https://www.wired.com/story/meet-the-mad-scientist-who-wrote-the-book-on-how-to-hunt-hackers/

Meet the Mad Scientist Who Wrote the Book on How to Hunt Hackers

Andy Greenberg
Backchannel
Dec 18, 2019 7:00 AM

Thirty years ago, Cliff Stoll published The Cuckoo's Egg, a book about his cat-and-mouse game with a KGB-sponsored hacker. Today, the internet is a far darker place--and Stoll has become a cybersecurity icon.

Cliff Stoll in his workshop in Oakland, California. Photograph: Cayce Clifford

In 1986, Cliff Stoll's boss at Lawrence Berkeley National Labs tasked him with getting to the bottom of a 75-cent accounting discrepancy in the lab's computer network, which was rented out to remote users by the minute. Stoll, 36, investigated the source of that minuscule anomaly, pulling on it like a loose thread until it led to a shocking culprit: a hacker in the system.

Stoll then spent the next year of his life following that hacker's footprints across the lab's network and the nascent internet. In doing so, he revealed a vast web of similar intrusions into military and government agencies carried out by a group of young German hackers, eventually revealed to have been working in the service of the Soviet KGB.
The story that Stoll unraveled from that tiny initial clue, which he published in late 1989 as a kind of digital detective memoir, The Cuckoo's Egg, turned out to be the very first known case of state-sponsored hacking--a tale far bigger than he could have ever imagined when he began hunting those three quarters missing from his lab's ledger.

Today, that story has taken on a larger life still. As The Cuckoo's Egg hits its 30th anniversary, the book has sold more than 1 million copies. And for a smaller core of cybersecurity practitioners within that massive readership, it's become a kind of legend: the ur-narrative of a lone hacker hunter, a text that has inspired an entire generation of network defenders chasing their own anomalies through a vastly larger, infinitely more malicious internet.

Stoll asks people who have interviewed him to sign his personal copy of The Cuckoo's Egg. Photograph: Cayce Clifford

As for 69-year-old Stoll himself, he talks about the entire series of events as if he still can't believe all the fuss he's caused.

"I thought it was a weird, bizarre hiccup I'd stumbled into," Stoll told me when we first spoke last year, after I called the home number he lists on the very eclectic website for his business selling klein bottles--blown-glass oddities that, topologically speaking, have only one side, with no inside or outside. "I had no idea this would become a multibillion-dollar industry. Or essential to running a large business. Or that the CEO of a credit reporting company could lose his job because of computer security. Or that thousands of people would have careers in the field. Or that national institutions in many countries around the world would devote themselves to exploiting security holes in computer networks."
In fact, Stoll is an unlikely legend for his cybersecurity industry admirers. On the day I visited Stoll in his Oakland home last month, just a few days after the 30th anniversary of The Cuckoo's Egg's publication, he had spent the morning watching Mercury transit the Sun with his telescope. Stoll has a PhD in planetary astronomy and had intended to make stargazing his career before Lawrence Berkeley transferred him--not entirely voluntarily--into the IT department.

When I arrive, he takes me to his workshop in the back of the house, a room with one wall covered in printed pictures of inventors, mathematicians, and scientists who inspire him: Felix Klein, Alan Turing, Emmy Noether. Then he flips up his desk on a hinge to reveal a door in the wall beneath it. Inside is a small, homemade forklift robot, which lives in the crawlspace beneath his house. Using a remote control and watching several screens that show a feed from the robot's cameras, he wheels his little bot across the cramped storage space under his home, its walls lined with cardboard boxes, to delicately retrieve a crate full of beautifully crafted klein bottles wrapped in paper.

Stoll is still curious about hacking too.
A couple of months earlier, he mentions, he decided on a lark to reverse-engineer some hackers' malware-laced Excel file to see where it hid its malicious code. "I said to myself 'Oh, here's how they're hiding it.' It was very sweet and a useful lesson," Stoll says, sitting on the floor of his workshop next to his forklift bot. "Having said that, I'm not very interested in cybersecurity today. I wish I was more interested. I wish I could help people defend their systems. Instead, I went back to figuring out how to make a klein bottle that can sit without wobbling."

