As his TED Talk biography states, “When Clifford Stoll speaks, you can’t help but listen.” This video of his keynote address at the recent CrowdStrike Fal.Con Unite 2017 cybersecurity conference proves how true that assessment is. His rousing presentation captivated the audience from the minute he took the stage.
As an astronomer, teacher and author of the popular book, “The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage,” Stoll has been mesmerizing his students and other audiences for decades with his lively antics, insights, droll wit and fascinating life experiences. An authentic pioneer in the field of cybersecurity, he is responsible for inventing some of the essential tools still in use today by security professionals all over the world.
CrowdStrike CTO and Co-Founder Dmitri Alperovitch, who introduced Stoll’s keynote address at the conference, said, “Cliff Stoll is the man who discovered a nation-state hack way back in the 1980s when he was the administrator of a network at the university (Berkeley). He really invented most of the capabilities we now rely on. For instance, Cliff invented the original honeypots; he invented computer forensics systems; he invented attribution back in the day — some 30 years ago. We couldn’t think of a better speaker to have at our initial conference.”
Clifford Stoll graduated from the University of Arizona with a PhD and has had a variety of roles from engineer at a New York radio station to teacher to administrator at the Lawrence Berkeley National Laboratory. His incredible story of discovering and foiling an unprecedented and brazen cyberattack by nation-state-sponsored agents against what was then known as the ARPANET, predecessor of the internet, has inspired generations of cryptologists and cybersecurity professionals.
Learn more about the first CrowdStrike Fal.Con Unite Cybersecurity Conference, which was held in November 2017.
Renowned Author Cyber Pioneer Cliff Stoll Mesmerizes at CrowdStrike Conference
And now it’s my great pleasure to introduce a true legend in this field. When we were thinking about who we can bring on as a keynote speaker to this event, this person, Cliff Stoll, is the man that discovered the original Russia hack back in the 1980s when he was an administrator of a network in the university. And stumbled upon an intrusion from hackers working on behalf of the KGB. And really invented most of the capabilities that we now rely on.
I talked about honeypots. Cliff did the original honeypots. He invented intrusion detection systems. He invented original forensics systems. He invented original attribution back in the day, 30 years ago.
So we couldn’t think of a better speaker to have to talk about that original incident. And I’m told that he even has some of the original materials that he prepared back in the day as he was tracking that adversary. So Cliff, come on up here. Thank you.
Many, many thanks. Some of you realize for the past couple of years I’ve been doing mathematics. I’ve been tickled and honored to– when Dmitri invited me up here. Amongst other things I do the mathematics of topologies. I’m honored to pass along a Klein bottle to you, Dmitri.
Thank you so much.
The cool thing about a Klein bottle in Fal.Con of course is that a Klein bottle is a mathematical structure whose inside is the same as the outside. That has zero volume, mathematically, but physically, has volume. And it appears to be one thing while being something far more than that. And so I pass this along to you with a smile from Berkeley, as well as my appreciation for the next half hour or so.
Many, many thanks. You’re asking me questions– come on, who cares? When I was invited up here, I said, oh hot damn, this is cool. And as some of you realize, I’m allergic to PowerPoint. And so I rousted around in my attic and found a bunch of view graphs.
These are view graphs. And a few of you graybeards have seen them before. Most of you have not. These particular view graphs come from a talk that I gave in 1987 at Fort Meade, at the NSA.
They invited me to give a talk about some computer problems that we had in the ’80s. And they said look, you can’t bring your own view graphs. We have to make them for you because, remember, we’re the NSA in Fort Meade. You could come along and rub this acetate against the cat, charge it up electrostatically, put it on something secret, walk away with it, and then put powder on it so you’d be able to figure out the secret document. And all of a sudden I’m thinking, yeah.
So these are original NSA view graphs that go back to– so oh, doesn’t work. Cool. So when I was at Harvard-Smithsonian Center for Astrophysics– and I assume this is invisible to most of you. Sooner or later, perhaps it’ll show up. But when I made this I was at Lawrence Berkeley Laboratory up in the northern part of the state.
And up in Berkeley the rule back then was that every view graph and every piece of AV material had to have a logo on it. So now on the average you’ve seen the logo on every one of these. So my question was, hey look, what do you do when somebody is breaking into your system? What’s the logical thing?
Remember all of this is from the mid-1980s. And seems to me it’s pretty obvious. When you find somebody breaking into your system, you disable his access. You lock the door. Keep out. You cork up whatever security holes there are.
You tell the people who are your sysadmins, the people in charge of your computer, but you don’t publicize it. You keep it quiet. However, nobody told me these things. So when I find somebody breaking into my computer, I let the bastard in. And I keep the hole wide open.
On the other end, I want to monitor everything. I want to hold this guy in my hand. I want to know every keystroke that is coming in and every piece of data that’s going out. Meanwhile, I want to trace things backwards. I want to find out what the connectivity is from over here to over there. And I want to know just how do you get from here to there.
