Hacked - The Jaeger
Episode Date: November 24, 2020
Jordan Bloemen & Scott Francis Winder discuss the man himself, Clifford Stoll. If you like the show and want to make sure we can keep making it, please subscribe and, if you can, visit https://www.patre...on.com/hackedpodcast and show us some love. Also, don't forget to check out our loving sponsor Proton VPN. Visit protonVPN.com/hackedpodcast for 33% off a 2-year plan. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
So this is about an astronomer.
Astronomy.
Who in 1986 had just lost his funding.
And Clifford, the out-of-work astronomer, takes a job at the lab where he'd been doing his research.
They needed someone to run the lab's computers.
He gets settled into his office, this small, unventilated cubicle, when the main guy in charge, this guy named Dave Cleveland, walks in.
The lab makes money by renting out computer systems, and Dave comes in holding, like a report of the usage, essentially a bill.
The end of that particular month, we had 75 cents left over in charges that we had no one to bill for.
And that was very frustrating because our programs, our accounting programs, were very accurate.
And we knew it wasn't a rounding problem or something like that, or an arithmetic error.
We knew we didn't have someone to charge the 75 cents to.
And what happened to that person?
Where'd they come from?
Where'd they go?
And it opened up a whole can of worms.
75 cents.
75 cents.
To Cliff, like a big discrepancy in the bill was going to be easy to find, but 75 cents was sort of like a fun challenge for a...
Yeah, sure.
It's a tiny amount.
Yeah.
So first, Clifford writes a test program to make sure that the accounting system was working properly, which it was.
Then Clifford decides to dive into the list of names, account numbers, and charges.
And one of them stands out at him.
One account doesn't have an account number associated with it and has used exactly, or at least, 75 cents worth of computer time.
It seems like an obvious place to start.
Seems like a pretty obvious place to start.
The account's name is Hunter.
So Cliff shuts down Hunter's account.
Done.
Right, we're done here.
All right. Hunter's disabled.
75 cents, nullified.
Move on, write it off, get that tax break.
So the next day, Clifford gets a message from a computer in Maryland,
codenamed Dockmaster.
And it turns out that someone had tried to break into Dockmaster's system,
and the attack was launched from Clifford's lab.
And the second day on the job, Clifford is tasked with hunting down the culprit,
codenamed Hunter.
The German word for hunter is Jaeger,
which is also this like small bird,
with this really distinct predatory behavior known for intruding on other birds
and lurking around a nest where it's not welcome and launching these little attacks.
Sounds appropriate.
So this is that story.
The story of the three years that followed,
which saw this sort of mild-mannered astronomer,
embarking on one of the first cases of cyber forensics, looking for this new type of criminal.
A hacker sneaking into military computers, stealing secrets.
As a scientist, it was bewildering.
But in the end, it was science that showed the way out.
Let me tell you what happened.
This is the Jaeger.
Here on Hacked.
Used to be that computers were isolated.
Big computer here would solve one problem.
This computer would solve another.
Now, though, we share data from one scientist to another.
And that means we need to network our computers.
We need to send messages from one system to another, yet to another.
Those computer networks form communities,
form neighborhoods where one system sends information to another.
And it's not just the computers that form the communities.
The people using them are in one large neighborhood as well.
Our networks are like a new kind of highway system.
Once you get on a network, you can travel around the world.
All you have to do is find a computer's network address and then call it up.
You type in your account name and then your password.
The password's usually not displayed to keep it secure from somebody looking over your shoulder.
If you're legitimate, it invites you in.
You can even dial up a network on a telephone line with your home computer.
It all works great until somebody, a hacker, tries to break in where he doesn't belong.
That's the world we live in now.
So a lot of listeners might know this story.
Clifford Stoll, the guy that it's about, wrote a very popular book about it called The Cuckoo's Egg.
Which I read.
You read that?
I read it in like the 90s, though.
Then you know this story.
Crazy.
I don't even remember the book, but I know I read it.
Have you seen the PBS doc?
No.
Oh, it's good.
Is it?
It's really good.
We got a lot of the archival material in this episode from that documentary.
Sick.
He's given a lot of interviews.
So a lot of people have maybe heard this story.
I hadn't heard this story.
You apparently had.
