The Cuckoo's Egg (book)

From Wikipedia, the free encyclopedia

The Cuckoo's Egg
Author: Clifford Stoll
Cover artist: Ed Holub
Country: United States
Language: English
Publisher: Pocket Books
Publication date: 1990
Media type: Print
Pages: 402
ISBN: 0-7434-1146-3

The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage is a 1990 book written by Clifford Stoll. It is his first-person account of the hunt for a computer cracker who broke into a computer at the Lawrence Berkeley National Laboratory.

Contents

The author's supervisor asked him to resolve a US$0.75 accounting error in the computer usage accounts. He traced the error to an unauthorized user, and eventually realized that the unauthorized user was a cracker who had acquired root access to the LBL system by exploiting a vulnerability in the movemail function of the original GNU Emacs.

Over the next ten months, Stoll spent a great deal of time and effort tracing the cracker's origin. He saw that the cracker was using a 1200 baud connection and realized that the intrusion was coming through a telephone modem connection. Over the course of a long weekend he rounded up fifty terminals (mostly by "borrowing" them from the desks of co-workers away for the weekend) and teletype printers and physically attached them to the fifty incoming phone lines. When the cracker dialed in that weekend, Stoll located the phone line, which was coming from the Tymnet routing service. With the help of Tymnet, he eventually tracked the intrusion to a call center at MITRE, a defense contractor in McLean, Virginia.

Stoll returned his "borrowed" terminals and left a teletype printer attached to the intrusion line; that way he could see and record everything the cracker did (this took place in 1986, so the cracker was using the command line via telnet). He took notes as the cracker sought, and sometimes gained, unauthorized access to military bases around the United States, looking for files that contained words such as "nuclear" or "SDI". The cracker also copied password files (in order to carry out dictionary attacks) and set up Trojan horses to find passwords. Stoll was amazed that on many of these high-security sites the cracker could easily guess passwords, since many system administrators never bothered to change the passwords from their factory defaults. Even on Army bases the cracker was sometimes able to log in as "guest" with no password.

Over the course of this investigation, Stoll contacted various agents at the FBI, CIA, NSA, and Air Force OSI. Since this was almost the first documented case of cracking (Stoll seems to have been the first to keep a daily log book of the cracker's activity) there was some confusion as to jurisdiction and a general reluctance to share information (Stoll quotes an NSA agent as saying, "We listen, we don't talk").

Studying his log book, Stoll saw that the cracker was familiar with VMS, as well as AT&T Unix (but not Berkeley Unix). Also, the cracker tended to be active around the middle of the day, Pacific time. Stoll hypothesized that since modem bills are cheaper at night, and most people have school or a day job and would only have a lot of free time for hacking at night, the cracker was in a time zone some distance to the east.

With the help of Tymnet and various agents from various agencies, Stoll eventually found that the intrusion was coming from West Germany via satellite. The Deutsche Bundespost, the German post office, also had authority over the phone system, and they traced the calls to a university in Bremen. In order to entice the cracker to stay on the line long enough to be backtracked from Bremen, Stoll set up an elaborate hoax (known today as a honeypot), inventing a new department at LBL that had supposedly been newly formed because of an imaginary SDI contract. He knew the cracker was mainly interested in SDI, so he filled the "SDInet" account (operated by the imaginary secretary Barbara Sherwin) with large files full of impressive-sounding bureaucratese. The ploy worked, and the Deutsche Bundespost finally located the cracker at his home in Hanover. The cracker's name was Markus Hess, and he had been engaged for some years in selling the results of his cracking to the Soviet KGB. There was ancillary proof of this when a Hungarian spy contacted the imaginary SDInet at LBL, based on information he could only have gotten through Hess (apparently this was the KGB's method of double-checking to see if Hess was just making up the information he was selling them).

Stoll later had to fly to Germany to testify at the trial of Hess and a confederate. Although Hess was active at the same time and in the same area as the German Chaos Computer Club, they do not seem to have been working together.

The book was later chronicled in an episode of WGBH's NOVA entitled "The KGB, the Computer, and Me", which aired on PBS stations in 1990.[1]

Stoll went on to work in the Astrophysics department at Harvard University. Today he manufactures Klein bottles and sells them via the Internet.

The number sequence mentioned in Chapter 48 has become a popular math puzzle, known as the Cuckoo's Egg, the Morris Number Sequence, or the Look-and-say sequence.

In the summer of 2000 the name "Cuckoo's Egg" was used to describe a file sharing hack attempt that substituted white noise or sound effects files for legitimate song files on Napster and other networks.[1]

There is a recipe for chocolate chip cookies referenced in the book as a footnote.
