The Cuckoo's Egg (book)

The Cuckoo's Egg
Author: Clifford Stoll
Country: United States
Language: English
Publisher: Doubleday
Publication date: 1989
Media type: Print
Pages: 326
ISBN: 0-385-24946-2
OCLC: 43977527
Dewey Decimal: 364.16/8/0973 21
LC Class: UB271.R92 H477 2000

The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage is a 1989 book by Clifford Stoll. It is his first-person account of the hunt for an intruder who broke into computers at Lawrence Berkeley National Laboratory (LBNL) and used them as a stepping stone into military and government systems.

Stoll's title extended the cuckoo's egg metaphor, taken from brood parasitism in birds, to malicious code planted in a host system and nurtured by it unawares.

Summary

Author Clifford Stoll, an astronomer by training, managed computers at Lawrence Berkeley National Laboratory (LBNL) in California. One day in 1986 his supervisor asked him to resolve a 75-cent discrepancy in the computer usage accounts. Stoll traced the discrepancy to an unauthorized user who had consumed nine seconds of computer time that no account had paid for. Stoll eventually realized that the unauthorized user was a hacker who had obtained superuser access to the LBNL system by exploiting a vulnerability in the movemail utility shipped with the original GNU Emacs: movemail was installed set-uid root and could be made to copy a file to any location, which let the intruder place a file of his own where the system would run it with root privileges.
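The investigation began with a reconciliation: the system's login accounting recorded more CPU time than the billing ledger had charged for. The following is an added example of that check, written for this page and not taken from the book or from any LBNL software. The session records, the ledger, the account name "newuser" and the per-second rate are constructed; only the nine seconds and the 75 cents come from the book.

```python
"""Reconcile login accounting against the billing ledger to surface usage
nobody is paying for, the kind of discrepancy that started Stoll's hunt.

Added example, not code from the book or from LBNL. Records, ledger and
rate are constructed/assumed for illustration.
"""
from collections import defaultdict

# Constructed login-accounting records: (user, login time, CPU seconds used)
SESSIONS = [
    ("alice",   "1986-08-01 09:12", 140),
    ("bob",     "1986-08-01 10:05", 60),
    ("newuser", "1986-08-01 23:41", 9),    # constructed: no entry in the billing ledger
    ("alice",   "1986-08-02 08:30", 25),
]

# Constructed billing ledger: CPU seconds actually charged this period, per user
BILLED = {"alice": 165, "bob": 60}

# Assumed rate chosen so that nine seconds cost 75 cents (about $300 per CPU-hour)
RATE_PER_CPU_SECOND = 0.75 / 9


def usage_by_user(sessions):
    """Sum recorded CPU seconds per user from the accounting records."""
    used = defaultdict(int)
    for user, _start, cpu_seconds in sessions:
        used[user] += cpu_seconds
    return dict(used)


def reconcile(sessions, billed, rate):
    """Compare recorded usage with what was billed.

    Returns a tuple of:
      - {user: unbilled CPU seconds} for every user whose usage and billing differ,
      - the unaccounted-for amount in dollars,
      - the sorted list of users who appear in the accounting but not in the ledger.
    """
    used = usage_by_user(sessions)
    unbilled = {}
    for user, seconds in used.items():
        gap = seconds - billed.get(user, 0)
        if gap != 0:
            unbilled[user] = gap
    unknown_accounts = sorted(user for user in used if user not in billed)
    dollars = round(sum(unbilled.values()) * rate, 2)
    return unbilled, dollars, unknown_accounts


if __name__ == "__main__":
    gaps, amount, unknown = reconcile(SESSIONS, BILLED, RATE_PER_CPU_SECOND)
    print("unbilled seconds per user:", gaps)
    print("unaccounted dollars:", amount)
    print("users with no billing account:", unknown)
```

The point of the example is that the dollar amount is irrelevant; any user present in the system's own records but absent from the ledger is an account the administrators did not create, and that is the finding worth chasing.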

Early on, over the course of a long weekend, Stoll rounded up fifty terminals and teleprinters, mostly by "borrowing" them from the desks of co-workers who were away for the weekend, and physically attached them to the fifty incoming phone lines at LBNL. When the hacker dialed in that weekend, Stoll identified the line in use, which was coming in from the Tymnet packet-switching network. With Tymnet's help he eventually tracked the connection back to a dial-up pool at MITRE, a defense contractor in McLean, Virginia. He saw that the hacker was using a 1200 baud connection and realized the intrusion was coming through a telephone modem rather than a direct network link. Over the next ten months, Stoll spent enormous amounts of time and effort tracing the hacker's origin. Stoll's colleagues Paul Murray and Lloyd Bellknap assisted with the phone lines.

After returning his "borrowed" terminals, Stoll left a teleprinter attached to the intrusion line in order to see and record everything the hacker did. He watched as the hacker sought, and sometimes gained, unauthorized access to military bases around the United States, looking for files that contained words such as "nuclear" or "SDI" (Strategic Defense Initiative). The hacker also copied password files, to run dictionary attacks against them offline, and planted Trojan horses to harvest passwords as users logged in. Stoll was amazed that on many of these supposedly high-security sites the hacker could simply guess passwords, because many system administrators had never changed the vendor's default passwords. Even on military bases, the hacker was sometimes able to log in as "guest" with no password at all.
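The three weaknesses the hacker exploited at those sites, passwordless guest accounts, vendor defaults left in place, and password files that could be attacked with a wordlist offline, are exactly what a password-file audit looks for. The following is an added example written for this page, not code from the book. The file format (user:salt:hash lines), the salted SHA-256 scheme, the account names and the wordlist are all assumed or constructed for illustration; 1980s Unix used DES-based crypt(3) and VMS its own scheme, and the audit logic is the same.

```python
"""Audit a password file for empty passwords and dictionary-guessable ones.

Added example, not code from the book. The file format and hash scheme are
assumed (salted SHA-256 in user:salt:hash lines); every entry and the
wordlist are constructed for illustration.
"""
import hashlib


def hash_password(password, salt):
    """Assumed toy scheme: SHA-256 over salt || password.

    The per-user salt is what forces a dictionary attacker to re-hash every
    guess for every account instead of reusing one precomputed table."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_sample_file():
    """Construct the kind of entries an intruder might copy off a 1980s site:
    a passwordless guest login, vendor-default accounts, and one good one."""
    return [
        "guest::",                                         # empty hash: login with no password
        "system:q7:" + hash_password("manager", "q7"),     # vendor default never changed
        "field:z2:" + hash_password("service", "z2"),      # another default account
        "alice:m4:" + hash_password("correct horse battery staple", "m4"),
    ]


# Constructed wordlist of vendor defaults and common choices of the period
WORDLIST = ["manager", "service", "uetp", "password", "guest", "system", "welcome"]


def audit(lines, wordlist):
    """Run the checks over the file.

    Returns {user: (finding, password)} for every weak account, where finding
    is "no password" or "guessed". Accounts that survive are not reported."""
    findings = {}
    for line in lines:
        user, salt, digest = line.rstrip("\n").split(":", 2)
        if digest == "":
            findings[user] = ("no password", "")
            continue
        # The dictionary attack: the username itself first, then the wordlist.
        for guess in [user] + list(wordlist):
            if hash_password(guess, salt) == digest:
                findings[user] = ("guessed", guess)
                break
    return findings


if __name__ == "__main__":
    for user, (finding, password) in audit(build_sample_file(), WORDLIST).items():
        print(f"{user}: {finding} {password}".rstrip())
```

Run against the constructed file, the audit flags guest (no password), system and field (defaults guessed) and leaves alice alone. The same loop is what the hacker ran against the password files he copied, which is why a defender should run it first.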

This was one of the earliest well-documented cases of a computer intrusion being traced back to its source, and Stoll seems to have been the first to keep a daily logbook of the hacker's activities. Over the course of his investigation, Stoll contacted various agents at the Federal Bureau of Investigation (FBI), the Central Intelligence Agency (CIA), the National Security Agency (NSA) and the United States Air Force Office of Special Investigations (OSI). At the very beginning there was confusion as to jurisdiction and a general reluctance to share information; the FBI in particular was uninterested because no large sum of money was involved and no host holding classified information had been accessed.

Studying his logbook, Stoll saw that the hacker was familiar with VAX/VMS as well as AT&T Unix. He also noted that the hacker tended to be active around the middle of the day, Pacific time. Since long-distance and modem charges are cheaper at night, and most people have school or a day job and would only have long stretches of free time for hacking in the evening, Stoll hypothesized that the hacker was in a time zone far to the east, where midday in California is already evening: likely beyond the US East Coast.
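Stoll's inference from session times is a routine profiling step today: convert the session start times to UTC, then ask which offsets would put them in an assumed local activity window. The following is an added example written for this page, not from the book. The session timestamps are constructed, the log time zone is assumed to be Pacific Daylight Time, and the "evening hacker" window of 18:00 to 02:00 local is an explicit assumption passed as a parameter.

```python
"""Infer an intruder's plausible time zone from when their sessions start.

Added example, not from the book or any LBNL tool. Session times are
constructed; the evening activity window is an assumption exposed as a
parameter so it can be changed.
"""
from datetime import datetime, timedelta, timezone

# Assumed: the printer log was stamped in Pacific Daylight Time (UTC-7)
PACIFIC_DAYLIGHT = timezone(timedelta(hours=-7))

# Constructed session start times, as logged locally: all around midday Pacific
SESSION_STARTS = [
    "1986-08-04 11:05",
    "1986-08-04 12:40",
    "1986-08-05 11:25",
    "1986-08-06 13:10",
    "1986-08-06 11:50",
    "1986-08-07 12:20",
]


def utc_hours(stamps, log_tz):
    """Parse local timestamps and return each session's start hour in UTC."""
    hours = []
    for stamp in stamps:
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=log_tz)
        hours.append(local.astimezone(timezone.utc).hour)
    return hours


def in_window(hour, start, end):
    """True if hour lies in [start, end); the window may cross midnight."""
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def offset_fit(hours_utc, window=(18, 2)):
    """Score every whole-hour UTC offset by how many sessions would fall
    inside the assumed local activity window. Returns {offset: count}."""
    start, end = window
    return {
        offset: sum(in_window((h + offset) % 24, start, end) for h in hours_utc)
        for offset in range(-12, 15)
    }


def best_offsets(hours_utc, window=(18, 2)):
    """The UTC offsets that explain the most sessions under the window assumption."""
    fit = offset_fit(hours_utc, window)
    top = max(fit.values())
    return sorted(offset for offset, count in fit.items() if count == top)


if __name__ == "__main__":
    hours = utc_hours(SESSION_STARTS, PACIFIC_DAYLIGHT)
    print("session start hours (UTC):", hours)
    print("offsets consistent with evening activity:", best_offsets(hours))
```

With the constructed times, sessions around 11:00 to 13:00 Pacific land at 18:00 to 20:00 UTC, and the offsets that make every session an evening one run from UTC+0 to UTC+5. Pacific (UTC-7) and Eastern (UTC-4) time are ruled out, Central European time (UTC+1, UTC+2 in summer) is not, which is as far as timing alone can take the analysis.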

With the help of Tymnet and agents from various agencies, Stoll found that the intrusion was coming from West Germany via satellite link. The West German post office, the Deutsche Bundespost, had authority over the phone system there, and traced the calls to a university in Bremen. To keep the hacker on the line long enough for the trace to complete and entice him to reveal himself, Stoll set up an elaborate hoax, what would today be called a honeypot: he invented a fictitious department at LBNL supposedly formed under a new "SDI" contract, also fictitious. When he realized the hacker was particularly interested in the faux SDI entity, he filled the "SDInet" account (operated by an imaginary secretary named "Barbara Sherwin") with large files full of impressive-sounding bureaucratese. The ploy worked: the hacker spent long sessions reading the decoy files, and the Deutsche Bundespost finally located him at his home in Hanover.

The hacker's name was Markus Hess, and he had for some years been selling the results of his hacking to the Soviet Union's intelligence agency, the KGB. Ancillary proof of this came when a Hungarian agent contacted the fictitious SDInet at LBNL by mail, based on information he could only have obtained through Hess. Apparently this was the KGB's way of checking whether Hess was making up the information he was selling. Stoll later flew to West Germany to testify at Hess's trial.