We know that it’s physically possible, but what is that physics? Meanwhile, I want to make noise. I want to tell people that I think are the right people. Turns out that Fort Meade, the NSA, was the wrong people for various reasons.
But possibly, Dmitri, possibly. It might be today. Some of you may be the right people. So all of which comes down to a point that I think is obvious.
I’m an academic. I’m allergic to money. I’m allergic to corporate everything, but it seems to me that when you don’t understand something, when something weird is happening, and you can’t figure it out, it’s an opportunity to do research. It’s a chance for you to get out and figure things out.
This means do freshman physics. Do the kind of physics that you know you learned long ago. Keep a notebook. Write things down. Do your own homework.
Don’t let somebody else do your work for you because they won’t do as good of a job as you will. They’ll misunderstand what you’re doing. Find new methodologies. The cool thing about computing is there’s thirty ways to do the same thing, most of which will waste your time.
Compile statistics and keep track of what’s happening, but only trust what you can prove. Yesterday, a delightful talk some of you were sitting in on, by Paul Moon, on where he’s developing chains and saying, well, it can go in this way or this way. And there’s an overlap here, but I believe– it was just warming my heart to hear somebody actually saying, oh yeah we can prove this much, we could suspect this much, and we can sort of wave our hands and say over there it’s possible.
Publish your results. A rule of thumb at the observatory is when you go observing, at a telescope, if you don’t write it down, it didn’t happen. If you don’t publish it, you don’t tell people about it, it’s going to happen again to somebody else only worse.
Finally, and this I think is perhaps one of the few carry home things that I have to say is, don’t give up. You know when you’re doing the right thing. You know when you’re on a trail that’s interesting.
Lots of people will say, oh, are we OK? Are things getting by? Then just do that. And don’t waste your time on things that don’t concern us. You know when you’re doing something important. Do it. Don’t give up.
Geez. Here’s a paper I published in 1988. This is really antiquity. Oh, this is memory lane. So I remember all of this happened in 1986, so more than a quarter century. This is like 30 years ago.
During this time, Lawrence Berkeley labs had one– For all of computer security for a laboratory of 5,000 people, our entire computer security budget was one quarter of an FTE. Our entire budget for the project was $0.00, corrected for inflation, that’s $0 million. All the funding came out of our overhead.
I’d rather be doing physics. I’d rather be doing astronomy. I might add, if you had been here 30 years ago, I’d still be doing astronomy today. I blame plenty of problems that I had in chasing down this hacker on the lack of Fal.Con 30 years ago. So put Alex on to making a way back machine.
OK, so we don’t have any money. We also have no expertise. This was 1986. We have no experience in what to look for. We can’t publicize. We can’t go to what was then UUNET
We couldn’t publicize this, because we’d tip our hand. We don’t know what other people are doing. Then we have no mandate. Nobody said, hey, it’s your job to chase these people. Nobody said, oh, you’re on to something cool. Do it. Quite the opposite.
Our funding agency, the Department of Energy said, whatever you do, don’t let anybody find out that there is a hacker in your system. We will cut your budget because that’s a bad thing to happen. So what do you do when you’re broke, when you’re stupid, and when you’re discouraged? Well you come up with primitive tools and cheap methodologies.
You take a screwdriver and you use it as a chisel. You can take a crescent wrench and you use it as a hammer. You come up with creative solutions, out of which grew what today is the field of cybersecurity. The phrase had no meaning during this time.
And oh, cool. For those of you in the front row, here’s my talk. And last night over some Coca-Colas, a new friend of mine named [INAUDIBLE] said would you talk about [GIBBERISH]. And I said, yes I will. And I’ll save that till the last five minutes. Would you be so kind, as five minutes before the end, just say, shut up, Cliff. Great, thank you. Thank you, Hope.
I had been doing astronomy, developing off-axis hyperboloid mirrors on a bunch of Sun workstations and VAX VMS computers and any hardware I could get. And our project was no longer designing the telescope. We were building the telescope in Hawaii, that would become the Keck 10-meter telescope. So I’m doing physics and things.
And our grants ran out, so I went down to the basement of building 50 of Lawrence Berkeley lab in Berkeley, California. And I’d been there for three or four days and a computer sort of went belly up. In short, what can I say, we had some ether– something called a Cisco router, which was two or three rack panels. And every three or four weeks, engineers from Cisco would come and visit because it was a really cool thing.
And nobody had thought about it. It was Cisco’s number three router that they’d ever made. These are net connected, a bunch of UNIX systems, Sun workstations, and various things like this. Local topology had about 50 serial lines using things called modems. I’m sorry, for those of you under 40, a modem was a little box that did cool things.
