Nervous System: Honeypots in Space

Honeypots are designed to trick hackers into exposing themselves. The first known use of such a trap occurred in the mid-1980s, when a $0.75 discrepancy exposed an international cadre of spies attempting to steal military secrets about the fabled “Star Wars” Strategic Defense Initiative.

Cybersecurity experts design special traps called honeypots to trick hackers into exposing enough about themselves to enable the good guys to identify and possibly prosecute the bad guys. The first known use of such a trap occurred in the mid-1980s, when a system administrator for a national lab became obsessed with an unaccounted-for nine-second gap in his logs. Many people would have overlooked the trivial event—indeed, most did. But Clifford Stoll stuck with it, exposing an international cadre of spies attempting to steal military secrets about the fabled “Star Wars” Strategic Defense Initiative.

The story begins in 1986. As part of his duties working at Lawrence Berkeley National Laboratory, Stoll had to reconcile a discrepancy in the institution’s computer usage logs. Someone had logged into the lab’s system and used about nine seconds of computing time without assigning their usage to a billing code, resulting in a $0.75 shortfall.

It was the only such shortfall in the lab’s history.

Most systems administrators—if they even became aware of a discrepancy so slight—would be disinclined to waste additional system resources, time, and money investigating. It was easy to overlook a minor glitch, especially when investigating a problem worth less than a dollar would ultimately occupy the almost full-time attention of a senior employee for most of a year. It was much easier to write off the seventy-five cents and move on to real work.

But Clifford Stoll was not most systems administrators. And once he started working on this problem, he could not let go.

The more Stoll probed, the more certain he became that these were intentional intrusions into the lab’s computer systems, rather than an accidental act of carelessness by an authorized user. Someone was connecting via a dialup modem connection, escalating their user privileges in the Unix system, and taking steps to cover their trail. Whoever it was appeared to be using Stoll’s lab as a stopping-off point to connect to other systems.

The intruders were leapfrogging across institutional weaknesses across the globe. Thanks to poor password security, unpatched vulnerabilities, and overall user laxity throughout the business, educational, and government systems they encountered, these intruders could move largely unimpeded through supposedly secure and sensitive institutions. But at the individual level, most of the affected systems were only incidentally touched. Whoever it was had figured out that most organizations were disinclined to undertake costly measures to enhance their security unless they themselves had been directly victimized. But in a networked world, those insecure organizations weakened their neighbors.

The attackers followed a path that led from computers at the University of Bremen in Germany across the Atlantic, into the Jet Propulsion Laboratory in Pasadena, California, and military networks like ARPANET and MILNET. Stoll’s system at Berkeley Labs was just one of many hops along the way. Stoll distinguished himself from the other system administrators whom the hackers exploited simply because he kept investigating even though his own system’s exposure had been so small.

The next challenge Stoll faced was getting anyone in authority to care about the problem as much as he did. The FBI, CIA, NSA, Air Force, and German authorities all struggled to work out where this novel problem fell within their respective jurisdictions and remits. As a hippie-adjacent college scientist in Berkeley, Stoll was naturally suspicious of government agencies, but he then found himself rather ironically frustrated by their aloof responses. Weren’t these government spies supposed to trample over people’s privacy when national security was at risk? he thought.

Stoll had worked out that the hackers were primarily interested in information about the United States’ proposed Strategic Defense Initiative (SDI), derisively nicknamed “Star Wars” by the media. So Stoll laid a trap. He created a set of fake SDI documents to attract the hackers’ attention long enough to trace their connections. This was the first documented use of the honeypot technique.

By carefully monitoring access to the treasure trove of fake Star Wars documents, Stoll captured enough information about his secret visitors to unmask them. The intrusions were traced back to a Russian-sponsored international group of hackers working out of Germany to steal US military secrets for the KGB. The lead hacker, Markus Hess, was tried in Germany in 1990 and found guilty of espionage. It is believed he and his gang penetrated over 400 military computers during the 1980s. After his sentence was suspended on the promise of good behavior, Hess apparently withdrew from hacking. He has avoided the public spotlight ever since—and has never openly discussed the case.

By contrast, Stoll described his investigation in exacting detail in the 1989 true-life cyber-espionage thriller The Cuckoo’s Egg. That landmark book was informed by Stoll’s extensive and prodigious recordkeeping. It remains both a page-turner and a sobering reminder of how human failings can sometimes be the greatest cybersecurity threat.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.