But I just thought it was a pretty fun story.
And since I'd never heard it,
figured a lot of people hadn't.
I read this book when I was a formulating young cybersecurity nut.
There's a lot of bad acting in this movie.
I can tell.
You can tell.
By the audio takes.
So.
No offense, if this makes it into the episode.
I'm sure you're all great, distinguished actors.
They all went on to have established acting careers.
The best part about it, though, is that, like, when we hear from Dave Cleveland,
that's actually Dave Cleveland taking part in that PBS documentary.
When we hear from the secondary character, that's the real person.
Because they were all really excited to be in this movie about this really cool thing they had just done.
Cool.
So, it's lunch the next day, and Clifford has a lead on the culprit.
There's only one user connected from their lab to Dockmaster at the time of the break-in.
Someone named Sventek.
Sventek?
Oh, that's impossible.
Joe Sventek is a professor down at the university here,
a well-known computer scientist.
He's worked here for years.
A lot of us know him.
He's not the type of guy to break into a computer.
Besides, he's so good, we probably wouldn't have caught him if he had decided to break in.
Wow.
Yeah, I know, right?
We probably wouldn't have caught him.
So, Sventek, this real username belonging to a real person who his boss is, like, certain isn't behind the attack.
And Clifford figures out that, oh, a student must have stolen this professor's login.
And Cliff decides I'm just going to teach this little punk a lesson.
He sets a trap.
He gets the hacker on the line.
I programmed my terminal to beep whenever anyone logged into the lab.
And Clifford just watches as hundreds of people connect and disconnect from the lab's computers.
And at 12:33 in the afternoon, it beeps for like the hundredth time.
And the username Sventek is back online.
All he'd left was a terminal number.
The line that he'd used to enter the lab's computer system.
So Clifford figures out the line that this person is using to log in as Sventek.
Sure, the terminal ID.
So Clifford goes to talk to a guy in the office named Paul Murray.
Snaking all through the astronomy lab is just miles and miles of cables,
and Paul is the guy who oversaw all that physical infrastructure.
And Paul confirmed that the person using Sventek's account was coming in from outside the lab,
coming in through one of the 50 phone lines running in.
And Paul has one of the wildest ideas ever to figure out who it is.
Attach a printer to each line and print out every call that came in.
Great.
So Cliff liberates 50 printers from around the entire university,
and he connects one printer to every one of the 50 phone lines coming into the lab,
and he tells them to print out the login info of every single person from around the world
that connects to their laboratory.
The next day he comes in, and he finds 80 feet of printouts documenting every single login by username. He starts by hand parsing through the logins. And Clifford discovers that his intruder isn't just passing through the lab's computers. Looking at the actual traffic, he's like actively looking around on their system.
So he wasn't just printing out the login information. He was printing out every console command being executed too?
That sounds correct. I'm assuming that is what happened. That's what I would do in a pre-Excel world.
Sure. He's opening stuff and he's mucking around in files that the Sventek account shouldn't even have had the ability to look at.
So now we have this new question.
How is he getting access to this stuff?
He not only could read any file in my whole system, but he could change any of them.
He could erase any of those files.
I love those reads.
Man, really bringing it home for me.
So the question now is, how has this fake Sventek done it?
How has he gotten this sort of like admin access, essentially?
Yeah, let's call it super user access, or root access.
So it turns out that the lab had this kind of like crude early mailing system. And essentially if you wanted, say I wanted to send you a file, I just renamed it your username, or I renamed it with your username somewhere in the file, and it would just move it over to your account. The way that you would transfer files was just by renaming them and they would jump over to this other person's profile.
That sounds like a grotesque security vulnerability.
Yeah, it sure does. And the hacker figured it out, and he figured out that you could use that system to send files not to, say, Scott, but to root, to the systems area that ran the machine, which apparently is called root.
And the systems area had this routine, also super duper secure, that basically said, hey, just run all of the local maintenance software every five minutes.
So he transferred in a new maintenance file that does whatever he needs, or a new maintenance, you know, command list.
And it just says, make Sventek the admin.
Perfect.
Waits five minutes.
It runs it.
It's called cron, too, the scheduling system, just so you're up on the names.
Root is the super user and cron is the scheduled maintenance.
Huh.