And our idea was we could collect money. We could pick the pockets of various physics and mathematics and astronomy people by charging money every time they used one of these workstations. Instead of having personal workstations, we’d buy for [INAUDIBLE].
So we hire a freshman computer science major at UC-Berkeley to write a program that did accounting, so that every time somebody used one of these machines, a little ticket would come out over the ether into the accounting program. And it would debit the department at the end of every month. We’d say, oh, physics department owes us $100. So and so owes us $125. Standard, easy stuff to do.
I had just started to work there and this piece of software in the accounting program was floating dead in the water. And people said, hey, figure it out. So I started poking around.
It didn’t take long to realize that somehow or another, some usage had occurred on one of our UNIX boxes from a guy named Sventek that didn’t have an accompanying entry in the database down here. In other words, there was a user who had an /etc/passwd entry on this UNIX box, but didn’t have an accounting entry. And this was odd because anybody who would ever add an account would know to add an account there and there and do them simultaneously. In fact, we had a script to do this.
And so sitting in the back of a lecture hall, it didn’t take long to figure out what the root cause of our troubles was. This accounting program did not check for bad data. They don’t teach you error correction until you’re a sophomore at UC-Berkeley. And so I’m looking at this and saying, oh, that’s cool. We fix it and patch it.
And then in the back of a lecture on gravity waves, I remember sitting there being bored to death. There’s all these integrals on the front board. And I’m thinking about this. How could somebody add a user to this account? How is that possible?
I’m thinking, I wouldn’t do it, so and so wouldn’t do it. It seems to me you’d have to have root access to add a new user to the /etc/passwd file. It can’t be possible. The more I thought about it, the more possible it became. So I decided clearly whoever added a new user here, is not an insider.
Everybody who works at the lab would also add a new user to the accounting system. So I said, oh, let me see what’s going on. Just poke around and look– something you mentioned before, Dmitri– detection. Let me just see if there’s something worth detecting, worth looking over my shoulder. So how would I do this.
Well, I’m too stupid to rewrite the UNIX kernel and maybe I’m too clever to rewrite it. So anyways, it would be visible. So I figure the smart money is to take these RS-232– boy, another thing that doesn’t exist anymore. I’ll multi-drop them into little printers, so that every time somebody comes in on one of these serial lines, I’ll split it, so that I’ll be able to see keystrokes coming in along here. And it’ll go normally like here, but I’ll get a print out of it.
And to do this, I’m going to need 40 to 50 printers and PCs and things that can record data, that have serial lines. So the first thing, of course, is the Macintosh that’s sitting on my desk. Next thing is a little Teletype that’s left over in the closet. Next thing is go to the cubicle next to mine, borrow somebody else’s PC, and get some clip leads and clip them up.
But after about four or five or six, you run out of friends to borrow from. And at that point, I remember one of the very few things that I learned in grad school, namely, it’s easier to apologize afterwards, than to get permission in advance. So I waited around till about 5:30 or 6:00 on a Friday afternoon. And sort of took one of these lab push carts and just went around from office to office, liberating people’s PCs and computer hardware and bring them down to the basement of building 50. And getting some clip leads to clip lead the received data across here.
And got a sleeping bag out and a thermos of vegetarian minestrone soup for myself. Unrolled the sleeping bag next to this old VAX 780 that had nice warm fans to keep me warm at night. And I was surrounded by 40 or 50 printers and PCs and Macs and anything that could record serial line data and all’s happy.
And I wake up the next morning. It’s Saturday morning. And the director of the physics group, my boss, comes by and kicks me out of the sleeping bag and says, there’s been a number of complaints saying that there’s some missing equipment from around the lab. And I naturally say, I don’t know anything about it. I’m surrounded by all this stuff. And he says it would be a right neighborly thing if all of this were returned to the various places. So I say OK and salute and get out the lab cart and start rolling everything back.
And from one of these printers, there are like 10, 20, 30 meters of paper scrolling out. It’s an impact printer. Again, something else that’s obsolete. And I’m looking at it. This was in the days before Splunk, mind you. And Splunk doesn’t work very well on paper.
So I’m looking at the stuff and watching somebody come in on one of my lines. And all the stuff is coming out here. They come in. They use a set-user-ID-to-root program, that has a hole in the Post Office Protocol, a mail server, on an old UNIX box. And they fire a crontab that every five minutes would execute it.
They discovered a hole in our system. And after five minutes, they get system manager privileges. They disable the accounting. And OK, that much I can sort of understand.
The weird thing is, they turn around– I’m watching this– I’m looking at this– they go out over our ether, through the router of all things, out into something that I’ve never heard of before, called the ARPANET. And they start going out, trying to break into MILNET machines, which were, at the time, 10.7.– something– something– and just methodically typing in MILNET addresses of the Air Force and the army. I’m like, absolutely weird. And as sort of an aside, Berkeley is on the far left of the continent. I mean you’d expect somebody in Berkeley to be searching for words like “granola”.
