''The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage'' is a 1989 book written by Clifford Stoll. It is his first-person account of the hunt for a computer hacker who broke into a computer at Lawrence Berkeley National Laboratory (LBNL). Stoll's use of the term extended the metaphor ''cuckoo's egg'' from brood parasitism in birds to malware.


Summary

Author Clifford Stoll, an astronomer by training, managed computers at Lawrence Berkeley National Laboratory (LBNL) in California. One day in 1986 his supervisor asked him to resolve an accounting error of 75 cents in the computer usage accounts. Stoll traced the error to an unauthorized user who had apparently used nine seconds of computer time and not paid for it. Stoll eventually realized that the unauthorized user was a hacker who had acquired superuser access to the LBNL system by exploiting a vulnerability in the movemail function of the original GNU Emacs.

Early on, and over the course of a long weekend, Stoll rounded up fifty terminals, as well as teleprinters, mostly by "borrowing" them from the desks of co-workers away for the weekend. He physically attached them to the fifty incoming phone lines at LBNL. When the hacker dialed in that weekend, Stoll located the phone line used, which was coming from the Tymnet routing service. With the help of Tymnet, he eventually tracked the intrusion to a call center at MITRE, a defense contractor in McLean, Virginia.

Over the next ten months, Stoll spent enormous amounts of time and effort tracing the hacker's origin. He saw that the hacker was using a 1200 baud connection and realized that the intrusion was coming through a telephone modem connection. Stoll's colleagues, Paul Murray and Lloyd Bellknap, assisted with the phone lines. After returning his "borrowed" terminals, Stoll left a teleprinter attached to the intrusion line in order to see and record everything the hacker did. He watched as the hacker sought — and sometimes gained — unauthorized access to military bases around the United States, looking for files that contained words such as "nuclear" or "SDI" (Strategic Defense Initiative). The hacker also copied password files (in order to make dictionary attacks) and set up Trojan horses to find passwords. Stoll was amazed that on many of these high-security sites the hacker could easily guess passwords, since many system administrators had never bothered to change the passwords from their factory defaults. Even on military bases, the hacker was sometimes able to log in as "guest" with no password. This was one of the first—if not ''the'' first—documented cases of a computer break-in, and Stoll seems to have been the first to keep a daily logbook of the hacker's activities.

Over the course of his investigation, Stoll contacted various agents at the Federal Bureau of Investigation (FBI), the Central Intelligence Agency (CIA), the National Security Agency (NSA), and the United States Air Force Office of Special Investigations (OSI). At the very beginning there was confusion as to jurisdiction and a general reluctance to share information; the FBI in particular was uninterested as no large sum of money was involved and no classified information host was accessed.

Studying his log book, Stoll saw that the hacker was familiar with VAX/VMS, as well as AT&T Unix. He also noted that the hacker tended to be active around the middle of the day, Pacific time. Eventually Stoll hypothesized that, since modem bills are cheaper at night and most people have school or a day job and would only have a lot of free time for hacking at night, the hacker was in a time zone some distance to the east, likely beyond the US East Coast. With the help of Tymnet and agents from various agencies, Stoll found that the intrusion was coming from West Germany via satellite. The West German post office, the ''Deutsche Bundespost'', had authority over the phone system there, and traced the calls to a university in Bremen.

In order to entice the hacker to reveal himself, Stoll set up an elaborate hoax—known today as a honeypot—by inventing a fictitious department at LBNL that had supposedly been newly formed by an "SDI" contract, also fictitious. When he realized the hacker was particularly interested in the faux SDI entity, he filled the "SDInet" account (operated by an imaginary secretary named "Barbara Sherwin") with large files full of impressive-sounding bureaucratese. The ploy worked, and the ''Deutsche Bundespost'' finally located the hacker at his home in Hanover. The hacker's name was Markus Hess, and he had been engaged for some years in selling the results of his hacking to the Soviet Union's civilian intelligence agency, the KGB. There was ancillary proof of this when a Hungarian agent contacted the fictitious SDInet at LBNL by mail, based on information he could only have obtained through Hess. Apparently this was the KGB's method of double-checking to see if Hess was just making up the information he was selling. Stoll later flew to West Germany to testify at the trial of Hess.


References in popular culture

* The book was chronicled in an episode of WGBH's ''NOVA'' entitled "The KGB, the Computer, and Me", which aired on PBS stations on October 3, 1990. Stoll and several of his co-workers participated in re-enactments of the events described. [Ref: Richard Stoll's Personal Webpage on TV adaptations]
* Another documentary, ''Spycatcher'', was made by Yorkshire Television.
* The number sequence mentioned in Chapter 48 has become a popular math puzzle, known as the Cuckoo's Egg, the Morris Number Sequence, or the look-and-say sequence.
* In the summer of 2000 the name "Cuckoo's Egg" was used to describe a file sharing hack attempt that substituted white noise or sound effects files for legitimate song files on Napster and other networks.
* These events are referenced in Cory Doctorow's speculative fiction short story "The Things that Make Me Weak and Strange Get Engineered Away", as "(a) sysadmin who'd tracked a $0.75 billing anomaly back to a foreign spy-ring that was using his systems to hack his military." [Ref: "The Things that Make Me Weak and Strange Get Engineered Away", Tor.com, edited 2015-06-24]
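The look-and-say (Morris / "Cuckoo's Egg") sequence named in the list above, as an added Python example that is not from the book or this page: each term is produced by reading the runs of identical digits in the previous term aloud, and the function names here are my own.

```python
"""Generator for the look-and-say sequence: 1, 11, 21, 1211, 111221, ..."""
from itertools import groupby


def look_and_say_next(term: str) -> str:
    """Read `term` aloud: every run of equal digits becomes '<run length><digit>'.

    Example: '1211' is "one 1, one 2, two 1s", so the next term is '111221'.
    groupby() yields each maximal run of identical characters in order.
    """
    return "".join(f"{len(list(run))}{digit}" for digit, run in groupby(term))


def look_and_say(seed: str = "1", count: int = 10) -> list[str]:
    """Return the first `count` terms of the sequence starting from `seed`."""
    if not seed.isdigit():
        raise ValueError("seed must be a non-empty string of decimal digits")
    if count < 1:
        raise ValueError("count must be at least 1")
    terms = [seed]
    while len(terms) < count:
        terms.append(look_and_say_next(terms[-1]))
    return terms


def max_digit(terms: list[str]) -> int:
    """Largest digit appearing in any term (from seed '1' it never exceeds 3)."""
    return max(int(ch) for term in terms for ch in term)


if __name__ == "__main__":
    for index, term in enumerate(look_and_say("1", 10), start=1):
        print(f"{index:2d}: {term}")
```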


See also

* ''23''—a film made from the hackers' viewpoint
* Digital footprint
* Karl Koch (hacker)


External links


Image of 1st Edition Cover—Doubleday

"Stalking the Wily Hacker" - the author's original article about the trap

''Booknotes'' interview with Stoll on ''The Cuckoo's Egg'', December 3, 1989

Reference to the book on Internet Storm Center

West German hackers use Columbia's Kermit software to break into dozens of US military computers and capture information for the KGB (Columbia University Computing History, 1986-1987 section)