{"id":17242,"date":"2019-12-18T10:45:17","date_gmt":"2019-12-18T18:45:17","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/12\/18\/news-10978\/"},"modified":"2019-12-18T10:45:17","modified_gmt":"2019-12-18T18:45:17","slug":"news-10978","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/12\/18\/news-10978\/","title":{"rendered":"Meet Cliff Stoll, the Mad Scientist Who Invented the Art of Hunting Hackers"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5df9bbf9891bc70008d39ece\/master\/pass\/Backchannel-Cliff-Stoll-8495.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Wed, 18 Dec 2019 12:00:00 +0000<\/strong><\/p>\n<p class=\"byline bylines__byline byline--author\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\"><span class=\"byline__name byline--with-bg\"><a class=\"byline__name-link\" href=\"\/contributor\/andy-greenberg\">Andy Greenber<span class=\"link__last-letter-spacing\">g<\/span><\/a><\/span> <\/span><\/p>\n<p class=\"content-header__row content-header__dek\">Thirty years ago, Cliff Stoll published <em>The Cuckoo&#39;s Egg<\/em>, a book about his cat-and-mouse game with a KGB-sponsored hacker. Today, the internet is a far darker place&#8212;and Stoll has become a cybersecurity icon.<\/p>\n<p><strong>In 1986, Cliff Stoll\u2019s boss<\/strong> at Lawrence Berkeley National Labs tasked him with getting to the bottom of a 75-cent accounting discrepancy in the lab\u2019s computer network, which was rented out to remote users by the minute. Stoll, 36, investigated the source of that minuscule anomaly, pulling on it like a loose thread until it led to a shocking culprit: a hacker in the system.<\/p>\n<p>Stoll then spent the next year of his life following that hacker\u2019s footprints across the lab\u2019s network and the nascent internet. 
In doing so, he revealed a vast web of similar intrusions into military and government agencies carried out by a group of young German hackers, eventually revealed to have been working in the service of the Soviet KGB. The story that Stoll unraveled from that tiny initial clue, which he published in late 1989 as a kind of digital detective memoir, <em>The Cuckoo\u2019s Egg<\/em>, turned out to be the very first known case of state-sponsored hacking\u2014a tale far bigger than he could have ever imagined when he began hunting those three quarters missing from his lab\u2019s ledger.<\/p>\n<p>Today, that story has taken on a larger life still. As <em>The Cuckoo\u2019s Egg<\/em> hits its 30th anniversary, the book has sold more than 1 million copies. And for a smaller core of cybersecurity practitioners within that massive readership, it\u2019s become a kind of legend: the ur-narrative of a lone hacker hunter, a text that has inspired an entire generation of network defenders chasing their own anomalies through a vastly larger, infinitely more malicious internet.<\/p>\n<p>Stoll asks people who have interviewed him to sign his personal copy of <em>The Cuckoo&#8217;s Egg<\/em>.<\/p>\n<p>As for 69-year-old Stoll himself, he talks about the entire series of events as if he still can\u2019t believe all the fuss he\u2019s caused. \u201cI thought it was a weird, bizarre hiccup I\u2019d stumbled into,\u201d Stoll told me when we first spoke last year, after I called the home number he lists on the <a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.kleinbottle.com\/&quot;}\" href=\"https:\/\/www.kleinbottle.com\/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">very eclectic website for his business selling klein bottles<\/a>\u2014blown-glass oddities that, topologically speaking, have only one side, with no inside or outside. 