But instead these are people searching for “atomic bomb secrets” and “strategic defense initiative” and things like this. Absolutely weirdness. And I’m seeing this. You can’t come in. And I’m seeing all the stuff and I’m like weirded out. This is like bizarre.
So Monday morning, we get together and the laboratory director is there. He has a beard and a tie. I mean he’s really important.
And we have a meeting. He says, look someone’s breaking into our system. They have root access. They’re coming in from someplace else. They’re holding us hostage, essentially. Look I want you to catch the guy. Take all the time, all the resources, or anything you need. Catch the guy. Take three weeks if you have to. Catch the guy.
Sorry I’m sort of either getting ahead or behind myself or to the side of myself. So I had a little bit of permission to scurry around and do this kind of thing. So I printed out every keystroke and every bit of data that came in and went out from this SOB. Over the next 11 months, and we watched him over this time, Sventek tried to break into about 40 or 50 machines.
Remember, this at the time was a huge number. Today most of you are running enterprises where 40, 50 computers are in one department. But this is a long time ago.
Look at this. Check this out. I made this slide when the FBI wouldn’t let me say where he was coming from. They said don’t say anything, even to a classified organization. So I couldn’t say they’re coming from Hanover, West Germany but I had to say H period Europe. We were able to trace things back.
Meanwhile, we had contacted anybody that we thought would be willing to help out. The Department of Energy who essentially said, don’t do anything. Shut it off. And that didn’t seem like fun.
I should point out to you– what happened here was these tickets that were coming through were for relatively small amounts of money. We were charging our people $10, $20, $50, or $100 a month. And the amount of money that we’d actually lost on this was $0.50 to $0.75 worth of computing time on one of our Sun workstations.
So I call up the FBI and say, hey FBI, somebody’s breaking into my computer– this is the FBI Oakland field office– somebody’s breaking into my computer. They’re screwing around. They’re going over the ARPANET. And they’re breaking in. They’re becoming root and Telnet. And they’re going go across here and there.
And the guy at the FBI says, oh my god, that’s serious. How much money have you lost? I say well we’ve lost about $0.75. And the guy at the FBI says call back when you’ve lost half a million dollars or million dollars.
So along the way we called the Air Force Office of Special Investigations. AFOSI, at the time, was in charge of the military side of ARPANET, which would eventually become the internet. And we had a serious problem because what in physics or electrical engineering might be called an impedance mismatch, their language in the Air Force was significantly different from the academic language that we spoke. They talked about people like colonels and lieutenants and things like this while we talked about professors and grad students. It was difficult to talk to them.
We talked to the National Computer Security Center, which is a branch of the NSA. And the NSA was absolutely delighted and happy to hear everything that we had. They wanted to get copies of our logs. They wanted to get copies of my notebooks. They wanted to find out–oh, set user ID. Tell us all about it.
And if there’s enough time later on get me to show the NSA quiz that they gave me, which is cool, but I might not have time for it. But when I said hey can you help out? Can you help us get a trace across the Atlantic? Guy at the NSA says, look we’re from the National Security Agency. We cannot even confirm that we’re talking to you, let alone help you.
It’s an interesting thing that unless you have something completely finished, and in this case essentially all done, nobody’s going to pay any attention to you. And so it’s a chance to learn about how the world works. We call up the CIA, the FBI, the BBC, B.B. King, Doris Day, anybody that we can think that might be willing to help, and everybody wants to hear your story. Nobody wants to help.
So it goes way back to when I said do your own homework. Nobody else will do it for you. Meanwhile, we’re analyzing all the data that’s coming through, and we’re finding that this guy is trying to do military break ins and stuff like this. Absolutely bizarre. And the only people who cared, wouldn’t help.
Meanwhile, this was before spelling, spellcheckers existed, we’re doing the kind of statistics that you guys would do. We find that about one in 20 computers– and this is 1986– are simply, terrifically vulnerable using guest and anonymous passwords. Using trivial holes that even I could figure out how to exploit.
About two years ago, a group did a generalized phishing campaign to see how many people at a place that I worked would respond. And the answer is 10% to 30% of people just regularly click on stuff that they should never click on. So my feeling is not a lot has changed. But everything has changed.
How much time– our reaction– Have a meeting. Try to catch the guy. Ring an alarm. I set up serial line analyzers. This is long ago. Just got a Hewlett-Packard serial line analyzer. Every time a bit pattern went past the serial line that corresponded to either the passwords or the methodology that this person typed in, it would pull a relay.
The relay would cause a dialer to dial a Pageboy pocket pager, which would ring me in the middle of the night. It’s sort of a very early, kind of pattern recognition, that of course today is commonplace. We print out whatever he did. We disconnect him if there was danger. My way of disconnecting them was to walk behind the computer, take some keys, and just jangle them on the RS-232 connector so it just emulated noise. That way things just slowed down.
