The Cuckoo's Egg (book)
The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage is a 1989 book written by Clifford Stoll. It is his first-person account of the hunt for a computer cracker who broke into a computer at the Lawrence Berkeley National Laboratory (LBL).

Summary

Clifford Stoll (the author) managed some computers at Lawrence Berkeley National Laboratory in California. One day, in August 1986, his supervisor (Dave Cleveland) asked him to resolve a US$0.75 accounting error in the computer usage accounts. He traced the error to an unauthorized user who had apparently used up 9 seconds of computer time and not paid for it, and eventually realized that the unauthorized user was a cracker who had acquired root access to the LBL system by exploiting a vulnerability in the movemail function of the original GNU Emacs.

Over the next ten months, Stoll spent a great deal of time and effort tracing the hacker's origin. He saw that the hacker was using a 1200 baud connection and realized that the intrusion was coming through a telephone modem connection. Stoll's colleagues, Paul Murray and Lloyd Bellknap, helped with the phone lines. Over the course of a long weekend he rounded up fifty terminals and teleprinters, mostly by "borrowing" them from the desks of co-workers away for the weekend, and physically attached them to the fifty incoming phone lines. When the hacker dialed in that weekend, Stoll located the phone line, which was coming from the Tymnet routing service. With the help of Tymnet, he eventually tracked the intrusion to a call center at MITRE, a defense contractor in McLean, Virginia.

Stoll, after returning his "borrowed" terminals, left a teleprinter attached to the intrusion line in order to see and record everything the cracker did. Stoll recorded the hacker's actions as he sought, and sometimes gained, unauthorized access to military bases around the United States, looking for files that contained words such as "nuclear" or "SDI". The hacker also copied password files (in order to make dictionary attacks) and set up Trojan horses to find passwords. Stoll was amazed that on many of these high-security sites the hacker could easily guess passwords, since many system administrators never bothered to change the passwords from their factory defaults. Even on army bases, the hacker was sometimes able to log in as "guest" with no password.

Over the course of this investigation, Stoll contacted various agents at the FBI, CIA, NSA, and Air Force OSI. Since this was almost the first documented case of hacking (Stoll seems to have been the first to keep a daily log book of the hacker's activity), there was some confusion as to jurisdiction and a general reluctance to share information.

Studying his log book, Stoll saw that the hacker was familiar with VMS, as well as AT&T Unix. He also noted that the hacker tended to be active around the middle of the day, Pacific time. Stoll hypothesized that, since modem bills are cheaper at night and most people have school or a day job and would only have a lot of free time for hacking at night, the hacker was in a time zone some distance to the east.
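The time-zone reasoning in the paragraph above, turned into a small scoring procedure as an added example (this is not code from the book or from the article): session start times recorded in the defender's local zone are converted to UTC, bucketed by hour of day, and each candidate UTC offset is scored by how much of the activity would fall in after-work hours there. The session timestamps, the logging-zone offset, and the "leisure hour" weighting are all constructed assumptions of the example; it generalises Stoll's single observation to ranking every offset from UTC-12 to UTC+14.

```python
"""Rank candidate attacker time zones from session start times (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log: session start times as they would have been noted
# from the monitoring teleprinter, in the defender's local zone (Pacific
# Standard Time, UTC-8). Invented values for illustration, not data from the book.
LOG_OFFSET_HOURS = -8
SESSION_STARTS = [
    "1986-09-02 10:05", "1986-09-02 11:40", "1986-09-03 12:15",
    "1986-09-03 13:30", "1986-09-04 11:10", "1986-09-04 12:50",
    "1986-09-05 14:20", "1986-09-06 10:45", "1986-09-06 12:05",
    "1986-09-07 13:55",
]


def leisure_weight(hour):
    """How plausible it is that someone with a day job or school is at a
    keyboard at this local hour. Evening gets full weight, the fringes (just
    after work, just after midnight) half weight, office hours zero.
    This weighting is an assumption of the example, not from the text."""
    if 19 <= hour <= 23:
        return 1.0
    if hour == 18 or hour in (0, 1):
        return 0.5
    return 0.0


def hour_histogram(starts, log_offset_hours):
    """Count session starts per hour of day after converting to UTC."""
    log_tz = timezone(timedelta(hours=log_offset_hours))
    counts = Counter()
    for s in starts:
        local = datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=log_tz)
        counts[local.astimezone(timezone.utc).hour] += 1
    return counts


def leisure_score(utc_hist, candidate_offset_hours):
    """Weighted fraction of activity that lands in leisure hours if the
    attacker lives at the candidate UTC offset."""
    total = sum(utc_hist.values())
    weighted = sum(n * leisure_weight((h + candidate_offset_hours) % 24)
                   for h, n in utc_hist.items())
    return weighted / total


def rank_offsets(starts, log_offset_hours, candidates=range(-12, 15)):
    """Return (utc_offset, score) pairs, best fit first; ties prefer the
    offset closest to the logging zone."""
    hist = hour_histogram(starts, log_offset_hours)
    scored = [(off, leisure_score(hist, off)) for off in candidates]
    return sorted(scored, key=lambda kv: (-kv[1], abs(kv[0] - log_offset_hours)))


def best_offset(starts, log_offset_hours):
    """The single highest-scoring UTC offset."""
    return rank_offsets(starts, log_offset_hours)[0][0]


if __name__ == "__main__":
    for off, score in rank_offsets(SESSION_STARTS, LOG_OFFSET_HOURS)[:5]:
        print(f"UTC{off:+d}: {score:.2f}")
```

With the constructed sample (midday sessions in Pacific time) the best fit is UTC+1, nine hours east of the logging zone, and the local zone scores zero. In practice the output is a band of neighbouring offsets rather than one country, which is exactly the "some distance to the east" conclusion the paragraph describes; it narrows the search but does not locate anyone on its own.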

With the help of Tymnet and various agents from various agencies, Stoll eventually found that the intrusion was coming from West Germany via satellite. The Deutsche Bundespost, the German post office, also had authority over the phone system, and they traced the calls to a university in Bremen. In order to entice the hacker to reveal himself, Stoll set up an elaborate hoax (known today as a honeypot), inventing a new department at LBL that had supposedly been newly formed because of an imaginary SDI contract. He knew the hacker was mainly interested in SDI, so he filled the "SDInet" account (operated by the imaginary secretary Barbara Sherwin) with large files full of impressive-sounding bureaucratese. The ploy worked, and the Deutsche Bundespost finally located the hacker at his home in Hanover. The hacker's name was Markus Hess, and he had been engaged for some years in selling the results of his hacking to the Soviet KGB. There was ancillary proof of this when a Hungarian spy contacted the fictitious SDInet at LBL by mail, based on information he could only have obtained through Hess (apparently this was the KGB's method of double-checking to see if Hess was just making up the information he was selling them).

Stoll later had to fly to Germany to testify at the trial of Hess and a confederate.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.