Harvard Astronomer Breaks Spy Ring

Stoll Prevents Spies in West Germany From Using Military Research Computers

NO WRITER ATTRIBUTED

BOSTON--A Harvard astronomer was instrumental in the arrests in West Germany this week of three men who allegedly broke into key military and research computers in the United States, Western Europe and Japan, West German officials said.

Clifford Stoll, a 38-year-old computer expert at the Harvard-Smithsonian Observatory, broke the East European spy ring by setting up a complex monitoring system on his computer.

The astronomer originally started out in 1986 to find a 75-cent accounting error in his computer system. When he found that the extra charge was due to a mysterious hacker who had tapped into his system, he rigged his computer so that an electronic beeper would sound every time a hacker entered the system.

After discovering the intruders were stealing passwords to get into sensitive military computers, Stoll got help from the FBI. Almost a year later, he succeeded in tracing them to Hanover, West Germany.

"In one sense, it was exciting," he said in an interview Thursday. "In another sense, it was dreadful, because I got zero astronomy done for two years."

A German television network reported that authorities believe the West German hackers were recruited by the Soviet KGB in 1985 and "were paid with cash and drugs and were later forced to provide the codes and passwords to the Soviets."

FBI spokesperson Greg Jones said yesterday that the bureau would not comment on the investigation. But others connected with the probe said Stoll deserved much of the credit.

"I would say he was largely responsible for cracking the case," said Charles S. Hurley, former spokesperson for the Lawrence Berkeley Laboratory in Berkeley, Calif., where Stoll was working when the initial computer break-in occurred. "He pursued them with extraordinary persistence."

Stoll said the puniness of the accounting error initially drew his attention.

"If it had been $1,000 off, I wouldn't have thought anything of it," he said. "It's like, if your house collapses, you just assume there's been an earthquake. But if you find a tiny termite hole, you think, 'Geez, I'd better investigate.' It's the little problems that are the most fascinating."

Stoll, who holds a doctorate in astronomy from the University of Arizona, said the hackers were "no geniuses, but certainly clever."

To hide their location, he said, they attacked military computers via modems, or telephone computer links, through a constantly changing series of computers at West German universities, American research labs and defense contractors.

To gain access to sensitive data, they sometimes planted so-called "Trojan Horse" programs, which look helpful but actually function to steal passwords.

In other cases, Stoll said, the hackers succeeded with "very simple, you might even say crude techniques," such as trying common passwords like "field," "guest" and "system."

Last May, Stoll published an article about his pursuit of the Trojan horsemen in a technical journal, Communications of the Association for Computer Machinery.

Stoll omitted some details from the article because the FBI and its German equivalent, the Bundeskriminalamt (BKA), were still investigating the incident when it was written. The astronomer now has a contract with Doubleday for a book about his work.

Stoll said he gives his girlfriend credit for his big break in the case. He said that because she was annoyed by the constant beeping of the electronic pager, she suggested he lay a trap for the hackers.

To entice the hackers to spend more time on the network, Stoll created a Trojan Horse of his own called "SDI Net," which documented fictitious military information. The hackers took the bait and spent more than two hours reading the material.

Three months later, Stoll said, he received a letter from a man in Pittsburgh asking for information about SDI Net. In April 1987, he turned the letter over to the FBI, which found that the man had connections to Eastern European governments and immediately began an investigation.

In all, Stoll said, the spy ring attempted to break into about 450 different computers and succeeded in gaining access to more than 40 of them--including data systems at the Pentagon, defense contracting firms and U.S. military bases in Germany, Okinawa, California and Virginia.

Stoll said that as soon as the hackers attacked, he notified each of the intended victims, most of whom quickly shut off the intrusions. In order to keep watching the spies, he continued to allow them access to his own computer at the Lawrence Berkeley Lab.

"To them, it must have looked as though we were the only ones who didn't detect them," he said. "Whereas in reality, we were the only ones who did."
