Author Archives: Chris Sanders

Source Code S2: Episode 8 – Gwen Betts

I’m joined by Gwen Betts for the final episode of this season. She is a UX director at Rapid7 via the acquisition of her previous company, Komand. She provides a unique perspective as someone who started in design and would later bring that expertise to security. We talked about her design principles and what makes good UX. We also discussed how security professionals can most effectively engage with UX and areas of the infosec space that are ripe for UX innovation.

Gwen chose to support Resilient Coders of Boston with her appearance. The organization provides technology career education with a focus on diversity.


Listen Now:


You can also subscribe to it using your favorite podcasting platform:


If you like what you hear, I’d sincerely appreciate you subscribing, “liking”, or giving a positive review of the podcast on whatever platform you use. As always, I love hearing your feedback as well and you can reach me @chrissanders88. You can reach Gwen Betts on Twitter at @gwennasaurus.

Special thanks to our title sponsor, Ninja Jobs!



The Complete Cuckoo’s Egg Online Course Available for Free

If you’ve been following along with my blog, you know that I’ve been teaching a free online course on Thursday evenings for the past few months. I’ve decided to release those recordings and supplementary material for free.

The Cuckoo’s Egg Decompiled is an online course designed to provide an introduction to information security, as told through the lens of Cliff Stoll’s “The Cuckoo’s Egg” book.

The course was recorded live online from Nov 2017 through Jan 2018. The course videos, slides, and lecture notes are freely available under the terms of the Creative Commons CC BY-NC 4.0 license. That means you are free to use, share, and adapt this content. However, you must give appropriate credit/citations and you may not use it for commercial purposes. However, if you are a college professor or high school teacher you may adapt it for your classes.


You can access the download links for this course here:

Cuckoo’s Egg – Week 8 Notes

Session Recording:

This week, we finished the book to include chapters 47-56.

The attacker had dialed in for brief moments during the few weeks that followed but didn’t do anything notable. They also ignored the new SDINET files. At one point Cliff notices someone login through a new account belonging to a professor. He verifies that the login was not done by the professor. Cliff uses the power of deduction to figure out that the attacker must have cracked the professor’s password from the stolen password file by using a dictionary attack. Cliff is stunned to talk to Bob Morris (who he met previously at NSA) and find that dictionary attacks are “child’s play” and have been in existence for 5-10 years.

Cliff visits DC again and gives a talk to the NSA X-1 team and several high ranking flag officers. He is asked to visit Teejay at the CIA and is introduced to the deputy director. It turns out they’ve been following this case daily. They present Cliff with a certificate of appreciation.

Cliff receives a letter in the mail addressed to Barbara Sherwin, the fake administrator name he made up in the SDINET files. It is a nearly exact copy of the template form he placed with the files to request more information. It is postmarked with a return address from Pittsburgh and uses the name Laszlo J, Balogh. Cliff informs the FBI about this who request he handle it very carefully and send it to them. An OSI investigator also shows up to inspect it, and Teejay at the CIA is informed as well. The FBI asks cliff for a copy of the LBL letterhead. It sounds like they are going to send a reply back to the attacker.

Evidence Collection

When Cliff receives this letter he doesn’t do a great job of preserving it as evidence. Anything that might result in litigation must be treated carefully so that the investigating team can get the most value out of the facet of reality it represents. This means handling things with care and preserving a chain of custody. These concerns don’t only apply to physical evidence however, they apply to computer evidence too.

With this in mind, I provided a brief overview of concerns related to preservation of digital evidence. This included discussions about permission, volatility and whether you should shut computers off, pollution of evidence that happens when installing software or interacting with a system, and chain of custody. I also discussed the practicality of treating systems as evidence and when that doens’t necessarily happen in practice.

More Reading:



The attacker breaks into a few more networks via LBL including Unisys and NASA. Cliff continues tracking these and initiating traces while also creating SDINET files that serve the purpose of keeping the attacker on the network longer.