\u201cI had no idea this would become a multibillion-dollar industry. Or essential to running a large business. Or that the CEO of a credit reporting company could lose his job because of computer security. Or that thousands of people would have careers in the field. Or that national institutions in many countries around the world would devote themselves to exploiting security holes in computer networks.\u201d<\/p>\n<p>In fact, Stoll is an unlikely legend for his cybersecurity industry admirers. On the day I visited Stoll in his Oakland home last month, just a few days after the 30th anniversary of <em>The Cuckoo&#x27;s Egg<\/em>\u2019s publication, he had spent the morning watching Mercury transit the Sun with his telescope. Stoll has a PhD in planetary astronomy and had intended to make stargazing his career before Lawrence Berkeley transferred him\u2014not entirely voluntarily\u2014into the IT department.<\/p>\n<p>When I arrive, he takes me to his workshop in the back of the house, a room with one wall covered in printed pictures of inventors, mathematicians, and scientists who inspire him: Felix Klein, Alan Turing, Emmy Noether. Then he flips up his desk on a hinge to reveal a door in the wall beneath it.<\/p>\n<p>Inside is a small, homemade forklift robot, which lives in the crawlspace beneath his house. Using a remote control and watching several screens that show a feed from the robot&#x27;s cameras, he wheels his little bot across the cramped storage space under his home, its walls lined with cardboard boxes, to delicately retrieve a crate full of beautifully crafted klein bottles wrapped in paper.<\/p>\n<p>Stoll is still curious about hacking too. A couple of months earlier, he mentions, he decided on a lark to reverse-engineer some hackers\u2019 malware-laced Excel file to see where it hid its malicious code. 
\u201cI said to myself \u2018Oh, here\u2019s how they\u2019re hiding it.\u2019 It was very sweet and a useful lesson,\u201d Stoll says, sitting on the floor of his workshop next to his forklift bot. \u201cHaving said that, I\u2019m not very interested in cybersecurity today. I wish I was more interested. I wish I could help people defend their systems. Instead, I went back to figuring out how to make a klein bottle that can sit without wobbling.\u201d<\/p>\n<p>Royalties from <em>The Cuckoo&#x27;s Egg<\/em> paid off Stoll\u2019s mortgage years ago. Today, klein bottle sales provide him another\u2014very modest\u2014income stream. As for cybersecurity, beyond a few conference talks, he hasn\u2019t worked in the industry for decades. The same omnivorous curiosity that drove him to chase his hacker for a year eventually led him to devote the next 30 to his other interests like mathematics, electronic music, and physics\u2014none of which he claims to be an expert in. \u201cTo a mathematician, I\u2019m a pretty good physicist,\u201d Stoll deadpans. \u201cTo a physicist, I\u2019m a fairly good computer maven. To real computer jocks, they know me as somebody who\u2019s a good writer. To people who know how to write \u2026 I\u2019m a really good mathematician!\u201d<\/p>\n<p><strong>But if Stoll is a cybersecurity amateur<\/strong>, few experts have had as much influence on the field. Stoll\u2019s fans in the industry point out how, in hunting his hacker 30 years ago, he pioneered techniques out of necessity that would later become standard practice. Stoll slept under his desk at the lab and programmed his pager to alert him when the hacker logged into the network in the middle of the night. 
He also set up dozens of printers to transcribe every keystroke the hacker typed in real time. All of that added up to something like the first intrusion detection system.<\/p>\n<p>When Stoll traced the hacker\u2019s intrusions to the Department of Defense\u2019s MILNET systems, an Alabama army base, the White Sands Missile Range, Navy shipyards, Air Force bases, NASA\u2019s Jet Propulsion Laboratory, defense contractors, and the CIA, Stoll was mapping out an intrusion campaign just as threat intelligence analysts do today.<\/p>\n<p>When he planted hundreds of fake secret military documents on his network that tricked his hacker into staying logged into the Lawrence Berkeley system long enough for a German telecom employee to trace the intrusion to the hacker\u2019s location in Hanover, he was building a \u201choneypot\u201d\u2014the same sort of decoy regularly used to track and analyze modern hackers and botnets.<\/p>\n<p>\u201c<em>The Cuckoo&#x27;s Egg<\/em> documented so many of the methods we now use to deal with high-end intruders,\u201d says Richard Bejtlich, a well-known security guru and author of <em>The Tao of Network Security Monitoring: Beyond Intrusion Detection<\/em>, who has worked on incident response and network monitoring at companies like Corelight and FireEye. \u201cYou can see in the book almost everything you need to do in an incident. The mindset, the thoroughness, the commitment to it. It\u2019s all there.\u201d<\/p>\n<p>Even before his book was published, Stoll\u2019s hacker-tracking work at Lawrence Berkeley National Labs inspired its sister institution, Lawrence Livermore National Labs, to try to develop more systematic, automated defenses against hackers. An engineer there, Todd Heberlein, was given a grant to build the world\u2019s first network security monitoring software. \u201cYou could literally say that Cliff Stoll kick-started the entire intrusion detection field. 