Royalties from The Cuckoo's Egg paid off Stoll's mortgage years ago. Today, klein bottle sales provide him another--very modest--income stream. As for cybersecurity, beyond a few conference talks, he hasn't worked in the industry for decades. The same omnivorous curiosity that drove him to chase his hacker for a year eventually led him to devote the next 30 to his other interests like mathematics, electronic music, and physics--none of which he claims to be an expert in.

"To a mathematician, I'm a pretty good physicist," Stoll deadpans. "To a physicist, I'm a fairly good computer maven. To real computer jocks, they know me as somebody who's a good writer. To people who know how to write ... I'm a really good mathematician!"

---------------------------------------------------------------------

"To a mathematician, I'm a pretty good physicist," Stoll says. Photograph: Cayce Clifford

"To people who know how to write," he says, "I'm a really good mathematician!" Photograph: Cayce Clifford

But if Stoll is a cybersecurity amateur, few experts have had as much influence on the field. Stoll's fans in the industry point out how, in hunting his hacker 30 years ago, he pioneered techniques out of necessity that would later become standard practice.
Stoll slept under his desk at the lab and programmed his pager to alert him when the hacker logged into the network in the middle of the night. He also set up dozens of printers to transcribe every keystroke the hacker typed in real time. All of that added up to something like the first intrusion detection system.

When Stoll traced the hacker's intrusions to the Department of Defense's MILNET systems, an Alabama army base, the White Sands Missile Range, Navy shipyards, Air Force bases, NASA's Jet Propulsion Laboratory, defense contractors, and the CIA, Stoll was mapping out an intrusion campaign just as threat intelligence analysts do today.

When he planted hundreds of fake secret military documents on his network that tricked his hacker into staying logged into the Lawrence Berkeley system long enough for a German telecom employee to trace the intrusion to the hacker's location in Hanover, he was building a "honeypot"--the same sort of decoy regularly used to track and analyze modern hackers and botnets.

"The Cuckoo's Egg documented so many of the methods we now use to deal with high-end intruders," says Richard Bejtlich, a well-known security guru and author of The Tao of Network Security Monitoring: Beyond Intrusion Detection, who has worked on incident response and network monitoring at companies like Corelight and FireEye. "You can see in the book almost everything you need to do in an incident. The mindset, the thoroughness, the commitment to it.
It's all there."

Even before his book was published, Stoll's hacker-tracking work at Lawrence Berkeley National Labs inspired its sister institution, Lawrence Livermore National Labs, to try to develop more systematic, automated defenses against hackers. An engineer there, Todd Heberlein, was given a grant to build the world's first network security monitoring software.

"You could literally say that Cliff Stoll kick-started the entire intrusion detection field. We essentially automated in software much of what Stoll was doing," Heberlein says. "Once I had our tools turned on, we saw people every day trying to hack our network and sometimes succeeding. An entire crime wave was happening and no one was aware of it."

Eventually a version of Heberlein's network monitoring software was deployed to more than 100 Air Force networks, including the ones Richard Bejtlich found himself working on during his time in the military in the late 1990s. As a high school student, Bejtlich had been captivated by a paperback copy of The Cuckoo's Egg, and he reread it during that time in the Air Force. "Every element of what Stoll did, we were doing," he recalls.

Around 2010, when he was working as director of incident response for General Electric, Bejtlich says he read it again, and found dozens more lessons for his team. He'd later pull them together for a talk about those lessons, "Cooking the Cuckoo's Egg," that he gave at a Department of Justice cybersecurity conference.

Just as much as its technical lessons, The Cuckoo's Egg captures a deeply personal side of the job of hacker tracking too. The long hours, friction with bosses, federal agents who demand to be briefed on discoveries without sharing their own information, and tensions with loved ones--Stoll's then-girlfriend (now ex-wife) didn't always appreciate his nights sleeping under his desk to hunt an invisible white whale.

"There are still incident responders who sleep under desks and are awoken at weird times.
You're at the mercy of the intruder," Bejtlich says. "Anyone who has done this can relate to being away from the family and working crazy hours. It's completely familiar even 30 years later."

