Skip to content
hacker_culture_
Back to the collection
SecurityInvestigation· 1986

The Cuckoo's Egg

A 75-cent accounting error that uncovered Cold-War espionage and invented modern incident response.

4 min read739 words
Portrait of Clifford Stoll, astronomer and author of The Cuckoo's Egg
Image: heipei · CC BY-SA 2.0

The object

In August 1986, Cliff Stoll (an astronomer who had drifted into running the computers at Lawrence Berkeley National Laboratory after his telescope-time funding ran out) was handed a trivial chore: reconcile a 75-cent discrepancy between two accounting programs that billed users for time on the lab's mainframes. The lab charged in fractions of a second, and the books had never disagreed before. Rather than write the gap off, Stoll traced it to an unauthorized user, "Hunter," who had no billing address because he had never been authorized at all. The artifact is the year-long paper trail of the pursuit that followed (logbooks, printouts, and a hand-drawn map of network hops), later published as the book The Cuckoo's Egg (1989), which reads like a detective novel and is, in fact, the first detailed public account of an internet intrusion investigation. The title comes from the intruder's method: like a cuckoo laying its egg in another bird's nest, he slipped his code into systems that then nurtured it, exploiting a flaw in the GNU Emacs movemail utility to gain superuser rights.

The chase

The intruder was Markus Hess, operating out of Hannover, West Germany, on the periphery of the Chaos Computer Club's milieu. Dialing through the German Datex-P network and the Tymnet international gateway, he hopped through Berkeley into MILNET, the U.S. military's segment of the early internet, probing some 450 computers at bases, defense contractors, and NASA, and breaking into roughly thirty. What he found he sold to the KGB for cash and drugs, brokered by a Hannover dealer named Pengo and others. Stoll improvised everything that has since become standard practice: he wired fifty printers and teletypes to the incoming lines so every keystroke was logged on paper, kept meticulous minute-by-minute timelines, and slept on a cot in the machine room with a pager clipped to his belt so an alarm would wake him when Hess logged on. The FBI, CIA, NSA, and Air Force OSI all initially shrugged, since no agency would claim a case about a few dollars, so Stoll kept going alone. Because Hess stayed connected only minutes at a time, too briefly for the German Bundespost to complete a trace, Stoll invented a lure: a fictitious office of "SDInet" (Strategic Defense Initiative network) stuffed with bogus classified-sounding files. Hess lingered for hours reading them, long enough to be traced across the Atlantic to Hannover. The bait worked twice over: in 1987 a Hungarian agent mailed a letter to the fake SDInet office, confirming the espionage link.

The circle around it

Hess did not act alone. His collaborators belonged to a loose Hannover group that sold Western computer access to the Soviets; the ring was rolled up after Stoll's trace, and in 1990 Hess and two others were convicted of espionage in a German court and given suspended sentences. The most haunting figure was Karl Koch (handle Hagbard Celine, taken from Robert Anton Wilson's Illuminatus! trilogy), a young hacker steeped in conspiracy theory and addiction who had been part of the same scene. In May 1989, days after the network television exposure of the case and before he could fully testify, Koch was found burned to death in a forest near Celle. The official ruling was suicide; the timing left the affair a permanently unsettled tone and later inspired the German film 23 (1998).

Why it matters

This is the moment hacking ceased to be a domestic story. A man at a keyboard in West Germany could touch a U.S. submarine base and NASA's networks, and the legal, diplomatic, and ethical infrastructure for responding did not yet exist. There was no clear law under which to charge him in the United States, and no routine channel for the FBI to coordinate with German police. The Cuckoo's Egg gave that infrastructure its first vocabulary. Almost every concept in contemporary incident response, from chain of custody on logs to deception environments and honeypots to cross-jurisdiction coordination, has a draft in Stoll's printouts. The case also helped spur the founding, in 1988, of the first Computer Emergency Response Team (CERT) at Carnegie Mellon, the institutional template now copied worldwide.

The lesson it set loose

Pay attention to the small wrong numbers. The defining intrusions are rarely announced; they are spotted by someone who refuses to round a 75-cent error away. Curiosity, the founding hacker virtue, turns out to be a defender's discipline too.

Further reading

Keep exploring

Next exhibit

The Conscience of a Hacker