We essentially automated in software much of what Stoll was doing,\u201d Heberlein says. \u201cOnce I had our tools turned on, we saw people every day trying to hack our network and sometimes succeeding. An entire crime wave was happening and no one was aware of it.\u201d<\/p>\n<p>Eventually a version of Heberlein\u2019s network monitoring software was deployed to more than 100 Air Force networks, including the ones Richard Bejtlich found himself working on during his time in the military in the late 1990s. As a high school student, Bejtlich had been captivated by a paperback copy of <em>The Cuckoo&#x27;s Egg<\/em>, and he reread it during that time in the Air Force. \u201cEvery element of what Stoll did, we were doing,\u201d he recalls.<\/p>\n<p>Around 2010, when he was working as director of incident response for General Electric, Bejtlich says he read it again, and found dozens more lessons for his team. He\u2019d later pull them together for a talk about those lessons, \u201c<a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/taosecurity.blogspot.com\/2011\/04\/cooking-cuckoos-egg.html&quot;}\" href=\"https:\/\/taosecurity.blogspot.com\/2011\/04\/cooking-cuckoos-egg.html\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">Cooking the Cuckoo&#x27;s Egg<\/a>,\u201d that he gave at a Department of Justice cybersecurity conference.<\/p>\n<p>Just as much as its technical lessons, <em>The Cuckoo\u2019s Egg<\/em> captures a deeply personal side of the job of hacker tracking too. The long hours, friction with bosses, federal agents who demand to be briefed on discoveries without sharing their own information, and tensions with loved ones\u2014Stoll\u2019s then-girlfriend (now ex-wife) didn\u2019t always appreciate his nights sleeping under his desk to hunt an invisible white whale. \u201cThere are still incident responders who sleep under desks and are awoken at weird times. 
You\u2019re at the mercy of the intruder,\u201d Bejtlich says. \u201cAnyone who has done this can relate to being away from the family and working crazy hours. It\u2019s completely familiar even 30 years later.\u201d<\/p>\n<p>But there\u2019s a thrilling side to Stoll&#x27;s story as well: an ideal for aspiring network defenders, many of whom hope to someday find themselves the protagonist in a detective story like the one Stoll wrote about. \u201cPeople who get into cybersecurity dream they\u2019ll work on something like this,\u201d says Chris Sanders, a security consultant who created a course based on <em>The Cuckoo&#x27;s Egg<\/em> called &quot;<a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/chrissanders.org\/training\/cuckoosegg\/&quot;}\" href=\"https:\/\/chrissanders.org\/training\/cuckoosegg\/\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">The Cuckoo&#x27;s Egg Decompiled<\/a>.&quot; \u201cThey imagine finding the thing that becomes the bigger thing. We all want to live that. Some live it and some don\u2019t. But we all get to live it vicariously through Cliff.\u201d<\/p>\n<p>Stoll makes and sells blown glass klein bottles that, topologically speaking, have only one side, with no inside or outside.<\/p>\n<p><strong>That fantasy version of Cliff Stoll<\/strong> is hard to make out in the mad scientist, klein bottle-selling Cliff Stoll of today. But, it turns out, underneath 30 years of layered polymath whimsy, the obsessed hacker hunter is still there.<\/p>\n<p>After he finishes giving me a tour of his workshop, Stoll sits me down in his cluttered dining room lined with books, including a full 20-volume set of the Oxford English Dictionary, one of the first things he says he bought with his <em>Cuckoo&#x27;s Egg<\/em> advance. 
