Invisible Intruders

Command Line Heroes Team
Security
Tech history


About the episode

What began as a supposed accounting error landed Cliff Stoll in the midst of database intrusions, government organizations, and the beginnings of a newer threat—cyber-espionage. This led the eclectic astronomer-cum-systems administrator to create what we know today as intrusion detection. And it all began at a time when people didn’t understand the importance of cybersecurity.

This is a story that many in the infosec community have already heard, but the lessons from Stoll’s journey are still relevant. Katie Hafner gives us the background on this unbelievable story. Richard Bejtlich outlines the “honey pot” that finally cracked open the international case. And Don Cavender discusses the impact of Stoll’s work, and how it has inspired generations of security professionals.


Transcript

I know. I know. Yeah, I've got it with me. Okay, just ducking into the subway. See you soon. Oh, great. 20 minutes before the next one. Carol waits on the freezing subway station, alone. Out of habit, she scans her phone, no signal. Looks in her bag, there's the thumb drive. After months of back and forth with a reluctant source, Carol finally has the incriminating evidence she needs to win her case. What's in her bag proves it all. Carol looks to the opening elevator door. No one comes out. Strange. She takes a few steps backwards and looks down the rest of the platform. Anybody there? Hello? Is somebody there? Clutching her bag ... Hello? ... Carol starts to make her way to the stairs. She can hear someone. She just can't see them. What do you want? No! No! An invisible force ... Who are you? ... Grabs her bag ... What are you? Stop. Come back. ... Wrestles it from her grip. No. Somebody help me. The thumb drive with all those crucial secrets disappears. The ability to turn invisible to roam without being noticed has profound consequences. It opens the door for all kinds of crimes. After all, the rules change when nobody knows you're there. Suddenly, the risk factor drops away. Forbidden places, forbidden actions, they all start to look inviting. I'm Saron Yitbarek, and this is Command Line Heroes, an original podcast for Red Hat. This season, we're exploring the great security crises of the digital age and we saved one of the wildest stories until now, the tale of a hacker who crept unnoticed into some of America's most valuable computer systems. They snooped wherever they wanted because they believed nobody would ever see their movements, nobody would ever track them. It was a perfect plan, unless someone found a way to begin seeing the invisible. It's the 1980s, the internet as we know it really doesn't exist. There's ARPANET and it was in some ways, fantastic. In other ways, really innocent. 
It was like a neighborhood where people feel really safe just keeping their doors unlocked. Katie Hafner is a journalist and author who's been writing about technology and hackers since the '80s. 40 years ago, she reminds us, computer networks were just beginning to grow and security was not top of mind. Logins and passwords were a formality. The ARPANET was being built, after all, to help people connect and unwanted intruders were ... Back then really kind of a stunning, even, notion that someone would want to break into a computer. In the midst of that innocent ARPANET age in 1986, an excitable astronomer named Cliff Stoll was looking for work. While waiting for an astronomy job, he found himself a gig as a system administrator at the Lawrence Berkeley Lab in California. He'd help them run a dozen mainframes that scientists logged in to use. Stoll chose a desk in an unventilated windowless office in the basement, hoping nobody would notice him. There he was, and he'd been asked to look into this small accounting discrepancy. Hundreds of scientists paid to use those mainframes and the accounting logs at Berkeley Lab showed that for the first time ever something didn't add up. Stoll's boss had found that 75 cents were missing. An ordinary person might have assumed it was some kind of rounding error and moved on. Stoll, though, wasn't ordinary. 75 cents couldn't just go missing. He started scrolling through the list of users and hours later found one that didn't have a valid billing address. He deleted that user from the system. Now, this is where most people would go for lunch, forget about the whole thing. But this discrepancy didn't sit well with Stoll. He decided to watch the system more closely. He programmed his terminal to beep whenever somebody logged on to one of their computers. Every few minutes, Stoll heard a beep and ran over to see what username was being typed in. 
He asked his boss about one name that kept coming up, Sventek, and his boss found that odd because the user behind that name, Joe Sventek, was away that year. Sventek hadn't even been a user at LBL for a while. So if Sventek wasn't around anymore, why was Sventek logging in? And then he realized that it was somebody who had basically taken over Sventek's account. Someone was using Sventek's identity to gain access to the lab's computers. But who? And why? Stoll was determined to find out. He started monitoring the intruder's activities more closely, logging everything they did. He was just fascinated by this puzzle. Here was this guy who was supposed to be figuring out stellar formations and instead he's chasing a hacker. Stoll's curiosity got the better of him. Instead of simply blocking the intruder, he decided to watch and learn. He wanted to understand what the hacker was after and how they were getting in. It's important to remember that this was completely uncharted territory. There was no playbook for dealing with computer intrusions. Stoll was making it up as he went along. What Stoll discovered was that the intruder wasn't just poking around his lab's systems. They were using Berkeley as a stepping stone to access other computers, including military systems. The hacker was systematically searching for information about nuclear weapons, satellite data, and other classified materials. The hacker was very methodical. They would search for files with keywords like 'nuclear' or 'strategic' or 'SDI' - the Strategic Defense Initiative, which was Reagan's Star Wars program. Stoll realized he was dealing with something much bigger than a simple computer break-in. This looked like espionage. He started keeping detailed logs of everything the intruder did, creating what was essentially the first intrusion detection system. 
