Dec 3, 2021

A honeypot is basically a computer made to look like a sweet, yummy bit of morsel that a hacker might find yummy mcyummersons. This is the story of one of the earliest on the Internet.

Clifford Stoll has been a lot of things. He was a teacher and a ham operator and appears on shows. And an engineer at a radio station. And he was an astronomer. But he’s probably best known for being an accidental systems administrator at Lawrence Berkeley National Laboratory who setup a honeypot in 1986 and used that to catch a KGB hacker.

It sounds like it could be a movie. And it was - on public television. Called “The KGB, the Computer, and Me.” And a book.

Clifford Stoll was an astronomer who stayed on as a systems administrator when a grant he was working on as an astronomer ran out. Many in IT came to the industry accidentally. Especially in the 80s and 90s.

Now accountants are meticulous. The monthly accounting report at the lab had never had any discrepancies. So when the lab had a 75 cent accounting error, his manager Dave Cleveland had Stoll go digging into the system to figure out what happened. And yet what he found was far more than the missing 75 cents.

This was an error of time sharing systems. And the lab leased out compute time at $300 per hour. Everyone who had accessed the system had an account number to bill time to. Well, everyone except a user named hunter. They disabled the user and then got an email that one of their computers tried to break into a computer elsewhere.

This is just a couple years after the movie War Games had been released. So of course this was something fun to dig your teeth into. Stoll combed through the logs and found the account that attempted to break into the computers in Maryland was a local professor named Joe Sventek, now at the University of Oregon. One who it was doubtful made the attempt because he was out town at the time.

So Stoll set his computer to beep when someone logged in so he could set a trap for the person using the professors account. Every time someone connected a teletype session, or tty, Stoll checked the machine. Until Sventek connected and with that, he went to see the networking team who confirmed the connection wasn’t a local terminal but had come in through one of the 50 modems through a dial-up session.

There wasn’t much in the form of caller ID. So Stoll had to connect a printer to each of the modems - that gave him the ability to print every command the user ran. A system had been compromised and this user was able to sudo, or elevate their privileges. UNIX System V had been released 3 years earlier and suddenly labs around the world were all running similar operating systems on their mainframes. Someone with a working knowledge of Unix internals could figure out how to do all kinds of things. Like add a program to routine housecleaning items that elevated their privileges.

They could also get into the passwd file that at the time housed all the passwords and delete those that were encrypted, thus granting access without a password. And they even went so far as to come up with dictionary brute force attacks similar to a modern rainbow table to figure out passwords so they wouldn’t get locked out when the user whose password was deleted called in to reset it again.

Being root allowed someone to delete the shell history and given that all the labs and universities were charging time, remove any record they’d been there from the call accounting systems. So Stoll wired a pager into the system so he could run up to the lab any time the hacker connected. Turns out the hacker was using the network to move laterally into other systems, including going from what was ARPANET at the time to military systems on Milnet. The hacker used default credentials for systems and leave accounts behind so he could get back in later.

Jaeger means hunter in German and those were both accounts used. So maybe they were looking for a German. Tymenet and Pacbell got involved and once they got a warrant they were able to get the phone number of the person connecting to the system. Only problem is the warrant was just for California.

Stoll scanned the packet delays and determined the hacker was coming in from overseas. The hacker had come in through Mitre Corporation. After Mitre disabled the connection the hacker slipped up and came in through International Telephone and Telegraph. Now they knew he was not in the US. In fact, he was in West Germany. At the time, Germany was still divided by the Berlin Wall and was a pretty mature spot for espionage. They confirmed the accounts were indicating they were dealing with a German.

Once they had the call traced to Germany they needed to keep the hacker online for an hour to trace the actual phone number because the facilities there still used mechanical switching mechanisms to connect calls. So that’s where the honeypot comes into play. Stoll’s girlfriend came up with the idea to make up a bunch of fake government data and host it on the system. Boom. It worked, the hacker stayed on for over an hour and they traced the number.

Along the way, this hippy-esque Cliff Stoll had worked with “the Man.” Looking through the logs, the hacker was accessing information about missile systems, military secrets, members of the CIA. There was so much on these systems. So Stoll called some of the people at the CIA. The FBI and NSA were also involved and before long, German authorities arrested the hacker.

Markus Hess, whose handle was Urmel, was a German hacker who we now think broke into over 400 military computers in the 80s. It wasn’t just one person though. Dirk-Otto Brezinski, or DOB, Hans Hübner, or Pengo, and Karl Koch, or Pengo were also involved. And not only had they stolen secrets, but they’d sold them to The KGB using Peter Carl as a handler.

Back in 1985, Koch was part of a small group of hackers who founded the Computer-Stammtisch in Hanover. That later became the Hanover chapter of the Chaos Computer Club. Hübner and Koch confessed, which gave them espionage amnesty - important in a place with so much of that going around in the 70s and 80s. He would be found burned by gasoline to death and while it was reported a suicide, that has very much been disputed - especially given that it happened shortly before the trials.

DOB and Urmel received a couple years of probation for their part in the espionage, likely less of a sentence given that the investigations took time and the Berlin Wall came down the year they were sentenced.

Hübner’s story and interrogation is covered in a book called Cyberpunk - which tells the same story from the side of the hackers. This includes passing into East Germany with magnetic tapes, working with handlers, sex, drugs, and hacker-esque rock and roll. I think I initially read the books a decade apart but would strongly recommend reading Part II of it either immediately before or after The Cukoo’s Egg.

It’s interesting how a bunch of kids just having fun can become something far more. Similar stories were happening all over the world - another book called The Hacker Crackdown tells of many, many of these stories. Real cyberpunk stories told by one of the great cyberpunk authors. And it continues through to the modern era, except with much larger stakes than ever.

Gorbachev may have worked to dismantle some of the more dangerous aspects of these security apparatuses, but Putin has certainly worked hard to build them up. Russian-sponsored and other state-sponsored rings of hackers continue to probe the Internet, delving into every little possible hole they can find. China hacks Google in 2009, Iran hits casinos, the US hits Iranian systems to disable centrifuges, and the list goes on. You see, these kids were stealing secrets - but after the Morris Worm brought the Internet to its knees in 1988, we started to realize how powerful the networks were becoming.

But it all started with 75 cents. Because when it comes to security, there’s no amount or event too small to look into.