So a cron job.
So he added a cron job for something.
And that cron job was probably to make him super user.
Huh.
So the cron job runs?
The cron job runs.
The cron job runs.
He now has this super user access.
He uses it to immediately go in and change the accounting records to delete any record that he was over there.
Clean up his history.
Like all good hackers?
A little bit like brushing away your footprints as he walked down a street.
And the only way that any of this ever got launched off was because he just like mucked up and forgot to remove one 75 cent usage charge.
So most consoles, so when you terminal into a computer, the shell that you use, the shell is the thing that you type commands into and they execute on the remote computer.
Most shells keep a history file of all the commands run.
So a common practice to clean up after yourself is to delete your history.
But if you're really good, you'll actually just manufacture a fake history so it doesn't look suspicious.
I don't think this guy was quite that good.
Well, he was early days.
This is true.
None of that stuff had been cooked up yet.
Yeah.
By the time you're getting into this, there's already books about what this guy was doing.
Exactly.
Interesting.
So Cliff decides the only way he's going to find this guy is if you can do a trace.
And in order to be able to do the trace, he has to identify when the hacker is logging on.
And he has to do that without 50 printers and an army of people parsing over every single thing that they print out.
He needed to kind of cook up this solution.
Well, it's interesting to me because some of the primitive Unix commands are whois and whoami and, like, who.
And who is like a classic command to say who's online right now.
So it would be pretty easy to schedule a task to constantly look at who.
And when you find the username you're looking for, execute something, be it a notification or what.
It's funny, you should say that.
So Clifford decides he's going to invent this alarm system that ends up working out a lot
like what you just said.
One that's going to alert him every time Sventek, and only Sventek, logs in, any time of day,
which does sound kind of simple until you remember that Clifford couldn't connect to the
lab from home because home internet.
Dial in back then.
Back then.
You'd be able to dial it.
You'd have a terminal at home and you'd literally plug your phone into two sockets.
and it would send audio signals back and forth.
Damn.
Cliff didn't have that, I guess.
Well, other people had it to connect to Cliff's lab,
so it's weird that the admin didn't have that.
Yeah, I wonder what the...
It's funny to consider that this is just an out-of-work astronomer
doing all of this as part of his, like, lab maintenance job.
Some of the solutions he had to come up with,
I sense, are a little bit more rough and tumble
than what someone else might have been able to do at the same time.
Sure.
Yeah.
So Clifford and a colleague write what he described as this, it's kind of what you just described.
It's a simple program that just monitors all the traffic coming in,
filtering for the appearance of a single text phrase.
Totally.
Sventek.
Sventek.
He called it in the documentary a logic analyzer, which I feel like.
Sure.
Yeah.
Logic analyzer being there's logic.
If username equals Sventek, then do X.
Then, yeah, there's logic in there.
So then he goes out and he buys a $99 electronic dialer from, like, Radio Shack,
which he connects to the system.
Which they don't make anymore.
No?
Not really.
I guess I don't really know what you'd use it for.
They used to just dial numbers.
You program them to dial numbers.
They use like those telemarketers.
They use them now.
They exist.
They're just software now.
Huh.
Well, he programmed it to call a phone in the office.
Actually, you remember the Zoom episode?
Autodialer.
Same thing.
Oh, okay.
Sure.
So he's got the auto dialer,
and it's looking for the text phrase,
Sventek.
The auto dialer is looking for the text?
No, the logic analyzer.
There you go.
Okay.
And then it's 1986, so he goes out and he buys himself a pager.
And strung together, the moment the hacker logs in using Sventek's info,
the term Sventek appears in the traffic, which trips the logic analyzer,
which dials the number of the phone in the lab, which pings his pager.
Beautiful.
It's pretty sweet.
When the hacker called, I was waiting.
So when the hacker calls, Clifford's waiting, and he runs up to the lab and he does a phone trace.
And after like a handful of tries of getting this call running over to the lab,
which I guess he was within running distance of
and not making it in time.
After a couple of these, it works.
And Cliff does the trace and he's able to follow the traffic.
Do you want to guess where it was?
Somewhere else in the building.
There was an army base.
Oh, perfect.
Same guy who logged into my computer as Sventek
was logging into an army computer under the name Hunter.
