The Cuckoo's Egg

Tracking a Spy Through the Maze of Computer Espionage
by Clifford Stoll 1989 399 pages
4.28
15k+ ratings

Key Takeaways

1. A Trivial Accounting Error Uncovers a Major Breach

But errors in the pennies column arise from deeply buried problems, so finding these bugs is a natural test for a budding software wizard.

The investigation begins. Cliff Stoll, a newly reassigned astronomer at Lawrence Berkeley Laboratory (LBL), is tasked with finding a 75-cent discrepancy in the computer system's accounting logs. What seems like a minor bug quickly escalates when he discovers the missing time corresponds to an unauthorized user account. This small anomaly is the first thread pulled in a complex web of intrusion.

Initial clues emerge. The unauthorized account, initially dismissed as an operator error, reappears linked to an attempted break-in reported by a distant computer system called Dockmaster. Further investigation reveals the account belongs to a former employee, Joe Sventek, who is known to be out of the country. This confirms the presence of an external intruder.

Suspicion of a hacker. The combination of the accounting error, the unauthorized account, and the attempted external break-in leads Cliff to suspect a hacker has compromised the system. This realization shifts the focus from a simple accounting fix to a full-blown security investigation, driven by curiosity and a growing sense of responsibility.

2. The Hacker Exploits Simple, Widespread Vulnerabilities

It doesn't take brilliance or wizardry to break into computers. Just patience.

Exploiting known flaws. The hacker doesn't rely on sophisticated, unknown exploits. Instead, he leverages common, easily discoverable vulnerabilities that system administrators often overlook. His primary methods include:

  • Using default or easily guessed passwords (e.g., "guest," "system," "service").
  • Exploiting known bugs in widely used software (e.g., a flaw in the Gnu-Emacs editor allowing privilege escalation).
  • Taking advantage of misconfigured systems where default accounts have excessive privileges (e.g., UUCP accounts).

Patience over skill. The hacker's success stems from methodical persistence rather than technical genius. He patiently tries common account names and passwords, and systematically probes for known software vulnerabilities across numerous systems. This highlights that basic security hygiene is often neglected, leaving systems open to even unsophisticated attacks.

Widespread insecurity. The investigation reveals that many computer systems, even those at military and defense contractor sites, suffer from these fundamental security weaknesses. Administrators often prioritize usability or are simply unaware of the risks, leaving doors wide open for intruders who are willing to look.

3. Networks Create a Global, Interconnected Landscape

The Internet: an electronic highway interconnecting a hundred-thousand computers around the world.

Vast and complex. The investigation quickly moves beyond LBL's local network to the Internet, a sprawling collection of interconnected networks including the military's Milnet. This vast landscape allows the hacker to move between systems across the country and eventually, the world.

Stepping stones and pathways. The hacker uses compromised systems as stepping stones to reach other targets. By breaking into one computer, he gains access to its network connections and potentially discovers passwords or information about other systems, creating a chain of intrusions across the network. Examples include moving from LBL to Anniston Army Depot, and later using Mitre to dial out to various sites.

Anonymity and reach. The complexity and global reach of the networks provide the hacker with anonymity, making it difficult to trace his origin. He can enter the network in one location (e.g., Germany), pass through multiple intermediate systems (e.g., Tymnet, LBL, Mitre), and attack a target thousands of miles away (e.g., Air Force Space Command, Fort Buckner in Japan), obscuring his true location.

4. Bureaucracy and Jurisdiction Hinder Effective Response

Every agency seemed to have a good reason to do nothing.

Lack of clear responsibility. Cliff attempts to report the intrusion to various U.S. government agencies, including the FBI, CIA, NSA, and Department of Energy. Initially, most agencies are reluctant to get involved, citing lack of clear jurisdiction, insufficient monetary loss, or absence of classified data compromise.

"Not my bailiwick." A recurring theme is agencies deferring responsibility to others. The FBI views it as a local problem or lacking sufficient damage for federal intervention. The CIA and NSA are primarily focused on foreign intelligence and national security, initially seeing no evidence of espionage. This bureaucratic inertia allows the hacker to continue operating unchecked for months.

Inter-agency friction. Even when agencies become interested, communication and cooperation are challenging. The FBI struggles to coordinate with German authorities, and there are hints of friction or lack of trust between different U.S. intelligence and law enforcement entities. Cliff often finds himself acting as an unofficial liaison, passing information between reluctant parties.

5. Unconventional Methods Are Key to Tracking

If they won't get the Germans to trace a call, then find some other way.

Creative monitoring. Lacking official resources and facing bureaucratic hurdles, Cliff develops his own methods to track the hacker. He uses printers to log keystrokes, sets up alarms on specific accounts, and employs a pocket pager to be notified instantly of the hacker's activity.
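The two checks at the heart of the story, the accounting reconciliation from takeaway 1 and the per-account alarms described here, as an added example written for this page (not code from the book or from LBL), run over constructed sample records; the roster, logins and CPU figures are all invented:

```python
"""Added example: reconcile metered usage against the billing roster and
raise alarms on watched accounts. All data below is constructed."""
from collections import defaultdict

# Constructed roster: login -> (owner, status). "sventek" stands for the
# departed user whose dormant account the intruder reused in the story.
ROSTER = {
    "stoll":   ("Cliff Stoll", "active"),
    "guest":   ("shared",      "active"),
    "sventek": ("Joe Sventek", "departed"),
}

# Constructed metering records: (login, cpu_seconds). The metering program
# charges every session it sees; the billing side only knows active accounts.
USAGE = [
    ("stoll", 1200),
    ("guest", 300),
    ("sventek", 75),   # usage on an account that should have been dormant
]

# Accounts whose use should page the administrator (constructed watch list).
WATCHED = {"sventek", "guest"}

RATE_CENTS_PER_SECOND = 1  # constructed tariff, kept integer to avoid rounding


def reconcile(usage, roster, rate):
    """Return (metered_cents, billed_cents, unexplained).

    unexplained maps each login that was metered but cannot be billed to an
    active account onto the cents it consumed; a non-empty result is the
    'pennies column' discrepancy that started the investigation."""
    charged = defaultdict(int)
    for login, secs in usage:
        charged[login] += secs * rate
    billable = {login for login, (_, status) in roster.items() if status == "active"}
    billed = {login: c for login, c in charged.items() if login in billable}
    unexplained = {login: c for login, c in charged.items() if login not in billable}
    return sum(charged.values()), sum(billed.values()), unexplained


def alarms(usage, watched):
    """Return the sorted set of watched accounts that show any activity."""
    return sorted({login for login, secs in usage if login in watched and secs > 0})
```

The discrepancy is attributed to an account rather than merely detected, which is what turned a 75-cent bug into a security investigation.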

Exploiting hacker behavior. Cliff uses the hacker's predictable patterns against him. By timing network echoes during file transfers, he estimates the hacker's distance. He analyzes login times to infer the hacker's location and work habits. He even uses physical methods like jingling keys on phone lines to disrupt the hacker's sessions without alerting him to being watched.

The "Operation Showerhead" sting. The most creative tactic involves creating fake, sensitive documents about a fictional "SDI Network" and leaving them as bait. This lures the hacker into spending extended time on LBL's system, providing the necessary duration for phone traces. The hacker's subsequent letter requesting these documents provides a crucial physical link.

6. Espionage, Not Just Vandalism, Is the Motive

This hacker was a spy.

Targeting military and defense. The hacker's consistent focus on military computers, defense contractors (Mitre, TRW, Unisys, BBN), and sensitive databases (Pentagon Optimis, Air Force Space Command, Navy Coastal Systems Center) strongly suggests a motive beyond simple mischief or intellectual challenge. He specifically searches for keywords like "SDI," "nuclear," "stealth," and military acronyms.

Systematic data theft. The hacker doesn't just break in; he systematically copies files, including password files and documents related to military plans, technology, and logistics. His methodical approach and detailed note-taking (inferred from his actions) indicate he is collecting information for a purpose.

The Pittsburgh connection. The letter from Laszlo Balogh in Pittsburgh, requesting the fake SDI documents, provides a physical link to someone interested in the stolen information. While the hacker is traced to Germany, the letter suggests the information is being passed to individuals or entities in the United States, pointing towards an espionage ring rather than a lone vandal.

7. International Cooperation Proves Challenging

You need a German search warrant.

Legal hurdles. Tracing the hacker across international borders introduces complex legal challenges. U.S. search warrants are not valid in Germany, requiring coordination between U.S. and German law enforcement and judicial systems. Obtaining the necessary German warrants proves difficult and time-consuming.

Communication breakdowns. Despite willingness from some individuals (like Steve White at Tymnet and Wolfgang Hoffman at the Bundespost), official communication channels between U.S. agencies (particularly the FBI) and their German counterparts are slow and inefficient. Messages are delayed or lost, hindering the progress of the investigation and frustrating those on the ground.

Differing priorities and laws. German law initially views hacking as less severe than U.S. law, complicating extradition prospects. Differing priorities and procedures between countries require constant effort to maintain momentum and ensure cooperation, highlighting the difficulties in prosecuting cybercrime across borders.

8. The Hacker is Traced Across Continents

Your hacker is coming from abroad?

Following the digital breadcrumbs. Through persistent monitoring and collaboration with network providers like Tymnet and ITT, Cliff and Steve White are able to trace the hacker's connection beyond the U.S. borders. Initial network traces point to an international record carrier.

Pinpointing the origin. Further tracing through international networks, specifically the German Datex network, allows them to narrow down the hacker's origin. The network address identifies the connection point as being within West Germany.

Zeroing in on location. Subsequent traces, coordinated with the German Bundespost, pinpoint the hacker's connection to specific cities in Germany, initially Bremen and later Hannover. The traces eventually narrow down to a public dial-in port in Hannover, and finally, to a specific telephone number and individual.

9. Security Requires Constant Vigilance and Patching

The shoemakers' kids are running around barefoot.

Neglected basics. The investigation reveals that many systems, even those managed by defense contractors specializing in security, fail at basic security practices. This includes using default passwords, not patching known software vulnerabilities, and failing to monitor audit logs.

Known vulnerabilities persist. Flaws like the Gnu-Emacs move-mail bug and default VMS passwords remain unpatched on numerous systems for extended periods, leaving them open to repeated attacks by the hacker. Even after being notified, some sites are slow to react or make ineffective changes.

The human element. Beyond technical flaws, human errors contribute significantly to insecurity. Users choose weak passwords, share them inappropriately, or store them in insecure locations. System administrators may lack the knowledge or resources to properly secure complex systems.

10. Trust is the Fragile Foundation of Open Networks

This bastard is undermining the trust that holds our community together.

Openness vs. security. The scientific and academic communities value open access and free exchange of information, which is facilitated by interconnected networks. However, this openness makes systems vulnerable to malicious actors who exploit trust.

Erosion of community. The hacker's actions, while not always causing physical damage, erode the sense of trust within the networked community. System administrators become more paranoid, users worry about privacy, and the free flow of information is threatened as sites implement stricter security measures.

The cost of insecurity. The true cost of hacking extends beyond stolen data or computer time. It includes the time and resources spent on investigation and patching, the disruption to operations, and the long-term impact on the collaborative spirit that built and sustains the networks.

11. The Hacker is Identified and Arrested

After all this time, my cuckoo's name is Markus Hess.

Evidence accumulation. Through months of painstaking monitoring, tracing, and analysis, Cliff gathers overwhelming evidence of the hacker's activities, methods, and origin. This includes thousands of pages of printouts, network trace data, and the crucial letter from Pittsburgh.

The net closes. The combined efforts of LBL, Tymnet, the Bundespost, and eventually the FBI and German police narrow the search to a specific individual in Hannover. The German authorities prepare for an arrest, coordinating with U.S. officials.

Arrest and identification. Based on the evidence and successful traces, German police search an apartment and a company in Hannover, seizing computer equipment and records. The individual identified is Markus Hess. While the full scope and motives (including the Pittsburgh connection) remain subjects of further investigation and legal proceedings, the primary hacker is apprehended.

Review Summary

4.28 out of 5
Average of 15k+ ratings from Goodreads and Amazon.

The Cuckoo's Egg is a captivating true story of Clifford Stoll's pursuit of a hacker in the 1980s. Readers praise Stoll's engaging narrative, blending technical details with personal anecdotes. The book offers a fascinating glimpse into early internet security and government agencies' initial reluctance to address cybercrime. While some find the middle section repetitive, most appreciate the historical context and Stoll's persistence. The story resonates with computer enthusiasts and provides valuable insights into the evolution of technology and cybersecurity.


About the Author

Clifford Paul "Cliff" Stoll is an astronomer, author, and teacher renowned for his 1986 investigation that led to the capture of hacker Markus Hess. While working as a systems administrator at Lawrence Berkeley National Laboratory, Stoll's pursuit of a 75-cent accounting discrepancy uncovered a major security breach. His book, The Cuckoo's Egg, details this investigation and became a bestseller. Stoll's work significantly contributed to early cybersecurity awareness. Beyond his famous hacker chase, he has authored other books and gained attention for his skepticism about the internet's impact on society. Stoll is also known for creating and selling glass Klein bottles.
