Cliff Stoll tells all. (author Clifford Stoll) (Column) (Interview)
by Darren P. Mckeeman
Henry Stricland and I met Clifford Stoll, author of the best-selling book The Cuckoo's Egg, at the restaurant where he had survived the 1990 San Francisco earthquake.
COMPUTE: How was it, dealing with the FBI and the CIA?
Stoll: It destroyed all my conspiracy theories. Because people know very little more than they tell. The same is true about the CIA and the FBI. They're as lost and confused as anyone else. . . . They know a few . . . interesting secrets, but not much. My . . . paranoia quotient went down a whole lot. That's too bad. I like my paranoias. (Smiles) But just because you're not paranoid doesn't mean no one's looking at you.
C: Did you see anything funny in your trying to warm the CIA about a hacker breaking into its computer?
Stoll: Oh, the CIA took it very seriously. Unlike say, the FBI or the NSA, they reacted immediately. Other organizations took the attitudes of "Oh. You've got a problem. Don't call us. You've got a problem." A couple of people at the CIA really knew their stuff. Other organizations, they just didn't want another problem. Our funding agency, the Department of Energy, said, "You know how to lock the door. The chances of catching this person are slim to zero. So far, nobody knows about this but you. If Congress hears about this, it will investigate . . . ."
C: That was the attitude?
Stoll: Oh, absolutely. . . . Let me rebuild what happened. I noticed a 75-cent accounting error in my system. So I . . . look at the accounting system, and lo! The program's working right. I go and look at my files and say, "Oh, jeez. Here's somebody breaking into my computer." My background is in physics, astronomy, and science. My reaction is "I don't understand this. Let me do research." Another organization, the Department of Energy, lives in a very different world. It's a world of congressional funding. . . . If there's a problem at Lawrence Berkeley labs with someone breaking into a computer, . . . conceivably Congress could be unhappy, so the DOE wants this to go away. A mind-set of "minimize embarrasing things." The same kind of minds you will find in large business organizations. Embezzlement is something you'll hear about outside of banking, but you won't hear prominent bankers talk about it because they don't want people to know it's possible. Contrast this with the CIA. I called them up; I had a printout of this hacker getting names from the CIA's computer. I don't have any truck with the CIA. They're not my friends. I live in Berkeley is as far left in the country as you're gonna get. On the other hand, I have an ethical duty to my neighbor [who] happens to be the CIA.
C: Were the organizations as interesting as the hackers?
Stoll:> The answer to that is no in two directions. I wasn't interested in the hackers. To come across people who believe that it's their right or responsibility to break into computers doesn't interesrt me at all. I'm a physicist. I do science. It struck me as more interesting technically--[I began wondering,] what's happening? . . . What's the connectivity here? . . . What's permitting this? Here is a field of study no one has worked on before: how do insecure networks, through holes in security, allow exploitation of databases in a way that nobody's ever talked about before? Was it fun? Was it enjoyable? Those aren't operators for me. [But] I started asking questions. . . . "Why is somebody breaking into a military computer, stealing information, [and] . . . copying it across networks into some machine in Europe? Why is it that this person is obsessed with things like Strategic Defense Initiative [and] . . . North American Air Defense?" Immediately, it comes up in my mind, "Oh. We're looking at a spy." Then a whole new set of implications comes up. As [an objective] scientist, I just observe. [But] now, I ask myself, what are my responsibilities? What do I care about? Do I seek only to protect my system? Do I care only about my job? In that case, I'll shut the guy off. That's what the funding agency says. If it's only my computer and users, I'll send the guy a nasty piece of E-mail and shut him out because I know he won't get in anymore. If it's my neighbors, I'll tell them about it. No . . . you have a responsibility to a neighborhood, a community. When I found out that it was likely that I was following a spy [and] it was likely that he was working against the society that I believe in, [then I was] no longer doing science, and I was no longer out there studying things. If I'm studying the planet Mars and the craters on the moon Phobos, I can say, "Hey, wow, I'm doing really neat science." But if I find that [Phobos is] going to crash into North Dakota, then I have a responsibility beyond writing a paper on it.