Same guy who caused that 75 cent accounting imbalance.
Once he got into this army computer,
I could see him searching their database, looking for military information, looking for stuff about their missile plans. Weird stuff was happening here.
And so what did Cliff do? He called the Army.
What are you going to do? Call the Army!
This movie's too much.
It's so good, man. Clifford calls the Army after this break.
Think about the last time you heard a breach story on this show. It always starts the same way.
Someone, somewhere, saw something too late. An alert buried.
A signal missed, a SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI.
They created the Aurora superintelligence platform, a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy.
And all of this is running on their secure operations graph,
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week
and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven decision
reflects your environment instead of generic assumptions. The automation frees your
concierge security team to focus on higher value strategy and proactive risk reductions
while the agents handle the grind. If you want to see what trustworthy, production-ready
AI in security operations actually looks like, go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their
head. Organizations around the world saw headlines they never expected and cybersecurity
teams were tested like never before. But here's the thing. These incidents aren't just
news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a live
webinar on February 5th diving into the most impactful breaches of 2025. Their field CTO and
security leaders are going to unpack not just what happened, but why these attacks succeeded.
And most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights into how threat actors are evolving, how defenders are
responding, and what strategies can help you stay ahead of the next big breach. It's not fear mongering.
It's practical, actionable intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
Scientists use the networks to connect to other labs and universities.
But you could also connect to a network of unclassified military computers over something called the MILNET.
That's what the hacker did.
So there's this recurring motif in this story where every time Cliff hits a dead end,
he goes back to that network traffic.
Following the hacker as he moves around from system to system, which apparently he could do.
I guess he could watch the hacker, maybe because he's using their computer to keep going
and do other stuff.
The traffic is somewhat visible.
I don't really understand how that works.
He can see this stuff in his world pretty easily.
And I think he's somehow seeing this stuff after the guys come into his network.
Oh, yes.
Yeah.
So if he's passing through his lab onto other people's computers, he would see that.
Yes.
Yes.
Now that we're all summarized and clear.
So Clifford is watching this hacker kind of lurk around, this time on the MILNET.
When he got onto the MILNET, he tried to get into one computer after another.
He didn't do anything fancy.
He tried standard account names and passwords.
All new computers are supplied with them.
You're supposed to replace them, but people forget, even on military computers.
Sounds like a common problem that still exists today.
Some things truly do not change.
That was what, almost 34 years ago?
Yeah.
Yeah.
The concept of usernames and passwords is brought up as like a novel context in this story.
Like if you're watching the docs.
It wasn't just a phone number.
No.
So he'd find a new system and he'd try those default usernames and passwords,
kind of whatever they came preset as, whatever they were in the box.
And roughly speaking, one out of 10 machines were using those default usernames and passwords.
A ratio that has probably changed.
Probably not.
But not by that much.
The weakest link theory, you know?
One out of ten.
Once you get into one, typically you can find other ways to get access to the other nine.
So once he's in, he'd set up a phony account using one of essentially four usernames.
Hunter, Hedges, Jaeger, Benson,
over and over again.
Hunter, Hedges, Jaeger, Benson.
Some strong names.
Clifford watched the names appear over and over again: Hunter, Hedges, Jaeger, Benson.
So he takes these four words, and he goes to someone named Maggie Morley, the lab's librarian.
The words he was interested in were Jaeger and Benson and Hunter and Hedges.
The name Jaeger pinged for her for two reasons.
First, Maggie is a Scrabble player, borderline pro level.
And one time, she played Jaeger and she landed that J on a triple word score.
Damn.
Yeah, I'm pretty sure she messed up that other Scrabble nerd.
But it also meant something else.
Jaeger, I also knew, was a kind of bird which harassed other birds,
causing them to drop the food from their beaks.
And it's also a German word meaning hunter.
Jaeger and Hunter.
So he's a German.
That's two of the usernames.
As for Hedges and Benson.
Benson and Hedges is a smoker.
He's a German smoker.
We figured it out.
They have two clues.
He has the Jaeger,
which implies that he's German,
and the cigarettes,
which implies cigarettes.
And he follows this trail for a little bit.
But the next big break in the story
comes from a collaborator of Clifford's,
this guy named Ron Vivier.