But there's a thrilling side to Stoll's story as well: an ideal for aspiring network defenders, many of whom hope to someday find themselves the protagonist in a detective story like the one Stoll wrote about.

"People who get into cybersecurity dream they'll work on something like this," says Chris Sanders, a security consultant who created a course based on The Cuckoo's Egg called "The Cuckoo's Egg Decompiled." "They imagine finding the thing that becomes the bigger thing. We all want to live that. Some live it and some don't. But we all get to live it vicariously through Cliff."

---------------------------------------------------------------------

Stoll makes and sells blown glass klein bottles that, topologically speaking, have only one side, with no inside or outside. Photograph: Cayce Clifford

That fantasy version of Cliff Stoll is hard to make out in the mad scientist, klein bottle-selling Cliff Stoll of today. But, it turns out, underneath 30 years of layered polymath whimsy, the obsessed hacker hunter is still there.
After he finishes giving me a tour of his workshop, Stoll sits me down in his cluttered dining room lined with books, including a full 20-volume set of the Oxford English Dictionary, one of the first things he says he bought with his Cuckoo's Egg advance. He starts reminiscing, telling a story about his hacker hunting that isn't in the book.

After Stoll helped German police trace the Lawrence Berkeley National Lab's hacker to an address in Hanover, they arrested the intruder--a young man named Markus Hess. The police found that Hess, along with four other hackers, had together decided to sell their stolen secrets to the Soviets.

What he didn't mention in the book is that he later met Hess in person. When Stoll was called to the German town of Celle near Hanover to serve as an expert witness in the case, as he tells it, he ran into Hess in the courthouse bathroom, coming face to face with the hacker he'd chased online for a year. Hess recognized Stoll, and began asking him in English why he had so doggedly pursued him. "Do you know what you're doing to me?" Hess asked, according to Stoll's 30-year-old memories. "You're going to get me sent to prison!"

Stoll says he simply told Hess, "You don't understand," walked out of the bathroom, and testified against him.

(That telling of events couldn't be confirmed with Hess, who has no contact information available online and hasn't commented publicly on The Cuckoo's Egg in decades.
Even Hans Hubner, one of Hess' co-conspirators at the time, told me he had no idea about how to reach him. Hubner also noted that his own primary motivation in hacking had always been exploration and technical discovery, not Russian money. He believes Hess, who was given a 20-month suspended sentence for his intrusions, likely felt the same.)

At this point in the story, Stoll becomes silent and his face twists into a pained expression. Slowly, I realize that he's angry. Then Stoll tells me what he really wanted to tell Hess: "If you're so smart, if you're so brilliant, make something that will make the internet a better place! Find out what's wrong and make it better! Don't go screwing with information that belongs to innocent people!" Stoll says.

He startles me by pounding his fist on his dining room table. "Don't think you're licensed to break into computers because you're clever. No! You have a responsibility to those who have built those systems, those who maintain those networks, who built the delicate software. You have a responsibility to your colleagues like me to behave ethically."

This is the other ingredient to Stoll's hacker-hunting obsession, and the same drive in so many others in the cybersecurity world who followed him--not just curiosity, but a kind of low-burning moral outrage. For Stoll, it seems to stem from a time few other internet users remember, a time before the World Wide Web even existed and when most denizens of the internet were idealistic academics and scientists like him. Before the hackers--or, at least, the criminal and state-sponsored ones--arrived.
"I remember when the internet was innocent, when it crossed political boundaries without a care, when it was a sandbox for intellectually happy people," Stoll had told me in our first phone call. "Boy, did that bubble burst."

He never imagined, 30 years ago, that the internet would become a medium for dark forces: disinformation, espionage, and war. "I look for the best in people. I want to live in a world where computing and technology are used for the good of humanity," Stoll says. "And it breaks my heart."

---------------------------------------------------------------------

Andy Greenberg is a senior writer for WIRED covering hacking, cybersecurity, and surveillance. He's the author of the new book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. His last book was *Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most...