Watching this one guy– And again, this seems trivial today. I apologize for wasting your time on trivialities. We watched somebody try to break into 400-500 MILNET machines, stealing long distance telephone service– and once upon a time it cost money. Stole network user IDs, killed processes, changed data, and exported files, killing any auditing processes– the intruder would attempt to become root and shut off any–
We’d watch password cracking via dictionaries. This was utterly astonishing to me. It never occurred to me that encryption could be bypassed so trivially. Password theft by file scavenging, very effective. Just scavenging through files, looking for people who had e-mailed passwords to each other.
Building Trojan horses and things like this. Searching for military keywords like NORAD, North American Air Defenses, and the Strategic Defense Initiative. The guy managed to break into a whole bunch of places. What was curious to me at the time, was that many of these companies, these defense contractors, had specific grants and government contracts to do computer security. So it’s sort of like the shoemaker’s kids are going around barefoot.
Incidentally, feel free to interrupt me with questions. Well I’ve got 10 minutes to talk if I’m– Oh, cool. One of the things you can’t do with PowerPoint, but I can do right now. If you want to leave early, you have now seen all of my slides.
So we traced things over our own local area network, which at the time, was damned hard to do. One of the things that impresses me is how much harder it is to do today. Home networks, with a half dozen routers, are tough to trace. And when you put port scanners on them and start looking at them, it’s really hard to figure out what the actual topology is of trivially simple networks. And you people who are working in the commercial environment, where you have multiple buildings separated by many kilometers, my hat’s off to you. I can’t do what you guys do.
Meanwhile we traced the trouble from our lab back to an X.25 source– another thing that’s obsolete called Tymnet. Tymnet, we tracked to Pacific Bell– Pac Bell is obsolete. It’s long dead– via AT&T long lines– AT&T no longer runs long lines– back to McLean, Virginia. In McLean, Virginia we needed to get a Virginia federal court order. Couldn’t do it.
We’d managed to trace things back to Mitre, Incorporated. Mitre had a modem bank. Call up the guy. And he says absolutely impossible, there’s no way there’s a hacker inside of Mitre. Guy just shuts me down immediately.
And eventually I get through to somebody who says, oh we’ll fix it, we’ll just shut off all of our modems. So nobody can dial in. Nobody can dial out. That solved their problem nicely, but left us hanging.
So working backwards, one MILNET [GIBBERISH], back to Berkeley. We’re tracing things back through Tymnet then, no longer through Mitre. We’re tracking things through an international record carrier, across the Atlantic Ocean to the German Datex-P network, which at that time, Germany was divided in two– East Germany and West Germany. This is all in West Germany.
Public access dial-up modem PADs were common in the 80s, through a phone system back to the hacker. Again this is sort of boring. Again, utterly obsolete. None of you care about this, but at the time this is eye opening to me.
Over here in Berkeley we’re tracing things backwards through RCA-ITT Global Com– all these places don’t exist anymore– back through a university in Bremen, from the University of Bremen backwards. Somebody is doing a lot of hiding. They’re doing their best to make it challenging and difficult to trace them back. Eventually, by watching very carefully what signatures, what passwords, what accounts were being compromised along the way, we’re able to trace things back eventually, to the city of Hanover, Germany.
Oh, cool. Keep me honest. If you want me to go over, give me time. So meanwhile we traced things from Lawrence Berkeley labs back to Bremen, from University of Bremen to Hanover. Hanover, could be anyone there. Again, and a few of you have gray hairs, but most of you don’t, so I’ll have to explain this to the younger crowd. Long ago, telephones were not found in people’s pockets.
They were found– no kidding. No, no, I’m serious. This thing that you call a phone was located on desks. And they had this odd thing called a wire, going to a wall, and when you made a telephone call– OK, believe me, you know, you might not know, but he does– when you made a telephone call, you put your finger in this thing called a dial. You went blyzz click click click click click blyz-click-click-click.
And to make a phone trace, you didn’t sit at the keyboard, you had to get a technician with an ohmmeter or a volt meter, go to the central office, and manipulate things. So that when you made your call, blyzz-dit-dit-dit– they’re a solenoid– no really, it would go zitt-dut-dut-dut, zit-doot-doot-doot. And this was how you made a phone trace. And would take an hour because somebody would have to wake up in the middle of the night and drive down to the telephone exchange.
So they needed a signal from Berkeley. Well that’s easy. Every time the guy broke in, I had a pager set up. They needed to do two hours– an hour or two– to complete the call.
Is there some chocolate milk or something here? My throat hurts. No? No chocolate milk.
Oh, wonderful. Wonderful.
I got a couple of minutes left. Hope Jones has a noose around my neck that I can’t go over, and pain of death.
