination, is trained to look at the big picture. In 1988, as recounted in his book, The Cuckoo's Nest, while making ends meet as a systems manager Lawrence Berkeley Laboratory, Stoll encountered an unauthorized computer user. The lab's computer chargeback system had blown up because it could not account for 75 cents of computer time. It took three years for Stoll to prove that a spy was using the computer as a launching pad through Internet to hack at hundreds of military, industrial, and academic computers in search of secrets for the KGB.

An astronomer by training and a computer expert by accident, Stoll has improbably become an expert on computer security. He has given talks to the FBI, CIA, and NSA. The improbable part is that much of Stoll's culture has been, well, antagonistic toward much of what those three-letter agencies represent. He lives in Berkeley, California, a community that often regards itself as a republic separate from the United States.

Let's look at the objective reality. You wear second-hand clothing and beat-up shoes. Your hair is long and not on a first name basis with a comb or brush. You identify with left-leaning types who are, at best, apolitical, and, more often than not, unapologetically anarchist. You live in Berkeley, where the motto on the city seal probably says, "Property is a crime."

[Laughs] Thanks. I love being reduced to a cultural stereotype. Don't forget, my favorite rock group is the Grateful Dead.

I rest my case. Here's my point: You could have ignored the hacker. In fact, in your book you write that many of your friends criticized you for being an agent of the oppressive system by tracking down the spy. When did you decide you had a responsibility here?

I was walking along one of the basement corridors and I happened to glance up. The open ceiling was brimming with wires, pipes, and cables. Most of them were clearly marked: hot water, cold water wastewater, gas, steam, electric conduit. And then I saw a bright orange Ethernet cable. It was unlabeled but I knew what it was. And then it struck me. If the Ethernet cable broke, there'd be a puddle of bits and bytes on the floor and who would I call? If someone was stealing electricity, we had an electrician. If someone was purloining water, there was a plumber on staff. But who is responsible for protecting the Lab's information, which is far more valuable commodity than electricity or water? It came into my head that I was responsible.

How did that moment feel?

It was a transcendent moment for me. Nobody asked me to do this job. I was hopelessly inadequate to handle the situation. I had zero experience and zero resources. It turned out that, fortunately or unfortunately, I happened to be the best person available.

Why did you call your book "The Cuckoo's Egg?

The spy who sneaked into our system behaved like a cuckoo bird. The cuckoo lays her eggs in other birds' nests, hoping that some other bird will unwittingly provide for the care and feeding of her chicks. The survival of cuckoo chicks depends on the ignorance of other species. The spy became a super-user on our system by laying an egg-program into our computer, letting the system hatch it and feed it privileges.The spy found a hole in our system, inserted an egg-program, and eventually assigned himself total privileges.

You set up an elaborate system to alert you when the spy was on your system. After watching the spy steal information from military computers, you called in the Feds. Was that a hard decision?

Sure. My friends accused me of being co-opted by the State. But I didn't exactly feel like a tool of the ruling class, unless imperialist running dog puppets breakfasted on stale granola. My guts told me that the CIA should know and I ought to tell them.

Not too long ago, CIA recruiters were demonstrated against on the Berkeley campus. And here you were on the phone with the spooks.

Here's the thing. The CIA miraculously changed its inherent nature the day I called. Before I picked up the phone, the CIA assassinated foreign leaders, killed innocent peasants in Central America, subverted democratically elected countries, and spied on US citizens. The day I called, the CIA happily transformed into a benign organization of potentially inestimable value to me.

Eventually you worked with agents of the FBI, CIA, NSA, etc. Your impressions?

The three letter agencies have a strange vocabulary. When they talk about "bailiwicks," the inevitable three words that come first are "that's not our". When they talk about "turf", they always start it out by saying, "that's our".

As you described them, the Federal agencies seemed driven by paranoia, turf battles, and bureaucratic inertia. How did you keep from getting frustrated and bitter?

Oh no! You don't get bitter. The whole thing for me was learning. You see, I was learning the whole time. Not just about how this guy broke in my computer and how he became super user, and not even learning about to make traces. Of course, I'm learning about that and that's delightful. But I'm also learning about how bureaucracies work. I'm learning about how the government connects with the people it serves. I'm learning about how organizations respond to novel problems. How a secret organization deals with something like this. What an opportunity. Frustrated yes, but bitter, never.

You got such limited cooperation.

Sure. But they really tried. They cooperated as much as they were within their limited scope able to cooperate. They were bound by law and their limited experience. This situation had never happened to them, therefore they did nothing.

This never happened to you, either, but therefore you did as much as you could.

My ethic was research. My ethic was scratch around and figure out what's going on. They're ethic was, "Oh, let's follow our instructions. If there's no instructions there's nothing to follow and they paddle around. For me, it was a chance to learn. It was a chance to figure out what's going and see what bizzareness I could bump into.

Did you ever consider injecting a virus to zap the hacker?

Yes, but I quickly abandoned the idea. I decided, I'm wearing a white hat, not a black hat. I don't write viruses. I don't have any truck with people who do. Besides, I didn't want to take the chance that a virus could get away from me and infect other systems. I don't want to spread bad news even to people who abuse me. It's much better to do it within the system.

Should corporate employees expect privacy rights over their corporate e-mail messages?

If you're in an office and you write a letter, who owns the letter? Who owns the filing cabinet? The paper? The corporation paid for your time to write it and the materials you used. Certainly, the company owns the physical representation of the letter. Yet it would be a rare company that would assert an unlimited right to go through its employee's file cabinets and desk drawers. This is partly because we acknowledge that people have certain privacy. That privacy begins in my mind. It exists around my home. And there is some amount that I carry to my workplace.

What test can we apply to distinguish between non-private work material and material that ought to be private?

Some things obviously belong to the employer, such as a design for a program or specification. But what about the e-mail between you and another employee? That becomes much less public. What about really private communications, such as "Let's go to lunch at 1:30," or "Yes, let's organize a union." There is much more privilege there. I hope we can differentiate because some messages should not be indiscriminately available for cooperate inspection.

Is the speed of light an absolute?

To the extent you accept Einstein's Theory of Relativity, the speed of light is an absolute. If you want to propose non-Einsteinian universes, hey, you can come up with all sorts of warp speeds and stuff like that. The big problem is that you have to demonstrate that the universe we live in is non-Einsteinian. Our universe, by all measurements we can make, says that the speed of light is an absolute.

What can we do about such constraints?

The fun thing about science is working within a constrained universe. Every project I ever worked on had money constraints, time constraints, and intelligence constraints. Well, the question isn't what could we develop if had enough time, enough money, and enough support? The cool question is, watch what we can develop within this envelope.

It's the same thing with science. You can wish for another set of physical laws. You can even try to find them, just like you can go around trying to find a project that offered all the money you need, no deadlines, and great people to work with. You might find these conditions someday, but I'll bet you won't find that project any easier than you will find an alternate universe where you can travel faster than the speed of light. The cool thing is to find some way to take advantage of the existing universe and do neat things in it.

Back to Favorite One on One Columns