Finally, on June 21st, Cliff observes the attacker login for the last time. Shortly after that, he gets a note from the FBI that the Germans were positioning officers outside the attacker’s location and would arrest him the next time he connected to LBL. Cliff was to monitor and call when this occurred. Cliff monitored for a few days but the attacker never connected back. He received a call from the FBI that the investigation was over. An arrest warrant had been issued, and the attacker would not be back. No more information was provided but Cliff was told to keep this to himself and he would learn more in time once the case was mostly closed.

Cliff eventually gets tired of waiting around and submits an article about these events to the ACM. Before it is published, a German magazine publishes a story about it citing his log book. The only person who had a copy of his log book was the FBI, who must have sent it to the German legal attache, and now who knows where it has been. LBL conducts a press conference for Cliff to talk about the events that have transpired since the cat is out of the bag.

Oddly enough, it’s the press who expose the name of the attacker: Markus Hess. Cliff eventually pieces together the full story of what happened. In short, a group of five young German hackers got together and used their skills to find vulnerabilities and compromise networks. They did it for many reasons: the thrill of success, financial gain, and even to support drug habits. Eventually, this led them to sell information to the KGB. It was the KGB who were responsible for requesting information by mail to LBL via a Hungarian criminal in Pittsburgh. All five hackers were eventually prosecuted, although they had very different stories.

Questions to Consider

What has changed about computer security since the 1980s? What hasn’t?

Has our ability to secure information been outpaced by our reliance on it?



Cuckoo’s Egg – Week 7 Notes

Session Recording: (Available 1/26-2/2)

Next Sessions Registration:

This week, we reviewed chapters 38-46.

Cliff hears that the FBI is working with the German attache to get the warrant sorted out but it is taking some time due to internal issues. Meanwhile, he discovers the computer responsible for the Bevatron, a cancer research device, has been compromised. This is a sensitive system whose data integrity is paramount, as it directly relates to cancer treatment. Incorrect numbers could kill someone. He works with the system owner to reset all the passwords and kick the attacker out. He laments over the fact that he can’t do anything to stop the attacker, he can only watch and kick them out when he spots them. 

Industrial Control Systems (ICS)

The attack on the computer that controls the Bevatron is an example of how machines can be attacked in such a way as to cause a kinetic impact. Although the attacker didn’t succeed in doing this and likely had no idea what they were interacting with, the computer they were accessing could control this physical device. Much of the world around us now is controlled by devices that are network and internet-connected, which brings about unique concerns. 

With this in mind, I provided an overview of ICS devices and how they interact with normal computer networks. I highlighted the segmentation that normally exists and spent time “mythbusting” some common misconceptions about the nature of the threat to ICS networks and how likely that is. Along the way I highlighted examples ICS malware and specified attacks to ICS networks where additional study is helpful for those interested in this topic.  

More Reading:

Dig Deeper Exercises:

  • Level 1
    • Research at least one family of ICS targeting malware in depth. Clearly define the function and impact of the malware when executed.
  • Level 2
    • Research the Shamoon attack at Saudi Aramco and compare it to what happened in Iran with Stuxnet. Can you clearly define what makes one different than the others?



Cliff gets a call from the FBI telling him they are calling off the case. He persists but to no avail. He eventually calls TeeJay with the CIA and explains the scenario. TeeJay gets back with him in a couple of days and lets him know the CIA made a “grandstand play” and that the investigation is back on, which he confirms with Mike at the FBI.

Shortly after that, the attacker comes back. He is traced back through Datex, then to Bremen, and finally to Hannover again. The Bundespost reiterates they need a warrant or they will drop the whole case. The University of Bremen also reiterates they need to move forward or they are going to plug their holes. Cliff confirms that to trace the call in Hannover requires someone with feet on the ground in the switching station, and the actual trace could take as long as two hours.