Ron Vivier worked over in IT
over at a company called Telnet,
and he's watching this hacker move around
on the network as well.
And Ron Vivier calls up Clifford and he tells him he's traced the hacker from Cliff's lab to his lab in Oakland to telephone lines at Pacific Bell's exchange.
And Bell won't agree to give them any information unless they go get a warrant.
So Cliff calls up to Oakland DA and he gets a warrant.
And Bell agrees to trace the number.
Did you ever do any phone finagally hacky stuff?
Maybe.
Back in the day when servers had dial-in modems, and you could literally just auto-dial until you received a computer signal.
So you'd be sitting at home at night and your phone would ring, and you'd pick it up and say hello, and then you'd hear a modem chirp at you.
Back in the day, you used to be able just to use an auto-dialer and dial blocks of numbers used by companies, used by anything.
And you'd only get a ping back when you hit a server.
It would hang up on everybody until it got a computer signal.
And then it would pop up on the terminal and be like, here's a computer.
Huh.
So cool thing about phone tracing.
Cool thing.
And I'm sure it's all automated now.
But I guess back in 1986, doing a phone trace involved like a technician following the call by tracing it from one phone company's towers to the next,
calling up technicians at those companies doing this massive cooperative, like surveillance dragnet operation.
Yeah, you'd be tracing the copper connections back.
You have all these operators on the line at the same time
until you've traced the call back to its original source.
And this big cooperative mission manages to trace the call
all the way back to the East Coast, Virginia.
So they've got a technician in Virginia with this information,
the location of the hacker,
and the address where the phone connection terminates.
And they've got a search warrant.
And they hand that search warrant to the technician,
and she looks at it and she says,
I'm in Virginia, and this is a search warrant from California.
And Clifford
says, oh no.
Oh, no.
You're really leaning into this acting.
So we find Clifford, having followed the hacker
all the way back to Virginia at this very abrupt
dead end.
Because they can't execute the search warrant?
They can't execute the search warrant.
So they need to get the FBI.
This is going off for months, by the way,
and I have no idea if Clifford has, like, any other job at this lab.
He's just dedicated his life to tracking down this one person who's using 75 cents worth of extra computing power.
He dedicated like six months and then kind of almost three years to doing this.
The economic benefits are just shining through here.
He did write a book and you did read that book.
I did read that book.
We're talking about it.
That's true.
So yet again, Clifford goes back to watching this hacker, watching this person lurk around on this network.
And they're digging around on some systems operated by the CIA.
And they're looking up like CIA staff information, addresses, phone numbers, like really privileged information.
So Clifford calls up the CIA, and the CIA flies to him, pays him a visit, and they look
over the whole thing, learn the whole story thus far.
The story of this guy looking at their agent's information, they decide, well, this is none
of our business, because domestic surveillance apparently wasn't their prerogative.
Yeah, it still isn't, I don't think.
And they just didn't really understand, I think, what they were looking at.
They must not have.
No.
Because I feel like protecting their information should be a key tenet of what the CIA is.
You'd think, right?
And if you want good confirmation that these sort of agencies didn't really understand what they were looking at, the FBI didn't care either.
This is 1986.
They saw a 75 cent discrepancy and decided it wasn't worth their time.
This is astronomers in labs.
They don't care about computers back then.
No.
So Clifford goes back to his method.
He starts parsing through all that information again.
So I had to rely on what I knew best.
Doing science.
God love science.
And science led Clifford to Kermit.
Kermit.
So he's a German hunting, smoking frog?
Not the frog, a piece of software.
So Kermit apparently was a computer file transfer protocol used back in the 1980s.
And the hacker was using Kermit to grab and move files around the network.
Right.
And Kermit would send a little packet of data and then would wait.
And when the hacker would get the packet, the software would ping, cool, got that data.
And then the next transfer would start.
And Clifford has this idea concerning that little window of time between when the packet is sent and when the confirmation ping comes back.
So he hijacks it.
He hijacks it.
Brilliant. Man in the middle.
If I could measure the delay time between each reply, then I could calculate how far away the hacker was.
So Clifford runs this experiment.
It's smart. He's a pretty smart guy. There's one funny thing he gets very, very wrong later in life,
but this is all very, very smart.
