Attached the rubric and book pdf below
Intrusion Detection and Incident Response Cuckoo’s Egg Analysis GOAL: Read Cliff Stoll’s book, Cuckoo’s Egg (any edition), and write a 7 to 10 page paper on the intrusion detection and incident response techniques used in the book. Identify proper techniques (what will you use as your reference or base framework?) used and those that did not work. This is not a book report—I know the story—it is an analysis. GRADING: This project is worth 100 points. The grade will come from your paper only. Papers that clearly describe the techniques and provide an analysis of how the techniques led to the capture of the hacker will be graded higher. Papers that are well formatted, properly referenced, and cohesive will score higher. Writing a book report with little to no analysis will score much lower. COLLABORATION POLICY: No collaboration allowed—individual effort only. The work on the paper will be an individual effort only. TURN-IN REQUIREMENT: Papers will be 7 to 10 single spaced pages in length, font Times New Roman or Calibri, size 12. The title page should clearly state the title of your paper will include your name. The title page does not count as one of the pages for the report. The bibliography will not count as one of the pages required for turn in. All references will be properly cited—you should have more than one. I recommend using inline references in your paper. More references integrated into your paper tells me you did better research and analysis. Submit your paper on Blackboard in PDF format with the file naming convention lastname_abc123_3523_ Cuckoo_Analysis. LATE SUBMISSIONS: There will be a 25% penalty for each day that the paper is late without prior coordination with me. This means that the best you can do is 75% of the total points possible if you are one day late, 50% if two, and so forth. Intrusion Detection and Incident Response Cuckoo’s Egg Analysis file://D:\temp\cuckoo\STOLL,%20Cliff%20-%20The%20Cuckoo's%20Egg THE CUCKOO'S EGG by Cliff Stoll Page 1 of 254THE CUCKOO'S EGG Acknowledgments HOW DO YOU SPREAD THE WORD WHEN A COMPUTER HAS A SECURITY HOLE? SOME SAY nothing, fearing that telling people how to mix explosives will encourage them to make bombs. In this book I've explicitly described some of these security problems, realizing that people in black hats are already aware of them. I've tried to reconstruct this incident as I experienced it. My main sources are my logbooks and diaries, cross-checked by contacting others involved in this affair and comparing reports from others. A few people appear under aliases, several phone numbers are changed, and some conversations have been recounted from memory, but there's no fictionalizing. For supporting me throughout the investigation and writing, thanks to my friends, colleagues, and family. Regina Wiggen has been my editorial mainstay; thanks also to Jochen Sperber, Jon Rochlis, Dean Chacon, Winona Smith, Stephan Stoll, Dan Sack, Donald Alvarez, Laurie McPherson, Rich Muller, Gene Spafford, Andy Goldstein, and Guy Consolmagno. Thanks also to Bill Stott, for Write to the Point, a book that changed my way of writing. I posted a notice to several computer networks, asking for title suggestions. Several hundred people from around the world replied with zany ideas. My thanks to Karen Anderson in San Francisco and Nigel Roberts in Munich for the title and subtitle. Doubleday's editors, David Gernert and Scott Ferguson, have helped me throughout. It's been fun to work with the kind people at Pocket Books, including Bill Grose, Dudley Frasier, and Gertie the Kangaroo, who's pictured on the cover of this book. To them, as well as my agent, John Brockman, thanks for your continued encouragement and wise advice. To each of these people, I'm indebted; I owe most of them boxes of cookies as well. Lawrence Berkeley Laboratory supported me throughout this quest; the people of Smithsonian Astrophysical Observatory—especially Joe Schwarz and Steve Murray— have been most gracious and supportive while I've been writing this book. My deep thanks go to my friends at both institutes, and my hopes that I'll now be able to return to astronomy. I was ten years old when Ernst Both of the Buffalo Museum of Science invited me to look through a telescope, opening up a universe of astronomy. I wonder if I'll ever be able to thank him properly. I needn't thank my sweetheart and wife, Martha Matthews. She's been as much a part of writing this book as she was in the story. —Cliff Stoll Electronic mail addresses: Internet: cliff@cfa.harvard.edu CompuServe: 71660,3013 Genie: Cliff-Stoll AOL: cliffstoll Page 2 of 254THE CUCKOO'S EGG Page 3 of 254THE CUCKOO'S EGG 1 ME, A WIZARD? UNTIL A WEEK AGO, I WAS AN ASTRONOMER, CONTENTEDLY DESIGNING telescope optics. Looking back on it, I'd lived in an academic dreamland. All these years, never planning for the future, right up to the day my grant money ran out. Lucky for me that my laboratory recycled used astronomers. Instead of standing in the unemployment line, I found myself transferred from the Keck Observatory at the Lawrence Berkeley Lab, down to the computer center in the basement of the same building. Well, hell, I could fake enough computing to impress astronomers, and maybe pick it up fast enough that my co-workers wouldn't catch on. Still, a computer wizard? Not me—I'm an astronomer. Now what? As I apathetically stared at my computer terminal, I still thought of planetary orbits and astrophysics. As new kid on the block, I had my choice of a cubicle with a window facing the Golden Gate Bridge, or an unventilated office with a wall of bookshelves. Swallowing my claustrophobia, I picked the office, hoping that nobody would notice when I slept under the desk. On either side were offices of two systems people, Wayne Graves and Dave Cleveland, the old hands of the system. I soon got to know my neighbors through their bickering. Viewing everyone as incompetent or lazy, Wayne was crossthreaded with the rest of the staff. Yet he knew the system thoroughly, from the disk driver software up to the microwave