Wednesday, November 30, 2016

The wayback machine

Computers are fuckin' wild, friends. The changes in computing from thirty years ago to now are mind-boggling. It makes the 60-year jump from flight to lunar landing seem glacially slow.

The Cuckoo's Egg is a book that makes you first marvel at how different computing was when the book was written and then gasp at the vast gulf between the attitudes of then and now. In 1989 Stoll was the kind of optimist that it seemed was needed to promote the growth and understanding of networked systems, but in 2016 he looks like a hopeless idealist. We're on an internet that is, essentially, Stoll's version of computer hell. There's no transparency, everything is password protected and a lot of communication is encrypted - whole security systems are set up to verify the authenticity of requests from jump to jump and server to server. Stoll operated in a world where anyone with a phone line could enter almost any server because very few servers had any means of preventing them from doing so.

I (kind of) work in IT and I (actually) spend a lot of time dealing with, discussing, and researching information security (InfoSec - which is a polite way of saying "hacking" and hack prevention). As a result of my time spent on IT and InfoSec Stoll's ancient systems are fascinating in how they are constructed on a basis of trust that has *never* existed in my adult lifetime. But it's also really interesting that, in spite of how untrusting we've become, we're still dealing with a lot of the same problems Stoll describe. People are still bad at changing default passwords, applying patches, and managing individual accounts. We're still infinitely socially engineerable and it's usually pretty easy to guess most people's account names and passwords based on the information available on their public facebook pages (or at least it's easy to re-set their accounts so that you can change their passwords).

But one thing that did suffer tremendously in the wake of the attacks described in The Cuckoo's Egg has been the slow, aching death of open-source software. It's not 100% gone and probably never will be - everyone has experienced open-source in the form of Wikipedia - but open-source operating systems make up a much smaller part of the landscape than they did in 1989.

The EMACS word processing program was an oft-unpatched open-source program that had a vulnerability and left a backdoor into systems it was installed on. Using an accidental opening like this to access a system is called an exploit and exploits are what has led to the languishing of open-source products. If anyone can add to the code of a program than anyone can drop in a backdoor or a virus; large software companies don't typically do this intentionally and attempt to prevent it from accidentally happening because they have a reputation to worry about. We can actually see this playing out in the world right now with attitudes toward Adobe Flash and debates about OSX and Windows; Flash is being phased out because it's too open to attack, OSX has gotten major criticism for concealing SSH vulnerabilities, and Microsoft is facing a lot of suspicion because it sometimes seems like Windows 10 was specifically made to be difficult to protect. When an exploitable vulnerability from a major publisher becomes known they rush to fill the hole to keep their customer base. When a vulnerability becomes clear in open source software users often question if the cure is going to be worse than the disease.

Most people who use open-source operating systems and programs these days are somewhat more savvy than people who are comfortable using a computer straight out of the box - I think this is because there's a sense of inevitability. Open-source users know that their configuration is a fleeting thing that's going to be lost to upgrades and reinstalls in three months to keep up with technology and security from known vulnerabilities. It's more overhead than casual users are comfortable worrying about.

But back to Stoll - his story is the reason that this is true. The Cuckoo's Egg tells the story of the first really well documented (and publicly known) ongoing hack. Now we hear about this kind of thing every other month, but Stoll had front-row seats to watch the way that humans were going to define the way that other humans interacted with networks. And it turns out that humans were going to have to be more isolated and circumspect than the idealistic Stoll had hoped.

The book is a good read from a historical perspective, and it's a genuinely interesting story, but it won't tell you a hell of a lot about the way technology works today. It brings up some good questions that we have yet to supply good answers for (most notably: how do you handle discovering an exploit - do you reveal it and risk copycats or keep it secret and hope more malicious actors don't stumble on it) and he makes a strong case for education and transparency.

There are some pretty awkward moments, though, as a result of when it was written. At one point Stoll, a Berkeley liberal in the late 80s, mimics a Chinese accent in a way that is painful to read. There's a mild undercurrent of benevolent sexism. It's not comfortable, but it does explain a lot about how and why internet culture came to be what it is (mainly that it basically got started by English-speaking white dudes who had no idea they were excluding women or people of color, and would have been offended if you suggested that they were doing so - surprise! everything is very much the same).

I liked The Cuckoo's Egg, I'll be hanging onto it and probably re-reading it a few times in the future. It's a great case study, if nothing else, and is written in an engaging and understandable way.

     - Alli

Stoll, Clifford. The Cuckoo's Egg. Doubleday Publishing. New York: New York. 1989.

No comments:

Post a Comment