The Cuckoo's Egg: How a 75-Cent Error Became the First Cyber Espionage Case

Podcast

The Cuckoo's Egg: How a 75-Cent Error Became the First Cyber Espionage Case

I’ve got a signed hardback copy of Clifford Stoll’s The Cuckoo’s Egg on my shelf. Proper fanboy moment when I got him to sign it. He writes this wild story about chasing a hacker over a seventy-five cent billing error. Less than a quid. That book basically hard-wired my brain to never ignore “tiny, boring mistakes” in numbers or logs again.

This week on The Small Business Cyber Security Guy podcast, Graham Falkner, Mauven MacLeod and I sat down to pull apart how a 1986 spy hunt translates into practical security for a UK small business in 2026. What follows is the full story, the lessons, and the specific actions you can take this week.

The Dullest Beginning in Cybersecurity History

Picture the mid-1980s at Lawrence Berkeley National Laboratory in California. No laptops on every desk. One big shared computer system, terminals and dumb screens, and everybody billed for how much “computer time” they used. CPU seconds, storage, the lot, because the lab had to spread costs across different research projects.

One day the accounts were out by about seventy-five cents. Nobody’s house was getting repossessed over it. But the accountants told Clifford Stoll, the sysadmin: there is a bug in your usage program, fix it.

He could have rounded it off, bodged the numbers, moved on with his life. Instead, he went line by line through usage records, login times, and project billing codes. And this is where it stopped being a boring accounts job and turned into a thriller.

He found an odd user account. Logins at weird hours when nobody sensible was in the lab. Connections that did not line up with anyone’s office hours or experiments. The more he looked at the history, the more it looked like a real person sneaking in, not a maths error in his billing script.

Primitive Tools, Brilliant Thinking

Because people dialled into the system over phone lines, Stoll had breadcrumbs the hacker could not avoid leaving. Once he suspected this was not a software bug, he turned on more detailed record-keeping. Instead of just knowing “user X was connected for an hour”, he started logging what commands they ran, which files they touched, which systems they tried to reach.

Today you would call it audit logging or activity monitoring. Back then it was “print absolutely everything the sod types.”

And because the mystery user dialled in at inconvenient hours, Stoll did something brilliantly low-tech. He built a physical alarm. When his hacker logged in, a beeper went off so he could run to the terminal and watch it live.

As Mauven pointed out on the podcast, that is exactly the kind of bodge you do in a small business. A Raspberry Pi, a cheap speaker, a script that pings when there is a suspicious login. It does not have to be fancy. Just “make noise when weird thing happens.”

The Trace

Stoll realised that if he could keep the hacker online long enough, the phone company engineers could trace the route of the call through exchanges and international links. So instead of kicking the intruder off, he carefully kept them connected. He let them wander around the system, within limits, precisely so the trace had time to complete.

He matched the times in his computer logs with the telco’s trace information. Over time, the trail went out of the US, across to Europe, and ultimately to Hanover, Germany. The hacker was Markus Hess, who had been breaking into systems and selling the results to the Soviet KGB. Hess is estimated to have compromised around 400 US military computers during his operations.

Stoll eventually built what we would now call a honeypot: a fake SDI (Strategic Defence Initiative) department stuffed with impressive-sounding documents, designed to keep Hess connected long enough for the German authorities to locate him at his home. It worked.

All of this with printouts, a beeper, and a phone company on speed-dial. No SIEM. No SOC. No threat intel feeds. Just persistence and carefully lined-up evidence.

What This Means for a 20-Person UK Business

The tools have changed. The principles have not. Here is what you can steal from Stoll’s playbook this week.

Turn on logging. Your firewall, your router, Microsoft 365, Google Workspace, Xero, whatever cloud apps you use: they all have sign-in records, device info, and access logs. Most of them are switched off by default or set to auto-delete after a short period. The NCSC’s Introduction to Logging for Security Purposes guidance provides a four-step programme for putting in place a simple but effective logging capability. Start there.

Set up simple alerts. The beeper of 2026 is “text me if someone signs in from a new location” or “email me if there are ten failed logins.” Microsoft 365 and Google Workspace both offer these as built-in features. If you use neither, your firewall almost certainly has alert capabilities you have never touched.

Keep logs for a useful period. The NCSC recommends storing your most important logs for at least six months. For most small firms, keeping sign-in and admin-change logs for at least three months is a sensible minimum. Keep firewall and router logs for at least a month. Make sure backup records exist so if someone wipes things, you still have evidence.