Later in life? Not in this investigation?
No. In this investigation he messes up something huge in his personal life. Catastrophic. He gets one thing wrong, and he admits
he gets it wrong. Anyway, Clifford runs this experiment, and he watches as the hacker transfers a file,
and then he counts, waiting for the ping. One Mississippi, two Mississippi.
I'm sure he used science to count it out.
Are you?
Actually, no.
And it takes three seconds round trip from Berkeley to wherever the hacker is and back.
And moving at the speed of light across these cables, that is, fun fact,
280,000 miles away.
As physics goes, the hacker was on the moon.
Or he was just routing through so many networks.
And at this point, Clifford figures that out.
Figures out there's relay stations.
The signal has to ping through that add a little bit of delay each time.
So they take this different approach.
And he performs a new experiment.
And what Clifford does is he connects from Berkeley to other systems around the country, transfers a file, and then measures those delay times.
First, Berkeley to L.A., quarter second. Berkeley to Iowa, like three quarters of a second.
California to Boston, second and a half. But none of those are anywhere close to the three-second
delay he's watching with his hacker, which means the hacker is somewhere much further away.
Crossing an ocean, maybe. Maybe.
Smoking cigarettes in a dark, mysterious room with a jagged haircut and a long trench coat.
Because the trail ends in Virginia, but it can't end in Virginia. It has to just be one stop on the way to this guy in the trench coat smoking these
Benson & Hedges.
I mean, do it.
So right around this time, a DA in Virginia gives them a warrant
to find out where their original phone trace ended. And it turns out that his ping theory is correct,
that the hacker had just been sort of passing through, breaking into a system in Virginia as another
node in this big relay to cover his tracks. Luckily for Cliff, the machine that he had infiltrated
in Virginia wasn't owned by a university. It was operated by a
company in Virginia called MITRE.
He broke into MITRE and then he dialed straight back out again.
Which is probably where this would have ended.
If it wasn't for the fact that MITRE, which is in Virginia,
is just miles from Langley,
headquarters of the CIA,
who were a big client of MITRE's.
Suddenly a bunch of clues kind of converge.
First, the authorities finally get interested
because it's not about 75 cents.
It's about a guy that they can see
is mucking around in their system.
Which I wonder why they cared this time,
but not the first time, but that's on the CIA to answer.
Second clue, Clifford's pager goes off again,
and the hacker is back active on their system.
So he runs up to the lab, and he runs this trace.
Traces his hacker to Port 14.
And he finds...
Cliff, are you sure this is the same guy?
Yeah, I'm sure it's him.
Okay, I've got his network address locked on,
but he's coming in from somewhere strange.
Like where?
He's coming in from outside Tymnet.
He's coming in on a circuit that's owned by the International Telephone and Telegraph company.
The hacker was coming in from abroad, West Germany.
And suddenly the username makes sense.
Jaeger, the German word for hunter, the delay time, three seconds.
It all kind of clicks together for Clifford.
Zhe Germans.
He said Germans.
So Cliff calls up the German telecom that the hacker's on,
and the company quickly traces the hacker back to Hanover.
He's in the hacker's backyard.
He's getting really, really close to this guy.
Great town, Hanover.
Yeah, you bet.
A little bit of telephone line trivia for Hanover.
Back in the 1950s, when Hanover built a lot of the telephone infrastructure, they used like old rotary switches, which worked fine.
But it did mean that if you wanted to do a then modern trace, you had to test every single one of those switches by hand, which took a lot of time.
And time is a really big problem because at this point, finding the guy was like a classic, we got to keep the bad guy on the line type problem.
Sure.
Tracing the call on rotary switches could take up to an hour,
but the hacker was only ever passing through Clifford's system
on the way to juicier military stuff on the MILNET.
For weeks it went on like this.
Time after time, the hacker would log on for five minutes or less
and then disappear.
There was never anything there for them on Clifford's network.
So what do you think Clifford did to keep the hacker on for long enough to trace him?
Talk to him.
That's what I'd do.
Yeah.
He kind of did that.
Either that or I'd set up like a real juicy file transfer.
Cliff's at home talking with his then-girlfriend Martha and her roommate when they come up with this idea.
If there isn't anything he's interested in on your machine now, want to make some up?
