The Cuckoo's Egg

1989 nonfiction book by Clifford Stoll

Author: Clifford Stoll
Language: English
Publisher: Doubleday
Publication date: 1989
Publication place: United States
Media type: Print
Pages: 326
ISBN: 0-385-24946-2
OCLC: 43977527
Dewey Decimal: 364.16/8/0973 21
LC Class: UB271.R92 H477 2000

The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage is a 1989 book written by Clifford Stoll. It is his first-person account of the hunt for a computer hacker who broke into a computer at the Lawrence Berkeley National Laboratory (LBNL).

Stoll's use of the term extended the metaphor Cuckoo's egg from brood parasitism in birds to malware.

Summary

Author Clifford Stoll, an astronomer by training, managed computers at Lawrence Berkeley National Laboratory (LBNL) in California. One day in 1986 his supervisor asked him to resolve an accounting error of 75 cents in the computer usage accounts. Stoll traced the error to an unauthorized user who had apparently used nine seconds of computer time and not paid for it. Stoll eventually realized that the unauthorized user was a hacker who had acquired superuser access to the LBNL system by exploiting a vulnerability in the movemail function of the original GNU Emacs.

Early on, and over the course of a long weekend, Stoll rounded up fifty terminals, as well as teleprinters, mostly by "borrowing" them from the desks of co-workers away for the weekend. These he physically attached to the fifty incoming phone lines at LBNL. When the hacker dialed in that weekend, Stoll located the phone line used, which was coming from the Tymnet routing service. With the help of Tymnet, he eventually tracked the intrusion to a call center at MITRE, a defense contractor in McLean, Virginia. Over the next ten months, Stoll spent enormous amounts of time and effort tracing the hacker's origin. He saw that the hacker was using a 1200 baud connection and realized that the intrusion was coming through a telephone modem connection. Stoll's colleagues, Paul Murray and Lloyd Bellknap, assisted with the phone lines.

After returning his "borrowed" terminals, Stoll left a teleprinter attached to the intrusion line in order to see and record everything the hacker did. He watched as the hacker sought — and sometimes gained — unauthorized access to military bases around the United States, looking for files that contained words such as "nuclear" or "SDI" (Strategic Defense Initiative). The hacker also copied password files (in order to make dictionary attacks) and set up Trojan horses to find passwords. Stoll was amazed that on many of these high-security sites the hacker could easily guess passwords, since many system administrators had never bothered to change the passwords from their factory defaults. Even on military bases, the hacker was sometimes able to log in as "guest" with no password.

This was one of the first — if not the first — documented cases of a computer break-in, and Stoll seems to have been the first to keep a daily logbook of the hacker's activities. Over the course of his investigation, Stoll contacted various agents at the Federal Bureau of Investigation (FBI), the Central Intelligence Agency (CIA), the National Security Agency (NSA), and the United States Air Force Office of Special Investigations (OSI). At the very beginning there was confusion as to jurisdiction and a general reluctance to share information; the FBI in particular was uninterested as no large sum of money was involved and no classified information host was accessed.

Studying his log book, Stoll saw that the hacker was familiar with VAX/VMS, as well as AT&T Unix. He also noted that the hacker tended to be active around the middle of the day, Pacific time. Eventually Stoll hypothesized that, since modem bills are cheaper at night and most people have school or a day job and would only have a lot of free time for hacking at night, the hacker was in a time zone some distance to the east, likely beyond the US East Coast.

With the help of Tymnet and agents from various agencies, Stoll found that the intrusion was coming from West Germany via satellite. The West German post office, the Deutsche Bundespost, had authority over the phone system there, and traced the calls to a university in Bremen. In order to entice the hacker to reveal himself, Stoll set up an elaborate hoax — known today as a honeypot — by inventing a fictitious department at LBNL that had supposedly been newly formed by an "SDI" contract, also fictitious. When he realized the hacker was particularly interested in the faux SDI entity, he filled the "SDInet" account (operated by an imaginary secretary named "Barbara Sherwin") with large files full of impressive-sounding bureaucratese. The ploy worked, and the Deutsche Bundespost finally located the hacker at his home in Hanover.

The hacker's name was Markus Hess, and he had been engaged for some years in selling the results of his hacking to the Soviet Union's civilian intelligence agency, the KGB. There was ancillary proof of this when a Hungarian agent contacted the fictitious SDInet at LBNL by mail, based on information he could only have obtained through Hess. Apparently this was the KGB's method of double-checking to see if Hess was just making up the information he was selling. Stoll later flew to West Germany to testify at the trial of Hess.

References in popular culture

The book was chronicled in an episode of WGBH's NOVA entitled "The KGB, the Computer, and Me", which aired on PBS stations on October 3, 1990. Stoll and several of his co-workers participated in re-enactments of the events described.

Another documentary, Spycatcher, was made by Yorkshire Television.

The number sequence mentioned in Chapter 48 has become a popular math puzzle, known as the Cuckoo's Egg, the Morris Number Sequence, or the look-and-say sequence.

In the summer of 2000 the name "Cuckoo's Egg" was used to describe a file sharing hack attempt that substituted white noise or sound effects files for legitimate song files on Napster and other networks.

These events are referenced in Cory Doctorow's speculative fiction short story "The Things that Make Me Weak and Strange Get Engineered Away", as "(a) sysadmin who'd tracked a $0.75 billing anomaly back to a foreign spy-ring that was using his systems to hack his military."

See also

23 — a film made from the hackers' viewpoint
Digital footprint
Karl Koch (hacker)

External links

Image of 1st Edition Cover — Doubleday
"Stalking the Wily Hacker" — The author's original article about the trap
Booknotes interview with Stoll on The Cuckoo's Egg, December 3, 1989
Reference to the book on Internet Storm Center
West German hackers use Columbia's Kermit software to break into dozens of US military computers and capture information for the KGB, Columbia University Computing History, 1986-1987 section.