Cliff would sit there with his printer just churning out page after page of logs, and he would go through them line by line, trying to figure out what the hacker was doing. But monitoring wasn't enough. Stoll needed to trace the intrusion back to its source. This was incredibly difficult in the 1980s when networks were less sophisticated and international connections were limited. The internet wasn't the internet that we know today. It was mostly universities and government labs connected by phone lines. Tracing a connection meant calling up system administrators at different sites and asking them to check their logs. Stoll became obsessed with tracking down the intruder. He would stay up all night, monitoring the systems, following the digital breadcrumbs wherever they led. His girlfriend at the time, Martha, would bring him coffee and food to keep him going. He was completely consumed by this hunt. It took over his life for months. He would get calls at all hours of the night when the hacker logged in. Meanwhile, Stoll was trying to get law enforcement interested in the case. But this was 1986, and computer crimes weren't well understood. The FBI wasn't sure if they had jurisdiction, and local police didn't know what to do with computer break-ins. Nobody knew how to handle this. Computer crime wasn't really a concept yet. There were no laws specifically dealing with computer intrusions. Stoll was essentially pioneering the field of computer forensics. Frustrated by the lack of official response, Stoll decided to set a trap. He created a fake file containing information about a fictional military project and made it look enticing to the hacker. This was one of the first honey pots ever created. What Cliff did was absolutely brilliant for its time. He created this fake file about SDI, the Strategic Defense Initiative, and he made it look like it contained classified information about nuclear weapons. 
Richard Bejtlich is a cybersecurity strategist and author who has studied Stoll's techniques. The honey pot was designed to keep the hacker online long enough to trace the connection back to its source. The idea was that if the hacker found this file interesting enough, they would spend time downloading it. And while they were downloading this large file, Stoll would have time to trace the connection back through all the different network nodes. The trap worked. When the hacker discovered the fake file and started downloading it, Stoll was able to trace the connection back through multiple networks and international gateways. The trail led all the way to Germany. It was an incredibly complex process. Stoll had to coordinate with system administrators at universities and military bases, phone companies, and eventually international telecommunications providers. Remember, this was all done manually, with phone calls and paper logs. After months of investigation, Stoll and the authorities were finally able to identify the hacker. It was a young German named Markus Hess, who was part of a group selling stolen information to the Soviet Union. Markus Hess was not your typical hacker. He wasn't doing this for the intellectual challenge or to prove a point. He was doing it for money. The Soviets were paying for Western military secrets, and Hess was happy to provide them. The revelation that foreign agents were using computer networks to steal military secrets sent shockwaves through the U.S. government. This was during the height of the Cold War, and the implications were enormous. This case really opened people's eyes to the vulnerability of computer networks. Up until then, most people thought that physical security was enough. If you controlled access to the building, you controlled access to the computers. But Stoll's investigation proved that hackers could access sensitive systems from anywhere in the world. 
Geographic distance was no longer a barrier to computer intrusion. The case also showed that computer security wasn't just a technical problem - it was a national security issue. This wasn't just about protecting academic research or business data. It was about protecting military secrets and national defense capabilities. Stoll's work didn't just catch one hacker - it helped establish an entire new field of cybersecurity. His techniques for monitoring network activity, creating honey pots, and tracing intrusions became standard practices in the industry. Cliff Stoll essentially invented intrusion detection. Before his case, the standard response to a computer break-in was to change passwords and hope it didn't happen again. Stoll showed that you could actually monitor and track intruders in real time. The case also highlighted the international nature of computer crime. Hess was in Germany, but he was accessing systems all over the world. This showed that cybersecurity would require international cooperation and new legal frameworks. The legal aspects were really challenging. How do you prosecute someone in another country for crimes committed against computer systems in the United States? These were completely new questions that the legal system wasn't prepared to handle. Stoll documented his entire experience in a book called "The Cuckoo's Egg," which became a bestseller and introduced the general public to the world of computer hacking and cybersecurity. The book was incredibly important because it made cybersecurity accessible to a general audience. Before that, computer security was mostly discussed in technical journals that only specialists read. The book also inspired a generation of cybersecurity professionals. Many people working in the field today cite Stoll's story as the reason they got interested in computer security. It may have begun as a puzzle, but Hess was not alone over in Hanover. He was actually part of a club of hackers. 