Why doesn't he just make something up?
That's right.
Honeypot.
Honeypot, classic.
I can't believe they actually didn't come up with the idea of a full-blown honeypot
and just have this guy dial into an isolated computer that just kind of tracked everything he did.
But maybe that's too advanced for 1986.
Yeah, they didn't invent the idea.
Like that term predates all this.
It's like a long word from espionage.
But they certainly like came up with it on their own.
Yeah.
So Clifford cooks up some files,
something that this hacker is going to want to read.
Like secret government information.
And he'd write all of this dense,
bureaucratic nonsense,
but then he would pepper in like terms like chemical warfare and Star Wars.
Because it's 1986.
And he takes these files.
Han Solo.
Wookie.
And he takes this file and he plants the trap.
Meant to keep the hacker on his servers long enough
to be able to do this rotary trace way off in Germany.
And it works.
Oh, hi, Cliff.
Is our friend on again?
Yeah, hackers on.
Start the trace.
So the hacker bumps into Cliff's honeypot.
And he peers in and he sees all this jargon and he likes what he sees.
So he pulls up a chair and he starts reading.
And Cliff launches the trace.
The technician in Germany is checking all these rotary switches.
He's testing and testing and testing and he finds it.
Could you imagine the infrastructure required to do this?
Literally no.
Like just picking up a phone and calling Germany's Secret Service or whoever's taking care of it in Germany, who's then calling the telco, who's then like just the amount of, you'd have a 20-minute delay just in phone calls.
Truly, did he have no other duties at this job? Because it's like a full, anyway.
The hacker's on again.
So he does it.
Finds the end destination where...
The origin point.
Exactly.
So we did it.
Far out!
Well, I'm headed home to celebrate.
Celebrate with a strawberry milkshake.
I think I'll have a beer.
I think I'll have a beer.
I think I'm 42.
I'm going to have a beer, Clifford.
It had taken Cliff six months to track the hacker to his source.
And it would be another six months of legal wrangling between the FBI and the German authorities
to get the name of the guy.
Special agent Mike Gibbons explained.
Well, Cliff had originally traced the hackers into my backyard in northern Virginia,
but I didn't really have a lot to go on.
A few weeks later, he called me and told me that the hackers were all the way over
across the ocean in Germany and that he really needed some help.
We thought it was a pretty serious matter when you have people from another country
that are breaking into various government and military computer systems.
So we opened full investigation into the matter.
We met with the Germans over here.
and tried to describe what was going on.
We found we had no extradition in place,
no way to bring these hackers over to American justice.
But the Germans had some new laws in place
and were quite willing to prosecute them over there.
So in January 1990, the case comes to trial.
Three years after it started,
Clifford finally gets a look at his hackers
in this small town called Celle in Germany,
where he's to appear as an expert witness.
Hackers, plural.
Hmm.
Dirk Brezinski, Peter Carl, Marcus Hess, and Karl Koch.
Brezinski was a programmer.
Karl Koch, also known as Hagbard, died a few months before the trial.
Carl, a former croupier, who comes up again later.
And Marcus Hess, 28 years old, another programmer from Hanover,
who was the kind of main actor that Clifford had been following.
And it turned out that they were right.
During the trial, Cliff found out that Hess smoked Benson & Hedges.
It would turn out that the four men had started out as kind of this freedom of information hacker
group that would meet at a bar and then muck around in networks all around the world.
And there were just people who wanted to see kind of what was out there and how far into it they could get.
And the trouble emerged when Carl, a former croupier, got involved with the group because Carl had contacts in the KGB.
And when he told the KGB what kind of info this group of people was finding, the KGB offered to buy it.
And suddenly the group was in business, hack for hire.
All three defendants were found guilty and charged two years in prison and fined $12,000,
which was about a quarter of what they'd made from selling information to the KGB,
and they were immediately let out on bail.
Agent Gibbons explained.
We were surprised with the relative ease that they broke into a lot of these computer systems.
It was really not through flaws in the computers.
It was because some of the computer systems left their front door wide open.
We don't feel this is really a sudden breakdown of security.
People have been breaking into institutions for a number of years and hacking, as it's called.
