The Cuckoo's Egg

The object

In August 1986, Cliff Stoll — an astronomer turned reluctant sysadmin at Lawrence Berkeley National Laboratory — noticed a 75-cent discrepancy in the computer accounting logs. Rather than dismiss it, he followed the thread. The artifact is the year-long paper trail of his pursuit, later published as the book The Cuckoo's Egg (1989), which reads like a detective novel and is, in fact, the first detailed public account of an internet intrusion investigation.

The chase

The intruder was Markus Hess, a German hacker on the periphery of the Chaos Computer Club's milieu, breaking into U.S. military and research networks and selling what he found to the KGB. Stoll improvised everything that has since become standard practice: he set up honeypots, kept meticulous timelines, called the FBI (who initially shrugged), routed alarms to a beeper, and finally lured Hess into reading fake "SDInet" documents long enough to be traced across continents. Karl Koch — Hagbard Celine — was part of the same circle. His unsolved death in 1989, days before a planned interview, gave the affair a permanently unsettled tone.

Why it matters

This is the moment hacking ceased to be a domestic story. A teenager at a German keyboard could touch a U.S. submarine base, and the legal, diplomatic, and ethical infrastructure for responding did not yet exist. The Cuckoo's Egg gave that infrastructure its first vocabulary. Almost every concept in contemporary incident response — chain of custody on logs, deception environments, cross-jurisdiction coordination — has a draft in Stoll's printouts.

The lesson it set loose

Pay attention to the small wrong numbers. The defining intrusions are rarely announced; they are spotted by someone who refuses to round a 75-cent error away. Curiosity, the founding hacker virtue, turns out to be a defender's discipline too.