But I’ve got to talk about one of my favorite subjects in mathematics, namely game theory. Game theory is extraordinarily powerful. Game theory is a wonderful way to analyze what’s going on in the world. And of course, the most interesting game is chess.
So wouldn’t it be cool to always win at chess? Wouldn’t that be damn wonderful? I’m not talking about getting 1,200 or 1,400 scores, I’m talking about consistently getting 2,000 3,000 ratings. This guy, Arthur Bisguier, is going to teach me and you how to win it chess.
“Ten Tips to Win at Chess”. Arthur Bisguier, he’s not just your ordinary master chess player. He’s a grandmaster. Even beyond that, he’s an international grandmaster.
Turns out, that game theory says that winning chess is homomorphic to– maps directly onto– winning in life and solving hacker problems. And all you need to know is rule number two. More chocolate.
Rule number two is all you need to know because game theory says, if you can win at chess, you can win almost anywhere. When in doubt, when you’re working on any chess problem whatsoever, when you’re there, sweat on your brow, trying to figure out how do I do this, always apply rule number two, namely, “make the best possible move.”
Those of you of the female persuasion, at least as important, is rule number four.
So in the immortal words of the Berkeley Daily Tribune, this article comes from the 1987 copy of the Tribune, “Stoll and his sweetheart were in the shower together one day–” we were conserving water up in Berkeley, so that it could be sent down to San Diego “–when they come up with the answer that they called ‘Operation Showerhead’. They’d create a very large file full of completely bogus information about the things that they knew the hacker was interested in. He’d spend a couple hours downloading it. They’d be able to trace him. ‘We tried to make the files look really bureaucratic and boring,’ his girlfriend said, ‘if we had said, look here, it’s classified, he’d have caught on right away.'”
In other words, a classic honeypot. “The trick works. Hacker comes across it. Spends more than an hour downloading it. During that time, West German police, the Bundespost, were able to trace his telephone number. Stoll and his girlfriend celebrated the triumph with milkshakes made from homegrown Berkeley strawberries.”
So we created this absolutely fictitious thing called the Strategic Defense Initiative Network. These bogus files created were just simply bureaucratic memos– descriptions– of this phony military network. All you do is take ordinary, boring, bureaucratic memos and letters that you find on everybody’s desk and change things from professor and grad student and dean and just change them all to colonel and general and lieutenant. And all of sudden it sounds military.
January 16, 1987, the intruder breaks in, reads all of these files, he sees them there. I made sure they were not world readable. We’re able to trace things back. And typical of these files– “SDI Network Project, LBL Mail Stop, 50351 Name, Name, Address, City-State, Dear sir, thank you for your inquiry about SDINET. We’re happy to comply with requests for more information. Please state which of these documents you want sent to you–”
Does anybody remember the MORE command in UNIX? You’re old. Now everybody uses LESS, right? But here’s this guy typing in MORE to read all of this stuff. This is a document that says “We have in our library 37.6 SDINET overdue Description Document December 1986. Functional Requirements Document blah blah blah blah blah Sincerely yours, Mrs. Barbara Sherwin, Documents Secretary SDI Network Project.” Well, this is the kind of boring stuff that you expect anywhere. So we trace this out, we’re dancing around the backyard singing, ding dong the witch is dead, and all this stuff, having the time of our life.
But the Bundespost criminal doesn’t arrest anybody. They wait. They wait for a day, a week, a month, three months. Nothing’s happening.
Three months later, I get this letter in the mail, addressed to Mrs. Barbara Sherwin, Documents Secretary. I get a letter, addressed to my mail stop in Berkeley– to here. I get the said thing. And it’s addressed. And I open it up. I say, oh my God, this is from somebody asking about the Strategic Defense Initiative.
This letter arrives. And so I call up Mike Gibbons, FBI Special Agent. And he says, whatever you do, don’t touch that letter. Bah! It’s got fingerprints on it. There’s fingerprints on it. Whatever you do, don’t touch it.
No, you can’t touch it. You have to pick it up. Put on latex gloves and get an eight and a half by 11 glassine envelope, and send it to us over here at the FBI Crime Headquarters. And get it to us right away. Whatever you do, don’t pick it up by the edges. That’s where the fingerprints are. You have to pick it up like this.
So I sort of pick it up like this, wearing gloves. I’m trying to get it into a glassine envelope. And I want to run to downtown Berkeley by the Wells Fargo Bank building. And I’m running over there, to get it over to the FedEx mail drop, when accidentally I bumped into a photocopier. And I made a copy.
Here is this guy, Laszlo Balogh, who calls himself Triam International, 6512 Ventura Dr., Pittsburgh, Pennsylvania, writing to the SDI Network Project. Misspells cyclotron as cyclotrob, Berkeley, misspells Berkeley. “Dear Mrs. Sherwin, I’m interested in the following documents. Please send me a price list and update on the SDI Network Project. Thank you, Laszlo Balogh”. He wants document 37.6, SDI, blehh, bizarre. I’m like, this is weird.
