The Cuckoo's Egg
A 75-cent accounting discrepancy led an astronomer-turned-sysadmin to unmask a hacker selling US military data to the KGB.
In 1986, Clifford Stoll, an astronomer working as a systems administrator at Lawrence Berkeley National Laboratory, was asked to resolve a seventy-five-cent discrepancy in the lab's computer accounting system. Most people would have written it off. Stoll treated it as a thread and pulled.
Following the thread
The discrepancy turned out to be an unauthorized user with no billing account. Rather than locking the intruder out, Stoll did something then nearly unheard of: he left the door open, instrumented the system with printers and pagers, and watched. Over months he documented an attacker using Berkeley as a relay to probe US military and defense-contractor networks across MILNET — methodically, patiently, looking for documents on strategic systems.
Getting any institution to care was the harder problem. The FBI, CIA, NSA, and Air Force OSI each told Stoll, in effect, that the case was someone else's jurisdiction. To produce evidence, he eventually staged a fake trove of "SDInet" documents to keep the attacker online long enough to be traced. The trail led to Markus Hess, a hacker in Hannover, West Germany, who was selling the stolen material to the Soviet KGB.
What the chronicle remembers
The Cuckoo's Egg is the first thoroughly documented account of state-sponsored cyber-espionage, written up by Stoll first as an academic paper and then as a best-selling book. It established the template for nearly everything that followed: patient adversaries, indifferent institutions, the value of logging, and the recurring discovery that the small anomaly nobody bothered to explain was the entire story.