In The Cuckoo’s Egg, Cliff Stoll (correctly) identified that a German hacker working for the KGB attacking his systems in Berkeley, California and bouncing through intermediate systems was likely in Europe, based just on a round-trip latency measurement of Kermit responses, which is a lot more primitive than the above:

So I reopened our doors and sure enough, the hacker entered and poked around the system. He found one interesting file, describing new techniques to design integrated circuits. I watched as he fired up Kermit, the universal file-transfer program, to ship our file back to his computer.

The Kermit program doesn’t just copy a file from one computer to another. It constantly checks to make sure there haven’t been any mistakes in transmission. So when the hacker launched our Kermit program, I knew he was starting the same program on his own computer. I didn’t know where the hacker was, but he certainly used a computer, not just a simple terminal. This, in turn, meant that the hacker could save all his sessions on a printout or floppy disk. He didn’t have to keep notes in longhand.

Kermit copies files from one system to another. The two computers must cooperate—one sends a file, and the other receives it. Kermit runs on both computers: one Kermit does the talking, the other Kermit listens.

To make sure it doesn’t make mistakes, the sending Kermit pauses after each line, giving the listener a chance to say, “I got that line OK, go on to the next one.” The sending Kermit waits for that OK, and goes on to send the next line. If there’s a problem, the sending Kermit tries again, until it hears an OK. Much like a phone conversation where one person says “Uh huh” every few phrases. My monitoring post sat between my system’s Kermit and the hacker’s. Well, not exactly in the middle. My printer recorded their dialogue, but was perched at the Berkeley end of a long connection. I watched the hacker’s computer grab our data and respond with acknowledgments.

Suddenly it hit me. It was like sitting next to someone shouting messages across a canyon. The echoes tell you how far the sound traveled. To find the distance to the canyon wall, just multiply the echo delay by half the speed of sound. Simple physics.

Quickly, I called our electronic technicians. Right away, Lloyd Bellknap knew the way to time the echoes. “You just need an oscilloscope. And maybe a counter.” In a minute, he scrounged up an antique oscilloscope from the Middle Ages, built when vacuum tubes were the rage.

But that’s all we needed to see these pulses. Watching the trace, we timed the echoes. Three seconds. Three and a half seconds. Three and a quarter seconds. Three seconds for a round trip? If the signals traveled at the speed of light (not a bad assumption), this meant the hacker was 279,000 miles away. With appropriate pomp, I announced to Lloyd, “From basic physics, I conclude that the hacker lives on the moon.”

Lloyd knew his communications. “I’ll give you three reasons why you’re wrong.”

“OK, I know one of them,” I said. “The hacker’s signals might be traveling through a satellite link. It takes a quarter second for microwaves to travel from earth to the satellite and back.” Communications satellites orbit twenty-three thousand miles over the equator.

“Yeah, that’s one reason,” Lloyd said. “But you’d need twelve satellite hops to account for that three-second delay. What’s the real reason for the delay?”

“Maybe the hacker has a slow computer.”

“Not that slow. Though maybe the hacker has programmed his Kermit to respond slowly. That’s reason two.”

“Aah! I know the third delay. The hacker’s using networks that move his data inside of packets. His packets are constantly being rerouted, assembled, and disassembled. Every time they pass through another node, it slows him down.”

"Exactly. Unless you can count the number of nodes, you can’t tell how far away he is. In other words, ‘You lose.’ " Lloyd yawned and returned to repairing a terminal.

But there was still a way to find the hacker’s distance. After the hacker left, I called a friend in Los Angeles and told him to connect to my computer through AT&T and Tymnet. He started Kermit running, and I timed his echoes. Real short, maybe a tenth of a second.

Another friend, this time in Houston, Texas. His echoes were around 0.15 seconds. Three other people from Baltimore, New York, and Chicago each had echo delays of less than a second.

New York to Berkeley is about two thousand miles. It had a delay of around a second. So a three-second delay means six thousand miles. Give or take a few thousand miles.

Weird. The path to the hacker must be more convoluted than I suspected. I bounced this new evidence off Dave Cleveland. “Suppose the hacker lives in California, calls the East Coast, then connects to Berkeley. That could explain the long delays.”

“The hacker’s not from California,” my guru replied. “I tell you, he just doesn’t know Berkeley Unix.”

“Then he’s using a very slow computer.”

“Not likely, since he’s no slouch at Unix.”

“He’s purposely slowed down his Kermit parameters?”

“Nobody does that—it wastes their time when they transfer files.”

I thought about the meaning of this measurement. My friends’ samples told me how much delay Tymnet and AT&T introduced. Less than a second. Leaving two seconds of delay unaccounted for.

Maybe my method was wrong. Maybe the hacker used a slow computer. Or maybe he was coming through another network beyond the AT&T phone lines. A network I didn’t know about.

Every new piece of data pointed in a different direction. Tymnet had said Oakland. The phone company had said Virginia. His echoes said four thousand miles beyond Virginia.

Poring over the atlas, I remembered Maggie Morley recognizing the hacker’s password. “Jaeger—it’s a German word meaning Hunter.” The answer had been right in front of me, but I’d been blind.

This explained the timing of the acknowledgement echos when the hacker used the Kermit file transfers. I’d measured 6000 miles to the hacker, though I’d never relied much on that figure. I should have. Germany was 5200 miles from Berkeley.