But what we're having now is that the computers are used so much in the everyday way of every
business and every government agency that now we have a lot of sensitive information on these
computers. And now it's a much more serious matter for someone to break into one of these
institutions and steal the information or alter it.
With just a telephone line and home computer you could break into just about anything.
So Clifford finds himself at the end of this mystery in a bar in Hanover, the Kaiser, near where Marcus Hess had lived,
sitting opposite a friend of Hess's, a member of their group, a guy named Volker Ula.
So we only wanted to hack for freedom of information and showing holes in computers.
Then we all realized that this had happened, that no one could believe.
No one of us could believe that this had happened.
Did you know Marcus Hess at the time?
Yes, I knew him very well, but no one of us knew that they were perhaps selling information.
Did he suspect that I had followed him?
Did he know?
He didn't suspect.
Marcus said, oh, I'm caught.
I'm very afraid.
There must be a freak on the other side who traced me.
I can't believe that.
Because I have done such a lot of things.
I'm not a computer freak.
You just seem to be one.
No, no, no, no.
So that's a compliment if you didn't know.
A little bit.
A phreak, P-H-R-E-A-K, was a person that was competent in telephone hacking.
So not just hacking computers, but actually, you know, breaking into telephone systems and tracing and getting free connections and things like that.
So phreaking was a totally separate subset of hacking that was just telephone and PBX related.
It sounds like Volker Ula knew that and Clifford Stoll didn't.
It sounds like that.
Probably because Clifford Stoll wasn't a part of that world.
So Volker had been staring down the barrel of this totally different mystery.
What had happened to the fourth hacker, Hagbard.
When they'd first met, he was this nice, affable guy, but almost in tandem
with their journey from a group of freedom of information hackers to hackers for hire selling to the KGB,
he'd kind of devolved as well.
Volker told Clifford that Hagbard had gotten more depressed, that he was doing more drugs.
And while all of that kind of fed into the official story of how he died, suicide, it didn't convince Volker.
Hagbard died in 1989, shortly after he'd been charged with espionage.
He drove away from Hanover to Celle, a city about 50 kilometers from Hanover.
And he had to do a job there in Celle, and he never came back from this job.
And I heard in the newspapers a few days later that he was found in a forest near the city, and he was burned.
They said that he burned himself.
A jaeger is a little bird that feeds by chasing after other birds until they drop whatever they had already caught.
And Marcus Hess used it as a code name because the word means hunter in German.
And I think that if Clifford had used it as his username, it would have applied just as well.
Clifford still ended up having like a really full career after all this.
He wrote The Cuckoo's Egg.
He's written a bunch of different books.
He's a kind of a beloved figure, I think, in the cybersecurity community.
He also famously predicted that internet commerce wasn't going to ever be a thing.
Oh, so that's the drop?
Yeah, that's the drop.
And he does admit it.
He's like, well, I know I'm not that smart because I got that very, very, very wrong.
I wonder if Bezos calls him like once a year just to be like, hey man.
Just like text him a winky emoji every single morning he wakes up.
Yeah, with his current bank balance.
And 30 years later, a lot has changed.
I think I would imagine that rarely does cyber forensics involve stealing 50 printers.
But some things haven't.
Information is still worth a lot of money to people.
Valuable things are often left unlocked.
And a lot of people still use the default password.
The motivations are the same too.
Like a lot of people get into cybersecurity because it's a puzzle.
People that like puzzles tend to like cybersecurity because it's just a big, challenging puzzle.
A lot of the techniques are the same, routing through the computers, jumping through networks, things like that.
Now we use, you know, proxies and dark webs and things like that, but a lot of the same is true today.
So we did it.
Far out!
Well, I'm headed home to celebrate.
Celebrate with a strawberry milkshake.
I think I'll have a beer.
If you want to check out our main source for this episode,
you can find it on YouTube.
It's the 1990 PBS documentary,
The KGB, the Computer, and Me.
Clifford Stoll is a really likable storyteller
and a hell of a sleuth.
It is definitely worth a watch.
Big shout out to our new patrons on Patreon,
Leif Mathis, and Jimmy Cochran.
Your support means the world to us.
You can support the show at patreon.com
slash hacked podcast,
or follow us on Twitter at Hacked
podcast. Until the next one, thanks for listening.