In short, we had stumbled on a group of five computer hackers who were breaking into military computers around the world, but mainly in North America. Stealing passwords, breaking and using whatever exploits they could at the time, and then selling this to the East German Stasi, who in turn, contacted some Eastern European organizations. And the next thing you know, this guy who has connections to the Bulgarian intelligence organizations in North America, writes to us saying, hey, give us some more information. And this is like absolutely weird.
And I’m down to one minute. I’d like to say that’s the end of what I have to say, but I haven’t even started yet.
Take your time.
Yeah, take your time. But there’s somebody sitting in the front row with laser beam eyeballs.
Take your time.
Take your time, but I do have time to talk about all truth?
You got all day.
You got all day, yeah right.
And all day tomorrow.
I’ll try to shut up soon. But seriously, there’s a clock over here.
[CLAPPING] Very kindly, Dmitri kept to it and I’m not supposed to. I know what to do.
Oh, he’s going red now.
No, no, no, don’t do this.
Oh, oh, far out. Having said this, all of you, go back 30 years. Reset your clocks. Just go to System Manager, reset the clock to June 17, 1987. And then teleport yourself to Fort Meade, the FANEX 3 building. I’m presenting a talk there.
But the guys at the NSA say, look, we can’t tell you what we want to know in advance, because then you’d know what we want you to know, or something like this. So instead, in advance, we’re going to come up with one, two, seven, or eight questions– seven questions– that we’d like you to talk about. Please talk about these things.
Chocolate milk. So they want me to say, can you talk about “how the penetrator was tracked, what auditing features exist, how do you audit somebody with system level privilege. Please provide technical details on how to penetrate computers. How are passwords obtained for the Lawrence Livermore Cray computers?” At the time, a Cray computer was– oh, thank you so much– a Cray computer was a system that had almost the same power as this iPhone does today.
“How were super user privileges obtained and did the penetrator guard against detection?” So these were things that they wanted me to talk about. And I looked at them and said, there’s something offensive about this.
Even today, I look at this and I hope that some, if not many, and perhaps all of you, would look at this, and get a deep sense of there’s something damned wrong with this. And as security professionals, I hope that each of you pick up what’s wrong with each of these questions, as well as all of them together. I’ve looked at them and I said, I had no idea that people would ask such questions. And it pissed me off. And today, I continue to be pissed off whenever I see this.
And so I’m sorry guys, but what’s wrong with this is not the content of the question. I expect, and I want, a national defense organization to ask questions and to be astutely aware of these things. No it’s not the content, per se, rather it’s the grammar.
All these questions are third person passive voice. “How was the penetrator tracked?” Who’s doing the tracking? “What auditing features exist?” Who’s doing the auditing? “How does one audit someone with system level privileges?” Who does that apply to?
Those kinds of questions piss me off. And they piss me off when I go to a vendor’s table out here and people speak in the same kind of neutral language. It pisses me off today as it pisses me off then.
I rewrote these questions in my own language. And I can answer them. “How does this bastard break into computers? Which systems does he slither into? How does this scoundrel become superuser? How did the son of a bitch get those passwords? Did the skunk guard against detection? How do you audit a varmint who’s system manager? And how do you trace an egg sucker back to his roost?”
Now those questions– they speak to me. Because what all of you are doing and what I hope to be doing in my life, is to work for that which is good. And the failure to discriminate between people who are evil, people who are thieves, people who will steal things and wreck things, for not just our community, not just our country, but for our worldwide society as a whole, you make no progress as long as you are asking this kind of question. You ask this kind of question, and you check in at 9:00 in the morning and you check out at 5:00 in the afternoon. You ask those kinds of questions, and you wake up at 3:00 in the morning and you’re chewing on your fingernails during the day.
So I assume and I hope and I trust, that if there’s any message that I have to tell you, it’s this, your job is damned difficult because if you do your work perfectly, indeed– If these people over here have done a good job of designing, building Fal.Con– if they have, and I assume you have– no bad things will be happening on your system. [INAUDIBLE] will be fine. You’re going to be happy.
But if things screw up, all hell will break loose in the organization and your name will be on the front page of the New York Times. In other words, you lose in both directions. If everything works perfectly, then nobody ever pats you on the back your neck saying, hey job well done. If things don’t work out and things become muddy, and you’re losing big bucks, then all the blame attaches to you.
So people, I’ve been there. My heart’s with you. I support you deeply. And my claim is if this is the type of work that you’re doing, you’re doing the wrong thing. If that’s your state of mind, then I’m on your side. I’m with you. I’m in your tribe.
Oh, I’d mentioned rule number two. Oh, unite. Oh, I hope in the past five minutes I addressed a comment that I saw up on the screen earlier today, namely unite. Avoid thinking that you’re all alone and oh, I’d better use these passive voice questions and just make some PowerPoint displays. We don’t have any problems. Go away.