While Cliff is describing his plight to his girlfriend, Martha, she comes up with a brilliant idea. Cliff needs to keep the hacker on the network for a long time to complete the trace, and the hacker is interested in specific types of information. So, why not give it to him? They devise a plan to create fake documents related to something called “SDINET” to lure the attacker in. They spend a lot of time making them official and even setup a detail request form that has to be mailed in with the hopes that the attacker does so and leaves a return address. This is one of the earliest mentions of a honeypot.


With some help, Cliff devises a plan to use what is one of the earliest recorded forms of a honeypot to attract the attacker and keep them connected while traces could be made. Honeypots have been used for a long time, but more traditionally for research purposes, to track scanning and worm activity, and to gather malware. I provided an overview of the evolution of honeypots, culminating in the modern use of tactical honeypots for detection and network security monitoring. I demoed a few simple honeypots like the Cowrie SSH honeypot and Tom’s Honeypot. I also discussed non-traditional honeypots and demonstrated a HoneyDoc.

More Reading:

Dig Deeper Exercises:

  • Level 1
    • Download and install Cowrie on a VM or test system. Configure it so that it perfectly mirrors the SSH login of a specific Linux distribution.
  • Level 2
    • Use netcat to create a simple honeypot that listens on one or more ports and logs the data it receives to a file.
  • Level 3
    • Create and Word document and figure out how to embed a tracking link that phones home when opened.



Cliff spends some time talking with the various agencies to get approval for his project. He doesn’t get it, but he doesn’t find anyone who tells him not to do it either, so he moves forward. The attacker comes back and falls for the bait by enumerating and downloading the files. Concurrently, a trace is made that gets as far as a specific exchange in downtown Hannover. They know the connection is coming from a local line and they’ve traced it to a block of 50 numbers, but they’ll have to wait for the next call to go any further.

It took two more traces, but then it happened. The folks at Hannover were able to trace the call to an individual number which was tied to a computer at a business while the attacker was enumerating Cliff’s files and breaking into a military base in Okinawa via LBL. Hannover said they would give the number over to the FBI. The attacks had been traced to their source.

Cliff repeats a few more traces as the attacker comes back, but then enters a holding pattern now as the Bundespost and German authorities are still waiting for a warrant from the FBI and their legal attache. During this time, Cliff is invited up to a meeting with all the interested parties in DC. He meets the cast of characters he’s been talking to. He’s also invited to speak at the NSA and brief the Deputy NSA Director. During this exchange he meets Bob Morris, whose son later becomes famous for creating the Morris Worm, the first ever worm observed on the internet.



Questions to Consider

Honeypots are one of best forms of detection in terms of signal:noise ratio. Take what I discussed this week and try to answer the following:

  • Should honeypots be a required detection tool for all organizations? Where do they not make sense?
  • What are a few unique ways you could build honeypots for detection in your home or work network?


Next Session

February 1st 7:30PM ET — The Last One!

Read Chapters 57-56

Register/Attend Here:


Source Code S2: Episode 7 – Michael W. Lucas

We’re talking writing this week with my good friend Michael W. Lucas, a fellow No Starch Press Author. We discussed how he became interested in writing and how his career as an author evolved alongside his technical career. Now a full-time writer, Michael has written dozens of books, including technical and fiction works. If you’ve ever been interested in the business, skillset, or process of authorship then you’ll enjoy our conversation.

Michael chose to support Soroptimist International of Gross Point with his appearance. These funds will go to support issues surrounding human trafficking, teen violence, and anti-bullying.

Listen Now:


You can also subscribe to it using your favorite podcasting platform:


If you like what you hear, I’d sincerely appreciate you subscribing, “liking”, or giving a positive review of the podcast on whatever platform you use. As always, I love hearing your feedback as well and you can reach me @chrissanders88. You can reach Michael Lucas on Twitter at @mwlauthor.

Special thanks to our title sponsor, Ninja Jobs!