He starts reminiscing, telling a story about his hacker hunting that isn\u2019t in the book.<\/p>\n<p>After Stoll helped German police trace the Lawrence Berkeley National Lab\u2019s hacker to an address in Hanover, they arrested the intruder\u2014a young man named Markus Hess. The police found that Hess, along with four other hackers, had together decided to sell their stolen secrets to the Soviets.<\/p>\n<p>What he didn\u2019t mention in the book is that he later met Hess in person. When Stoll was called to the German town of Celle near Hanover to serve as an expert witness in the case, as he tells it, he ran into Hess in the courthouse bathroom, coming face to face with the hacker he\u2019d chased online for a year. Hess recognized Stoll, and began asking him in English why he had so doggedly pursued him. \u201cDo you know what you\u2019re doing to me?\u201d Hess asked, according to Stoll\u2019s 30-year-old memories. \u201cYou\u2019re going to get me sent to prison!\u201d<\/p>\n<p>Stoll says he simply told Hess, \u201cYou don&#x27;t understand,\u201d walked out of the bathroom, and testified against him. (That telling of events couldn\u2019t be confirmed with Hess, who has no contact information available online and hasn&#x27;t commented publicly on <em>The Cuckoo&#x27;s Egg<\/em> in decades. Even Hans H\u00fcbner, one of Hess\u2019 co-conspirators at the time, told me he had no idea about how to reach him. H\u00fcbner also noted that his own primary motivation in hacking had always been exploration and technical discovery, not Russian money. He believes Hess, who was given a 20-month suspended sentence for his intrusions, likely felt the same.)<\/p>\n<p>At this point in the story, Stoll becomes silent and his face twists into a pained expression. Slowly, I realize that he\u2019s angry. Then Stoll tells me what he really wanted to tell Hess: \u201cIf you\u2019re so smart, if you\u2019re so brilliant, make something that will make the internet a better place! 
Find out what\u2019s wrong and make it better! Don\u2019t go screwing with information that belongs to innocent people!\u201d Stoll says.<\/p>\n<p>He startles me by pounding his fist on his dining room table. \u201cDon\u2019t think you\u2019re licensed to break into computers because you\u2019re clever. No! You have a responsibility to those who have built those systems, those who maintain those networks, who built the delicate software. You have a responsibility to your colleagues like me to behave ethically.\u201d<\/p>\n<p>This is the other ingredient to Stoll\u2019s hacker-hunting obsession, and the same drive in so many others in the cybersecurity world who followed him\u2014not just curiosity, but a kind of low-burning moral outrage. For Stoll, it seems to stem from a time few other internet users remember, a time before the World Wide Web even existed and when most denizens of the internet were idealistic academics and scientists like him. Before the hackers\u2014or, at least, the criminal and state-sponsored ones\u2014arrived.<\/p>\n<p>\u201cI remember when the internet was innocent, when it crossed political boundaries without a care, when it was a sandbox for intellectually happy people,\u201d Stoll had told me in our first phone call. \u201cBoy, did that bubble burst.\u201d<\/p>\n<p>He never imagined, 30 years ago, that the internet would become a medium for dark forces: disinformation, espionage, and war. \u201cI look for the best in people. I want to live in a world where computing and technology are used for the good of humanity,\u201d Stoll says. 
\u201cAnd it breaks my heart.\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/meet-the-mad-scientist-who-wrote-the-book-on-how-to-hunt-hackers\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5df9bbf9891bc70008d39ece\/master\/pass\/Backchannel-Cliff-Stoll-8495.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Wed, 18 Dec 2019 12:00:00 +0000<\/strong><\/p>\n<p>Thirty years ago, Cliff Stoll published The Cuckoo&#8217;s Egg, a book about his cat-and-mouse game with a KGB-sponsored hacker. Today, the internet is a far darker place\u2014and Stoll has become a cybersecurity icon.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[17573,714],"class_list":["post-17242","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-backchannel","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17242"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17242\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17242"}],"wp:term":[{"taxonomy":"category",
"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17242"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}