antennas. Wayne was weaned on Digital Equipment Corporation's Vax computers and would tolerate nothing less: not IBM, not Unix, not Macintoshes. Dave Cleveland, our serene Unix buddha, patiently listened to Wayne's running stream of computer comparisons. A rare meeting didn't have Wayne's pitch, "Vaxes are the choice of scientists everywhere and help build strong programs twelve ways." Dave retorted, "Look, you keep your Vax addicts happy and I'll handle the rest of the world." Dave never gave him the satisfaction of getting riled, and Wayne's complaints eventually trailed off to a mutter. Great. First day on the job, sandwiched between two characters who were already ruining my daydreams with their periodic disputes. At least nobody could complain about my appearance. I wore the standard Berkeley corporate uniform: grubby shirt, faded jeans, long hair, and cheap sneakers. Managers occasionally wore ties, but productivity went down on the days they did. Together, Wayne, Dave, and I were to run the computers as a lab-wide utility. We managed a dozen mainframe computers—giant workhorses for solving physics problems, together worth around six million dollars. The scientists using the computers were supposed to see a simple, powerful computing system, as reliable as the electric company. This meant keeping the machines running full time, around the clock. And just like the electric company, we charged for every cycle of computing that was used. Of four thousand laboratory employees, perhaps a quarter used the main computers. Each of these one thousand accounts was tallied daily, and ledgers kept inside the computer. With an hour of computing costing three hundred dollars, our bookkeeping had to be accurate, so we kept track of every page printed, every block Page 4 of 254THE CUCKOO'S EGG of disk space, and every minute of processor time. A separate computer gathered these statistics and sent monthly bills to laboratory departments. And so it happened that on my second day at work, Dave wandered into my office, mumbling about a hiccup in the Unix accounting system. Someone must have used a few seconds of computing time without paying for it. The computer's books didn't quite balance; last month's bills of $2,387 showed a 75-cent shortfall. Now, an error of a few thousand dollars is obvious and isn't hard to find. But errors in the pennies column arise from deeply buried problems, so finding these bugs is a natural test for a budding software wizard. Dave said that I ought to think about it. "First-degree robbery, huh?" I responded. "Figure it out, Cliff, and you'll amaze everyone," Dave said.Well, this seemed like a fun toy, so I dug into the accounting program. I discovered our accounting software to be a patchwork of programs written by long-departed summer students. Somehow, the hodgepodge worked well enough to be ignored. Looking at the mixture of programs, I found the software in Assembler, Fortran, and Cobol, the most ancient of computer languages. Might as well have been classical Greek, Latin, and Sanskrit. As with most home-brew software, nobody had bothered to document our accounting system. Only a fool would poke around such a labyrinth without a map. Still, here was a plaything for the afternoon and a chance to explore the system. Dave showed me how the system recorded each time someone connected to the computer, logging the user's name, and terminal. It timestamped each connection, recording which tasks the user executed, how many seconds of processor time he used, and when he disconnected. Dave explained that we had two independent accounting systems. The ordinary Unix accounting software just stored the timestamped records into a file. But to satisfy some bureaucrat, Dave had built a second accounting system which kept more detailed records of who was using the computer. Over the years, a succession of bored summer students had written programs to analyze all this accounting information. One program collected the data and stashed it into a file. A second program read that file and figured how much to charge for that session. Yet a third program collected all these charges and printed out bills to be mailed to each department. The last program added up all user charges and compared that total to the result from the computer's internal accounting program. Two accounting files, kept in parallel by different programs, ought to give the same answer. For a year, these programs had run without a glitch, but weren't quite perfect this week. The obvious suspect was round-off error. Probably each accounting entry was correct, but when added together, tenths of a penny differences built up until an error of 75 cents accumulated. I ought to be able to prove this either by analyzing how the programs worked, or by testing them with different data. Rather than trying to understand the code for each program, I wrote a short program to verify the data files. In a few minutes, I had checked the first program: indeed, it properly collected the accounting data. No problem with the first. The second program took me longer to figure out. In an hour I had slapped together enough makeshift code to prove that it actually worked. It just added up time intervals, then multiplied by how much we charge for computer time. So the 75- Page 5 of 254THE CUCKOO'S EGG cent error didn't come from this program. And the third program worked perfectly. It looked at a list of authorized users, found their laboratory accounts, and then printed out a bill. Round-off error? No, all of the programs kept track of money down to the hundredths of a penny. Strange. Where's this 75-cent error coming from? Well, I'd invested a couple hours in trying to understand a trivial problem. I got stubborn: dammit, I'd stay there till midnight, if I had to. Several test programs later, I began actually to have confidence in the mishmash of locally built accounting programs. No question that the accounts didn't balance, but the programs, though not bulletproof, weren't dropping pennies. By now, I'd found the lists of authorized users, and figured out how the programs used the data