They are the ones who brought him into their little hacking ring. They had met up with some Soviet—you know this was back in the 1980s when the Cold War was really in full swing and there was a lot of worry about what could happen with classified information. Don't forget that this was in the era of Star Wars, and so the Soviets would've wanted any information they could get about that. So Hess found himself hacking for info that could be sold to the Soviets. They pulled him into it. Hess was different from the rest of the hackers though. It bears emphasizing, he was a Unix guy. The other hackers didn't know Unix and this mattered because the Lawrence Berkeley Lab was running on it. So when that hacking ring brought on Markus Hess, one of the unintended consequences was that somebody was now in a position to break into the very lab where Cliff Stoll had come to work. Six months after Stoll was told about that 75-cent discrepancy in his lab's accounting, the German police arrested Hess along with others from that hacking ring. Stoll flew to Germany to testify against him. Hess was found guilty of espionage and given a 20-month suspended sentence. Something vital had been proven. Cliff Stoll showed the world that sensitive government secrets were vulnerable to computer hacks. A whole landscape of international digital espionage snapped into focus. The FBI, the CIA, every agency was finally paying attention. And that's when people, well, started to get serious about building better defenses. Today, intrusion detection systems and honey pots, like the one Cliff Stoll made, have become part of everyday security. But we have to remember what a breakthrough these concepts really were. A friend that was working in cyber recommended it to me, read this book. And I was immediately hooked. Don Cavender is a retired FBI cyber agent, and he's talking about the book Stoll ended up writing. Stoll's story has helped shape the entire field of security. 
It's amazing that his book is still one of the top recommended reads for somebody new coming into cybersecurity, and he had no cybersecurity background whatsoever. The firewall hadn't been invented yet. So there was no perimeter security at all. There was no type of network security at the time. Stoll had to figure it all out on the fly. Cliff Stoll not knowing any better, what he did was he let the guy in, he kept him online, he kept the hall open, he monitored everything, worked on tracing things back and would reach outside of the lab. Basically make noise, trying to tell the right people what's going on. He went totally against what everybody else was doing at the time in network security. But after Stoll's work, the field began to evolve. For one thing, we realized that in a networked world, everybody has to take part in making things secure. Just because you don't think anybody wants what's on your computer doesn't mean you can't be a gateway to something more sensitive. This is something that can actually happen. If you're vulnerable, you could be used as this jump off point on the way to somewhere else. Authorities eventually learned that Markus Hess had broken into 400 US military computers. Beyond that awareness of our shared danger though, Stoll also showed that cyber criminals are always going to make use of brand new possibilities, brand new vectors of attack. That means security teams have to be constantly reinventing their jobs. They have to stay creative. Now we use more sophisticated means to kind of trace back those types of communications, but he used what he had at his disposal at that time, which was a lot of creative thought on his side. Cavender said he was inspired by Stoll's story, and he wasn't alone. In researching this episode, we heard from many people in security who also read The Cuckoo's Egg and felt called to the world of digital security that people like Stoll were just beginning to uncover. 
That may be his greatest legacy, not just the technical tricks he thought up, but the philosophy that a single person can use the tools at their disposal to make the world a little more safe. I'd say there's a whole industry full of unsung heroes out there that will never get recognized that are day to day saving civilization through their efforts. At the trial in Germany, one of the arrested hackers told the news cameras "At the beginning, I wasn't thinking of anything. I was just sitting there hacking." At another point, Cliff Stoll says when he ran into one of the hackers in the courthouse washroom, the hacker complained to him that his life was being ruined. Stoll could only shake his head. It seemed like none of these guys understood the severity of their actions. Like the horror film character, The Invisible Man, those hackers thought they could snoop and steal without any repercussions, that they would never get caught. But some of the foundations of our intrusion detection systems were invented by Stoll right as their hacks began. I'm Saron Yitbarek, and this is Command Line Heroes, an original podcast from Red Hat. Next episode, it's our season finale. We've got the tale of a little program called SATAN, that's honestly its name. And like the biblical Satan, this particular program managed to create a lot of chaos once it was unleashed. You'll want to hear how that drama plays out. Subscribe, follow wherever you get your podcasts. And until then, keep on coding.

About the show

Command Line Heroes

During its run from 2018 to 2022, Command Line Heroes shared the epic true stories of developers, programmers, hackers, geeks, and open source rebels, and how they revolutionized the technology landscape. Relive our journey through tech history, and use #CommandLinePod to share your favorite episodes.