
Published on December 18th, 2019


Meet Cliff Stoll, the Mad Scientist Who Invented the Art of Hunting Hackers



When I arrive, he takes me to his workshop in the back of the house, a room with one wall covered in printed pictures of inventors, mathematicians, and scientists who inspire him: Felix Klein, Alan Turing, Emmy Noether. Then he flips up his desk on a hinge to reveal a door in the wall beneath it.

Inside is a small, homemade forklift robot, which lives in the crawlspace beneath his house. Using a remote control and watching several screens that show a feed from the robot's cameras, he wheels his little bot across the cramped storage space under his home, its walls lined with cardboard boxes, to delicately retrieve a crate full of beautifully crafted klein bottles wrapped in paper.

Stoll is still curious about hacking too. A couple of months earlier, he mentions, he decided on a lark to reverse-engineer some hackers’ malware-laced Excel file to see where it hid its malicious code. “I said to myself ‘Oh, here’s how they’re hiding it.’ It was very sweet and a useful lesson,” Stoll says, sitting on the floor of his workshop next to his forklift bot. “Having said that, I’m not very interested in cybersecurity today. I wish I was more interested. I wish I could help people defend their systems. Instead, I went back to figuring out how to make a klein bottle that can sit without wobbling.”

Royalties from The Cuckoo's Egg paid off Stoll’s mortgage years ago. Today, klein bottle sales provide him another—very modest—income stream. As for cybersecurity, beyond a few conference talks, he hasn’t worked in the industry for decades. The same omnivorous curiosity that drove him to chase his hacker for a year eventually led him to devote the next 30 to his other interests like mathematics, electronic music, and physics—none of which he claims to be an expert in. “To a mathematician, I’m a pretty good physicist,” Stoll deadpans. “To a physicist, I’m a fairly good computer maven. To real computer jocks, they know me as somebody who’s a good writer. To people who know how to write … I’m a really good mathematician!”


“To a mathematician, I’m a pretty good physicist,” Stoll says.

Photograph: Cayce Clifford





“To people who know how to write,” he says, “I’m a really good mathematician!”

Photograph: Cayce Clifford

But if Stoll is a cybersecurity amateur, few experts have had as much influence on the field. Stoll’s fans in the industry point out how, in hunting his hacker 30 years ago, he pioneered techniques out of necessity that would later become standard practice. Consider how, since he was sleeping under his desk at the lab, Stoll programmed his pager to alert him when the hacker logged into the network in the middle of the night. He also set up dozens of printers to transcribe every keystroke the hacker typed in real time, enacting something like the first intrusion detection system.

When Stoll traced the hacker’s intrusions to the Department of Defense’s MILNET systems, an Alabama army base, the White Sands Missile Range, Navy shipyards, Air Force bases, NASA’s Jet Propulsion Laboratory, defense contractors, and the CIA, Stoll was mapping out an intrusion campaign just as threat intelligence analysts do today.

When he planted hundreds of fake secret military documents on his network that tricked his hacker into staying logged into the Lawrence Berkeley system long enough for a German telecom employee to trace the intrusion to the hacker’s location in Hanover, he was building a “honeypot”—the same sort of decoy regularly used to track and analyze modern hackers and botnets.

“The Cuckoo's Egg documented so many of the methods we now use to deal with high-end intruders,” says Richard Bejtlich, a well-known security guru and author of The Tao of Network Security Monitoring: Beyond Intrusion Detection, who has worked on incident response and network monitoring at companies like Corelight and FireEye. “You can see in the book almost everything you need to do in an incident. The mindset, the thoroughness, the commitment to it. It’s all there.”