Use your providers. Stoll leaned on the phone company. You can lean on your IT support, your ISP, your cloud vendor. If you see dodgy activity, they often have more data than you do: network logs, access records, abuse teams who can look deeper. Treat them as part of your incident response, not just the people you shout at when the broadband drops.

Build a curiosity culture. If your staff feel they can say “this email looked weird, so I checked” or “I saw a login from a place I did not recognise” without being laughed at, you will catch problems earlier. Stoll was the annoying person who would not let the 75-cent error go. Without that stubbornness, a KGB spy ring would have carried on stealing US military secrets indefinitely.

The Expert Who Got the Big Picture Wrong

There is a fascinating postscript. After The Cuckoo’s Egg, Stoll wrote Silicon Snake Oil in 1995, warning that the internet was overhyped. He called it a place for “lotus-eaters” and argued that real life was far richer than anything on a computer screen.

He was spectacularly wrong. And he owned it. When the article resurfaced on BoingBoing in 2010, he left a comment admitting his mistake and noting that whenever he thinks he knows what is happening, he now tempers his confidence.

It is a good reminder. Even the person who spotted the pattern, who caught the spy, who literally wrote the book on following small anomalies to their source, can still get the bigger picture wrong. Humility is not weakness. It is what stops you from becoming the thing you fight against: someone so confident in their own cleverness that they stop paying attention to the evidence.

How to Turn This Into a Competitive Advantage

If you run a small business, the Cuckoo’s Egg story is not just a good yarn. It is a differentiator.

Demonstrate logging capability to clients. If you can show prospective customers or partners that you have active logging, alerting, and a documented incident response process, you immediately stand out from competitors who cannot. In regulated sectors and supply chains, this is increasingly a procurement requirement.

Use it in tender responses. When a client asks “how do you handle security incidents?”, having a clear answer backed by actual log retention and alerting configuration beats a vague reference to antivirus software.

Frame security as operational maturity. The businesses that spot small anomalies early are the businesses that do not end up on the front page. That reliability is worth money to customers who depend on you.

How to Sell This to Your Board

If you need to make the case internally, here are the key arguments.

It costs almost nothing. Turning on logging in your existing cloud platforms is free. Setting up basic alerts takes less than an hour. The NCSC’s guidance is free and written for non-specialists.

The alternative is blindness. Without logging, you cannot answer the basic questions investigators ask after an incident: who accessed what, when, and from where. That blindness turns a containable incident into a catastrophe.

Regulators expect it. The DSIT Cyber Security Breaches Survey 2025/2026 found that 43% of UK businesses experienced a cyber breach or attack in the past twelve months. The ICO expects organisations to demonstrate they can detect and respond to incidents. Logging is the minimum.

Insurance underwriters check for it. Cyber insurance applications increasingly ask about logging, monitoring, and incident response capability. Having these in place can affect both eligibility and premium costs.

What to Do This Week

  1. Find your logs. Identify where sign-in logs, admin change records, and firewall logs live in your systems. If you do not know, ask your IT provider.
  2. Check retention periods. How long are those logs kept? If the answer is “I don’t know” or “a few days”, extend them to at least three months.
  3. Turn on one alert. Pick the simplest alert your primary cloud platform offers: new device login, impossible travel, or failed login threshold. Switch it on.
  4. Tell your team. Let staff know that reporting something odd is encouraged, not a nuisance. Clifford Stoll was that annoying person. Be that annoying person.

Listen to the Full Episode

This article covers the highlights, but the full podcast conversation goes deeper into Stoll’s methods, the Cold War context, and the specific tools available to small businesses today. Listen wherever you get your podcasts.

Next week on the podcast: We continue the theme of practical detection for small businesses with a look at the tools hiding inside the software you already pay for.

Sources

SourceArticle
WikipediaThe Cuckoo’s Egg (book)
WikipediaMarkus Hess
WikipediaSilicon Snake Oil
NCSCIntroduction to Logging for Security Purposes
NCSC10 Steps: Logging and Monitoring
DSIT / Home OfficeCyber Security Breaches Survey 2025/2026
NCSCLogging and Protective Monitoring

Related Posts:

Filed under

  • smb-security
  • uk-business
  • incident-response
  • business-risk
  • credential-theft
  • remote-access