Analysis, deception, honeypots, OODA. I’ve covered maybe a little bit of this. But I’d like to say, since I’m way over time, but if I’m clever, I can plug this in and it’ll give me a lot more time. Let’s see if that works. Yeah look at them. Oh, and it’s increasing. With every minute I have more time.
I was an undergraduate at the State University of New York at Buffalo in 1972, studying physics. And there were riots going on. Students were rioting and people throwing bricks and things like this, but I didn’t care, I’m studying physics, astronomy, statistical mechanics, quantum mechanics, stuff like this.
And one evening– it’s an April evening, 1972 ’73– I have a midterm. And so I’m walking across campus with a stack of books under my arm. Landau, Lifshitz, Resnick and Halliday, the usual physics books. And have stat mech and all the stuff, [INAUDIBLE]. And there’s a riot going on.
I look over there. Look over there. There’s a policeman– there’s a cop. He looks at me and he says, you, you’re a student. I say, yeah, but I’m a physics major. I’m not a rioter. Science, physics, you know, quantum mechanics, gauge theory, matrix inversion, stuff like this.
And he says, you’re a student. He reaches behind him, grabs a rifle, aims it at me, goes [INAUDIBLE]. Tear gas canister, size of a Pepsi can, goes poof in front of me. I get a breath of tear gas and I can’t breathe. And this cop is coming after me. [INAUDIBLE] over their head. He’s chasing me across campus. I keep saying, quantum mechanics, Landau, Lifshitz. I’ve got a midterm tomorrow.
And he says, student. And he’s using words that my mother’s never used. And he chases me across campus. I’m running. Why he’s hitting me over the head or doing something like this?
I go running up the steps of Hayes Hall– one of the [INAUDIBLE] buildings that has a bell tower– you see them all over the place. And a clock tower. And run up two flights of stairs, three flights. And I hear this guy clunking along behind me.
There’s the door. There’s a door maybe a meter tall, half a meter wide. I look at the door. The door looks back at me. It opens. I pull the door shut.
I hear this cop banging on the door and cursing me. I look around. I’m in the middle of the bell tower. It’s this bell tower. There were clocks 50 or 100 feet above me.
And I’m saying, this is weird. So I’m looking at them saying, yeah, the answers are real easy. So I’m looking at these– I’m inside this bell tower and I see a bunch of gears, brass gears. And there’s a pendulum going tick tick tick. And these gears are turning. And I’m thinking, it’s a clock. It’s a pendulum clock.
Oh, if I shorten the length of the clock, it’ll tick faster. If I lengthen it, it’ll tick slower. So the period is inversely proportional to the length of the pendulum. And I’m thinking that’s cool, but what am I doing here. Why am I here.
And I start climbing up the stairs. They’re sort of like a circular staircase going up this bell tower. It’s really old and dusty and there’s four dowels coming up from this clock. And they go up to differential gears, where like up there–
I climb up to the point where I’m in the middle of clocks. There’s a clock north. There’s a clock south. There’s one east and there’s one west. I’m looking at them.
I’m saying, OK, there’s these four clocks. But from where I am, the hands are going backwards. I’m in the middle of the clock tower and the hands are going backwards. So I’m thinking, oh, how do you get time to reverse? How do you get time reversals?
It’s thermodynamically hard to do. There’s Michelson time stretching and things like this, but why am I here. What am I doing here. What’s some chocolate milk doing on this– you didn’t see that.
But why am I here? So then I see this ladder. There’s this ladder going up to the very top of the bell tower. And so I climb up. It’s a wooden ladder. Climb up.
I push the hatchway up. I’m now above the clocks. And there’s some bells next to me. I’m in the middle of the bells on top of the bell tower. And these little dome windows that I can look out.
I look across campus. And I see students heaving bricks at the cops. I see police shooting tear gas at students. It’s 10:00 at night.
And I’m saying, this is insane. Why am I here. What am I doing here. And I’m saying, this is just nuts.
And then I remembered what one of my high school English teachers said, namely, when people cast bells, they put an inscription on them. They put an inscription on the bells. And so I said, OK, so I go over to this– I’m over. I’m sorry. I apologize–
And so I go over and I wipe the pigeon manure off one of the bells. And ask myself, what am I doing here? Why am I here? And so at this time, if I can remember it, I’ll tell you the words inscribed on the Hayes Hall tower bells.
Namely, all truth is one. In this light, may science and religion endeavor here for the steady evolution of mankind. From darkness to light. From narrowness to broadmindedness. From prejudice to tolerance. It is the voice of life which calls us to come and learn. Thank you.
Give him a hand, ladies and gentlemen. The incomparable, inimitable, inexhaustible, Cliff Stoll.